This topic covers details for writing policies to control access to Logging.
Resource-Types
Aggregate Resource-Type: logging-family
Individual Resource-Types: log-groups, log-content, unified-configuration
Comments
A policy that uses <verb> logs is equivalent to writing one with
a separate <verb> <individual resource-type> statement for each of the
individual resource-types.
See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of
the API operations covered by each verb, for each individual resource-type included
in logs.
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the log-groups
resource-type includes the same permissions and API operations as the
inspect verb, plus the LOG_GROUPS_READ permission and the
corresponding API operations GetLog and GetLogGroup.
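The aggregate expansion and cumulative verb levels described above can be checked mechanically when reviewing policies for least privilege. The following is an added example, not Oracle's code: it assumes only the simple statement shape `Allow group <name> to <verb> <resource-type> in compartment <name>` (no conditions or tenancy scope), uses logging-family as the aggregate name, and the group names, compartment names and the helper functions are hypothetical.

```python
import re

# Verb order from the page: access is cumulative from inspect up to manage.
VERBS = ["inspect", "read", "use", "manage"]
# Aggregate and individual resource-types listed on the page.
FAMILY = {"logging-family": ["log-groups", "log-content", "unified-configuration"]}

# Assumed shape: Allow group <name> to <verb> <resource-type> in compartment <name>
STMT = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(\w+)\s+([\w-]+)\s+in\s+compartment\s+(\S+)$",
    re.IGNORECASE,
)

def expand(statement):
    """Return (group, verb, resource_type, compartment), one per individual type."""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    group, verb, rtype, comp = m.groups()
    verb, rtype = verb.lower(), rtype.lower()
    if verb not in VERBS:
        raise ValueError(f"unknown verb: {verb!r}")
    return [(group, verb, r, comp) for r in FAMILY.get(rtype, [rtype])]

def effective_access(statements):
    """Highest verb granted per (group, resource_type, compartment)."""
    best = {}
    for s in statements:
        for group, verb, rtype, comp in expand(s):
            key = (group, rtype, comp)
            if key not in best or VERBS.index(verb) > VERBS.index(best[key]):
                best[key] = verb
    return best

def allows(statements, group, needed_verb, rtype, comp):
    """True if the group's effective verb covers needed_verb (cumulative levels)."""
    granted = effective_access(statements).get((group, rtype, comp))
    return granted is not None and VERBS.index(granted) >= VERBS.index(needed_verb)

def over_granted(statements, required):
    """Keys whose granted verb exceeds the verb listed for them in `required`."""
    eff = effective_access(statements)
    return sorted(k for k, v in eff.items()
                  if k in required and VERBS.index(v) > VERBS.index(required[k]))

# Constructed sample policy; group and compartment names are placeholders.
SAMPLE = [
    "Allow group LogReaders to read logging-family in compartment Prod",
    "Allow group LogAdmins to manage log-groups in compartment Prod",
    "Allow group LogReaders to use log-content in compartment Prod",
]
```

Passing `over_granted` a mapping of the verb each group actually needs highlights statements that grant a higher level than required.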