

# Analyze with Amazon OpenSearch Service


CloudWatch Logs integrates with Amazon OpenSearch Service so that you can automatically create curated dashboards that display key metrics that OpenSearch Service derives from logs vended by AWS services. The following dashboards are available:
+ An **Amazon VPC flow logs dashboard** captures network flow data for Amazon VPC. It helps you analyze network traffic, detect unusual patterns, and monitor resource usage. Key metrics displayed include the following:
  + Total flows and acceptance and rejection of these flows
  + Traffic patterns over time
  + A Sankey diagram that illustrates data flow between source and destination IPs (top talkers)
  + Top IPs by bytes and packets transferred
**Note**  
Currently, only the VPC flow logs version 2 field format is supported.
+ An **AWS WAF logs dashboard** provides insights into web traffic being monitored by AWS WAF. This dashboard helps you identify traffic patterns, blocked requests, and potential threats from specific regions or IPs. Key metrics displayed include the following:
  + Total requests, including by “ALLOW” and “BLOCK” counts.
  + Request history over time, displaying allowed and blocked requests.
  + Breakdowns of requests by Web ACL name, blocked requests by terminating rule, and source IPs.
  + A geographic distribution of request origins.
  + Top client IPs and terminating rules by request count.
+ A **CloudTrail logs** dashboard provides an overview of API activity within your AWS environment using CloudTrail logs. It’s useful for monitoring API activity, auditing actions, and identifying potential security or compliance issues. Key metrics displayed include the following:
  + Total event count and event history over time
  + A breakdown of events by account IDs, categories, and Regions.
  + Top APIs, services, and source IPs involved in generating events.
  + A table of the top users that are generating events, detailing user account information and event counts.
+ An **AWS Network Firewall logs dashboard** gives visibility into the traffic that Network Firewall inspects, so that you can spot potential security issues and tune firewall rules and network configuration. Key metrics displayed include the following:
  + Top talkers and protocols
  + Insights into PrivateLink endpoints
  + Allowed and blocked TLS Server Name Indication traffic

The metrics displayed in these curated dashboards are derived from Amazon OpenSearch Service analytics.

Before you can view these dashboards, you must create an IAM role and perform a one-time integration of CloudWatch Logs with Amazon OpenSearch Service. This one-time integration configures the Amazon OpenSearch Service resources needed to create and render the dashboard. You will incur charges for the OpenSearch services used. For more information, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/).

You can create these curated dashboards only for log groups in the Standard log class.

**Important**  
Don't use [log transformers](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html) for any log groups that you want to create vended logs dashboards for. Transforming log events will cause the dashboards to have empty data.

**Topics**
+ [Step 1: Create the integration with OpenSearch Service](OpenSearch-Dashboards-Integrate.md)
+ [Step 2: Create vended logs dashboards](OpenSearch-Dashboards-Create.md)
+ [View, edit, or delete vended logs dashboards](OpenSearch-Dashboards-Manage.md)
+ [IAM policies for users](OpenSearch-Dashboards-UserRoles.md)
+ [Permissions that the integration needs](OpenSearch-Dashboards-CreateRole.md)

# Step 1: Create the integration with OpenSearch Service


The first step is creating the integration with OpenSearch Service, which you need to do only once. Creating the integration will create the following resources in your account.
+ **[An OpenSearch Service time series collection](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-collections.html)** without high availability. 

  A collection is a set of OpenSearch Service *indexes* that work together to support a workload.
+ **Two security policies** for the collection. One is an encryption policy that specifies whether the collection is encrypted with a customer managed AWS KMS key or an AWS owned key. The other is a network policy that allows the OpenSearch Service application to reach the collection. For more information, see [Encryption of data at rest for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html).
+ **[An OpenSearch Service data access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html)** that defines who can access data in the collection. 
+ **[An OpenSearch Service direct query data source](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/direct-query-s3.html)** with CloudWatch Logs defined as the source. 
+ **[An OpenSearch Service application](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application.html)** with the name `aws-analytics`. The application will be configured to allow the creation of a workspace. If an application named `aws-analytics` already exists, it will be updated to add this collection as a data source.
+ **[An OpenSearch Service workspace](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application.html)** that hosts the dashboards and lets everyone who has been granted access read from the workspace.

**Topics**
+ [Required permissions](#OpenSearch-Dashboards-Perms)
+ [Create the integration](#OpenSearch-Dashboards-Procedure)

## Required permissions


To create the integration, you must be signed in as a principal that has the **CloudWatchOpenSearchDashboardsFullAccess** managed IAM policy, or equivalent permissions, attached; the policy is shown here. The same permissions are required to delete the integration; to create, edit, and delete dashboards; and to refresh a dashboard manually.

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "CloudWatchOpenSearchDashboardsIntegration",
            "Effect": "Allow",
            "Action": [
                "logs:ListIntegrations",
                "logs:GetIntegration",
                "logs:DeleteIntegration",
                "logs:PutIntegration",
                "logs:DescribeLogGroups",
                "opensearch:ApplicationAccessAll",
                "iam:ListRoles",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsOpensearchReadAPIs",
            "Effect": "Allow",
            "Action": [
                "aoss:BatchGetCollection",
                "aoss:BatchGetLifecyclePolicy",
                "es:ListApplications"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsOpensearchCreateServiceLinkedAccess",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "opensearchservice.amazonaws.com",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "observability.aoss.amazonaws.com",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsCollectionRequestAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:CreateCollection"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsApplicationRequestAccess",
            "Effect": "Allow",
            "Action": [
                "es:CreateApplication"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/OpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "OpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsCollectionResourceAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:DeleteCollection"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchLogsApplicationResourceAccess",
            "Effect": "Allow",
            "Action": [
                "es:UpdateApplication",
                "es:GetApplication"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/OpenSearchIntegration": [
                        "Dashboards"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchLogsCollectionPolicyAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:CreateSecurityPolicy",
                "aoss:CreateAccessPolicy",
                "aoss:DeleteAccessPolicy",
                "aoss:DeleteSecurityPolicy",
                "aoss:GetAccessPolicy",
                "aoss:GetSecurityPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:collection": "cloudwatch-logs-*",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsAPIAccessAll",
            "Effect": "Allow",
            "Action": [
                "aoss:APIAccessAll"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:collection": "cloudwatch-logs-*"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsIndexPolicyAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:CreateAccessPolicy",
                "aoss:DeleteAccessPolicy",
                "aoss:GetAccessPolicy",
                "aoss:CreateLifecyclePolicy",
                "aoss:DeleteLifecyclePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:index": "cloudwatch-logs-*",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsDQSRequestQueryAccess",
            "Effect": "Allow",
            "Action": [
                "es:AddDirectQueryDataSource"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsStartDirectQueryAccess",
            "Effect": "Allow",
            "Action": [
                "opensearch:StartDirectQuery",
                "opensearch:GetDirectQuery"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"
        },
        {
            "Sid": "CloudWatchLogsDQSResourceQueryAccess",
            "Effect": "Allow",
            "Action": [
                "es:GetDirectQueryDataSource",
                "es:DeleteDirectQueryDataSource"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchLogsPassRoleAccess",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "directquery.opensearchservice.amazonaws.com",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsAossTagsAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:TagResource"
            ],
            "Resource": "arn:aws:aoss:*:*:collection/*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsEsApplicationTagsAccess",
            "Effect": "Allow",
            "Action": [
                "es:AddTags"
            ],
            "Resource": "arn:aws:opensearch:*:*:application/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/OpenSearchIntegration": [
                        "Dashboards"
                    ],
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "OpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsEsDataSourceTagsAccess",
            "Effect": "Allow",
            "Action": [
                "es:AddTags"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ],
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        }
    ]
}
```
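Most of the `aoss:` and `es:` statements in the policy above are gated by `aws:CalledViaFirst`, so the holder can only exercise them when CloudWatch Logs calls those services on their behalf. What a reviewer usually wants is the complement: which statements a holder can use directly against OpenSearch. The audit below is an added example, not AWS code. `POLICY_EXCERPT` is a hand-picked subset of the statements shown above, trimmed to keep the example short; run `audit()` on the full policy document for the real answer.

```python
"""Audit which statements of the FullAccess policy are usable directly versus
only when CloudWatch Logs calls the target service. Added example, not AWS code."""
import json

VIA_KEY = "aws:CalledViaFirst"
VIA_SERVICE = "logs.amazonaws.com"

# Constructed excerpt: five statements copied from the policy above.
POLICY_EXCERPT = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudWatchOpenSearchDashboardsIntegration", "Effect": "Allow",
     "Action": ["logs:PutIntegration", "logs:DeleteIntegration",
                "opensearch:ApplicationAccessAll", "iam:ListRoles"],
     "Resource": "*"},
    {"Sid": "CloudWatchLogsCollectionRequestAccess", "Effect": "Allow",
     "Action": ["aoss:CreateCollection"], "Resource": "*",
     "Condition": {"StringEquals": {
        "aws:CalledViaFirst": "logs.amazonaws.com",
        "aws:RequestTag/CloudWatchOpenSearchIntegration": ["Dashboards"]}}},
    {"Sid": "CloudWatchLogsAPIAccessAll", "Effect": "Allow",
     "Action": ["aoss:APIAccessAll"], "Resource": "*",
     "Condition": {"StringLike": {"aoss:collection": "cloudwatch-logs-*"}}},
    {"Sid": "CloudWatchLogsStartDirectQueryAccess", "Effect": "Allow",
     "Action": ["opensearch:StartDirectQuery", "opensearch:GetDirectQuery"],
     "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"},
    {"Sid": "CloudWatchLogsPassRoleAccess", "Effect": "Allow",
     "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringLike": {
        "iam:PassedToService": "directquery.opensearchservice.amazonaws.com",
        "aws:CalledViaFirst": "logs.amazonaws.com"}}}
  ]
}''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def via_service_only(statement, service=VIA_SERVICE):
    """True when the statement's Allow only applies to calls made via `service`.

    Only positive String* operators count; ForAllValues/negated forms do not
    restrict the caller in the way this check is after."""
    for operator, pairs in statement.get("Condition", {}).items():
        if not operator.startswith(("StringEquals", "StringLike")):
            continue
        for key, values in pairs.items():
            if key.lower() == VIA_KEY.lower() and service in _as_list(values):
                return True
    return False


def audit(policy, service=VIA_SERVICE):
    """Split Allow statements into {"direct": {sid: actions}, "via_service": {...}}."""
    report = {"direct": {}, "via_service": {}}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        bucket = "via_service" if via_service_only(st, service) else "direct"
        report[bucket][st["Sid"]] = _as_list(st["Action"])
    return report


def direct_actions(policy, prefix):
    """Actions under `prefix` (e.g. "aoss:") the holder can call without going
    through CloudWatch Logs, sorted for stable comparison."""
    return sorted({a for acts in audit(policy)["direct"].values()
                   for a in acts if a.startswith(prefix)})


if __name__ == "__main__":
    print(json.dumps(audit(POLICY_EXCERPT), indent=2))
    print("usable directly:", direct_actions(POLICY_EXCERPT, "aoss:")
          + direct_actions(POLICY_EXCERPT, "opensearch:"))
```

On this excerpt the only data-plane permission usable without going through CloudWatch Logs is `aoss:APIAccessAll` on `cloudwatch-logs-*` collections (plus the direct query actions on `cloudwatch_logs_*` data sources), which is the permission that reads the indexed log data itself. That is the grant to weigh when deciding who gets the FullAccess policy rather than the narrower viewer policy.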

## Create the integration


Use these steps to create the integration.

**To integrate CloudWatch Logs with Amazon OpenSearch Service**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Logs Insights** and then choose the **Analyze with OpenSearch** tab.

1. Choose **Create integration**.

1. For **Integration name**, enter a name for the integration.

1. (Optional) To encrypt the data written to OpenSearch Service Serverless, enter the ARN of the AWS KMS key that you want to use in **KMS key ARN**. For more information, see [Encryption at rest](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-encryption.html) in the Amazon OpenSearch Service Developer Guide.

1. For **Data retention**, enter the amount of time that you want the OpenSearch Service data indexes to be retained. This also defines the maximum time period for which you can view data in the dashboards. Choosing a longer data retention period will incur additional searching and indexing costs. For more information, see [OpenSearch Service Serverless Pricing](https://aws.amazon.com/opensearch-service/pricing/).

   The maximum retention period is 30 days.

   The data retention length will also be used to create the OpenSearch Service collection lifecycle policy. 

1. For **IAM role for writing to OpenSearch collection**, create a new IAM role or select an existing IAM role to be used to write to the OpenSearch Service collection.

   Creating a new role is the simplest method, and the role will be created with the necessary permissions.
**Note**  
If you create a role, it will have permissions to read from all log groups in the account.

   If you want to select an existing role, it must have the permissions listed in [Permissions that the integration needs](OpenSearch-Dashboards-CreateRole.md). Alternatively, you can choose **Use an existing role** and then, in the **Verify access permissions of the selected role** section, choose **Create role**. This lets you use the permissions listed in [Permissions that the integration needs](OpenSearch-Dashboards-CreateRole.md) as a template and modify them, for example to restrict the role to specific log groups.

1. For **IAM roles and users who can view dashboards**, choose how to grant IAM roles and IAM users access to the vended logs dashboards:
   + To limit the dashboard access to just some users, choose **Select IAM roles and users who can view dashboards** and then in the text box search for and select the IAM roles and IAM users that you want to grant access to.
   + To grant dashboard access to all users, choose **Allow all roles and users in this account to view dashboards**.
**Important**  
Selecting roles or users, or choosing all users, only adds them to the [data access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) needed for accessing OpenSearch Service collection that stores the dashboard data. **For them to be able to view the vended logs dashboards, you must also grant those roles and users the [CloudWatchOpenSearchDashboardAccess](iam-identity-based-access-control-cwl.md#managed-policies-cwl-CloudWatchOpenSearchDashboardAccess) managed IAM policy.**

1. Choose **Create integration**.

   Creating the integration will take a few minutes.

# Step 2: Create vended logs dashboards


After you have created the integration, you can create dashboards. Dashboards are available for Amazon VPC flow logs, CloudTrail logs, AWS WAF logs, and AWS Network Firewall logs.

**To create a vended log dashboard with metrics derived by OpenSearch Service**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Logs Insights** and then choose the **Analyze with OpenSearch** tab.

1. Choose **Create dashboard**.

1. Choose which type of logs to create the dashboard for, AWS WAF, Amazon VPC flow logs, CloudTrail, or AWS Network Firewall.

1. Enter a name for the dashboard, and optionally enter a description.

1. For **Data synchronization frequency**, enter how often you want OpenSearch Service to query CloudWatch Logs so that the metrics and indexes created in OpenSearch Service are updated with new data. OpenSearch Service creates metrics and indexes from your logs to render the dashboard.

   Choosing a shorter time keeps the data more up to date and incurs higher costs.

1. Select the log groups to collect data from for this dashboard. Be sure to select log groups that match the type of dashboard that you are creating.

   You can use the **Browse log groups** button and the **View log samples from selected log groups** option as you make these choices, to make sure that you get the log groups that you want.

1. Choose **Create dashboard**.

   At first, the dashboard appears without any data. After a few minutes, data will appear in the dashboard. When the data first appears, it will be for the most recent 15 minutes of log entries.
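Two constraints stated earlier on this page decide whether a log group you pick in the step above will actually populate a dashboard: it must be in the Standard log class, and it must not have a log transformer attached. The pre-flight check below is an added example, not AWS code or CloudWatch tooling. `check_eligibility` runs on constructed sample data; `fetch_log_groups` shows how to collect the same facts with boto3 for a real account and is not called by default because it needs credentials. It assumes `describe_log_groups` returns `logGroupClass` and that `get_transformer` raises `ResourceNotFoundException` when no transformer is attached.

```python
"""Pre-flight check for log groups chosen for a vended logs dashboard.
Added example, not AWS code."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LogGroupInfo:
    name: str
    log_class: str        # e.g. "STANDARD" or "INFREQUENT_ACCESS"
    has_transformer: bool


def check_eligibility(groups: List[LogGroupInfo]) -> Dict[str, List[str]]:
    """Map each log group name to the list of reasons it will not work;
    an eligible group maps to an empty list."""
    results = {}
    for g in groups:
        problems = []
        if g.log_class != "STANDARD":
            problems.append(f"log class is {g.log_class}; dashboards need STANDARD")
        if g.has_transformer:
            problems.append("a log transformer is attached; the dashboard would show empty data")
        results[g.name] = problems
    return results


def eligible(groups: List[LogGroupInfo]) -> List[str]:
    """Names of the groups that pass both checks, in input order."""
    return [name for name, problems in check_eligibility(groups).items() if not problems]


def fetch_log_groups(prefix: str, region: str) -> List[LogGroupInfo]:
    """Collect the same facts from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline part of the example does not need it
    logs = boto3.client("logs", region_name=region)
    out = []
    for page in logs.get_paginator("describe_log_groups").paginate(logGroupNamePrefix=prefix):
        for lg in page["logGroups"]:
            try:
                # Assumption: no transformer -> ResourceNotFoundException
                logs.get_transformer(logGroupIdentifier=lg["logGroupName"])
                has_transformer = True
            except logs.exceptions.ResourceNotFoundException:
                has_transformer = False
            out.append(LogGroupInfo(lg["logGroupName"],
                                    lg.get("logGroupClass", "STANDARD"),
                                    has_transformer))
    return out


# Constructed sample: names and attributes are made up for the example.
SAMPLE = [
    LogGroupInfo("/aws/vpc/flowlogs-prod", "STANDARD", False),
    LogGroupInfo("aws-waf-logs-edge", "STANDARD", True),
    LogGroupInfo("/aws/cloudtrail/archive", "INFREQUENT_ACCESS", False),
]

if __name__ == "__main__":
    for name, problems in check_eligibility(SAMPLE).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it before creating the dashboard rather than after: a transformer or a wrong log class does not produce an error in the console, only a dashboard that stays empty.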

# View, edit, or delete vended logs dashboards


## View vended logs dashboards in CloudWatch Logs or OpenSearch Service


To be able to view dashboards, you must be signed in to an IAM principal that has the **CloudWatchOpenSearchDashboardAccess** IAM policy.

**To view vended log dashboards**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Logs Insights** and then choose the **Analyze with OpenSearch** tab.

1. Choose the dashboard in the **OpenSearch dashboards** box.

1. (Optional) In the upper right, choose **View in OpenSearch**.

   The OpenSearch Service console opens and you see the same dashboard there. In the OpenSearch Service console, you can make changes to the dashboard and its widgets, and these changes will also be visible when you view the dashboard in CloudWatch Logs.

## Grant dashboard viewing access to additional IAM roles or IAM users


To grant access to additional IAM principals after you've created the integration, take the following steps. 

**To grant vended log dashboard access to additional IAM roles or users**

1. Edit the data access policy for the collection to add these roles or users. For more information, see [Data access control for Amazon OpenSearch Service Serverless](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) in the OpenSearch Service Developer Guide.

1. Attach the **CloudWatchOpenSearchDashboardAccess** managed IAM policy to these roles or users. For more information about the contents of this policy, see [CloudWatchOpenSearchDashboardAccess](iam-identity-based-access-control-cwl.md#managed-policies-cwl-CloudWatchOpenSearchDashboardAccess).
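A viewer needs both of the grants above (the same two-part rule appears in the Important note in Step 1): an entry in the collection's data access policy and the managed IAM policy. A principal with only one of the two cannot view the dashboards, and the two lists drift apart as people are added later. The reconciliation below is an added example, not AWS code. The data access policy, the collection name and the list of principals with the managed policy attached are all constructed; for a real account, fetch the policy with `aws opensearchserverless get-access-policy --type data --name <policy-name>` and the attachment list with `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/CloudWatchOpenSearchDashboardAccess` (policy ARN assumed to follow the usual AWS managed policy form), mapping the returned user and role names to ARNs.

```python
"""Reconcile data access policy principals with managed policy attachments.
Added example, not AWS code."""
import fnmatch
import json

COLLECTION = "cloudwatch-logs-example"   # assumed collection name

# Constructed data access policy in the OpenSearch Serverless document shape.
DATA_ACCESS_POLICY = json.loads('''[
  {
    "Description": "constructed viewer rule",
    "Rules": [
      {"ResourceType": "collection", "Resource": ["collection/cloudwatch-logs-*"],
       "Permission": ["aoss:DescribeCollectionItems"]},
      {"ResourceType": "index", "Resource": ["index/cloudwatch-logs-*/*"],
       "Permission": ["aoss:DescribeIndex", "aoss:ReadDocument"]}
    ],
    "Principal": ["arn:aws:iam::123456789012:role/SecOpsAnalyst",
                  "arn:aws:iam::123456789012:user/alice"]
  },
  {
    "Description": "constructed rule for an unrelated collection",
    "Rules": [{"ResourceType": "index", "Resource": ["index/other-collection/*"],
               "Permission": ["aoss:ReadDocument"]}],
    "Principal": ["arn:aws:iam::123456789012:user/carol"]
  }
]''')

# Constructed: principals that have CloudWatchOpenSearchDashboardAccess attached.
HAS_MANAGED_POLICY = {
    "arn:aws:iam::123456789012:role/SecOpsAnalyst",
    "arn:aws:iam::123456789012:user/bob",
}


def _covers(rule, collection):
    """Does the rule apply to `collection`? Resources look like
    "collection/<name>" or "index/<collection>/<index>"; only the collection
    segment is compared, with the policy's glob semantics."""
    for res in rule["Resource"]:
        parts = res.split("/", 2)
        if len(parts) >= 2 and fnmatch.fnmatchcase(collection, parts[1]):
            return True
    return False


def data_plane_readers(policy, collection):
    """Principals the data access policy lets read documents in `collection`."""
    readers = set()
    for block in policy:
        if any(_covers(r, collection) and "aoss:ReadDocument" in r["Permission"]
               for r in block["Rules"]):
            readers.update(block["Principal"])
    return readers


def reconcile(policy, collection, has_managed_policy):
    """Who can view, and who is missing exactly one of the two grants."""
    readers = data_plane_readers(policy, collection)
    return {
        "can_view": readers & has_managed_policy,
        "missing_iam_policy": readers - has_managed_policy,
        "missing_data_access": has_managed_policy - readers,
    }


if __name__ == "__main__":
    for key, arns in reconcile(DATA_ACCESS_POLICY, COLLECTION, HAS_MANAGED_POLICY).items():
        print(key, sorted(arns))
```

The `missing_data_access` set is the one to look at after a principal reports an empty or inaccessible dashboard despite having the managed policy: the IAM side is in place, but the collection's data access policy never learned about them.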

## Edit dashboard configuration


You can edit the name, description, and synchronization frequency of existing vended log dashboards. 

**To edit a vended log dashboard**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Logs Insights** and then choose the **Analyze with OpenSearch** tab.

1. Choose the dashboard in the **OpenSearch dashboards** box.

1. Choose **Actions**, **Change dashboard details**.

1. Make your changes, then choose **Confirm changes**.

## Delete a vended log dashboard


You can delete a vended log dashboard. If you do so, the dashboard, the metrics, and indexes created in the OpenSearch Service collection are all deleted. 

**Note**  
After you delete a vended log dashboard, wait at least six hours before trying to re-create that same dashboard. If you don't wait, the re-created dashboard won't work correctly.

**To delete a vended log dashboard**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Logs Insights** and then choose the **Analyze with OpenSearch** tab.

1. Choose the dashboard in the **OpenSearch dashboards** box.

1. Choose **Actions**, **Delete**.

1. Confirm your decision by entering **delete**, then choose **Delete**.

## Delete all vended log dashboard integration with OpenSearch Service


You can delete your entire OpenSearch integration. If you do, all vended logs dashboards and the data that was displayed in them are deleted. 

**Important**  
To avoid ongoing costs, we strongly recommend that you manually delete the following resources before you delete the integration. Deleting the integration doesn't automatically delete these resources, and after you delete the integration you won't be able to access these resources to delete them. To find the names of the resources to delete, see the following procedure.  
+ [The data source](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/direct-query-s3-managing-data-sources.html#direct-query-s3-delete)
+ [The collection](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-manage.html#serverless-delete.html)
+ [The data access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html#serverless-data-access-delete)
+ [The encryption policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-encryption.html#serverless-encryption-delete)
+ [The network policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html#serverless-network-delete)
+ [The lifecycle policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-lifecycle.html#serverless-lifecycle-delete)

**To delete your entire vended log dashboard integration with OpenSearch Service**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Settings**.

1. Choose the **Logs** tab.

1. In the **OpenSearch integration** section, choose **Delete integration**.

   The next screen displays the names of the OpenSearch Service resources that you should delete before deleting the integration.

1. Confirm your decision by entering **delete**, then choose **Delete integration**.

# IAM policies for users


CloudWatch Logs provides two AWS managed IAM policies, **CloudWatchOpenSearchDashboardsFullAccess** and **CloudWatchOpenSearchDashboardAccess**. The following table lists which actions each of these policies enables, and any additional permissions an action needs.


| Action | IAM policy | Additional permissions needed | 
| --- | --- | --- | 
|  Create integration |  **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  Delete integration |  **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  Create dashboard |  **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  Edit dashboard |  **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  Delete dashboard |  **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  Refresh dashboard using **Synchronize now** |  **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  View integration in **Settings** |  **CloudWatchOpenSearchDashboardAccess** or **CloudWatchOpenSearchDashboardsFullAccess**  |  | 
|  View dashboard |  **CloudWatchOpenSearchDashboardAccess** or **CloudWatchOpenSearchDashboardsFullAccess**  | Specify the role or user when you create the integration, or edit the data access policy for the collection to add these roles or users. For more information, see [Data access control for Amazon OpenSearch Service Serverless](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) in the OpenSearch Service Developer Guide. | 
|  View dashboard in OpenSearch Service console |  **CloudWatchOpenSearchDashboardAccess** or **CloudWatchOpenSearchDashboardsFullAccess**   | Specify the role or user when you create the integration, or edit the data access policy for the collection to add these roles or users. For more information, see [Data access control for Amazon OpenSearch Service Serverless](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) in the OpenSearch Service Developer Guide. | 

# Permissions that the integration needs


If you create an IAM role for the integration to use, instead of allowing CloudWatch Logs to create the role, it must include the following permissions and trust policy. For more information about how to create an IAM role, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudWatchLogsDescribeLogGroupsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
        "Sid": "AmazonOpenSearchCollectionAccess",
        "Effect": "Allow",
        "Action": [
            "aoss:APIAccessAll"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "aoss:collection": "cloudwatch-logs-*"
            }
        }
    }
  ]
}
```

**Note**  
The previous role grants read access to all log groups, so that you can create dashboards for any log group, including cross-account log groups. If you want to restrict access to specific log groups and create dashboards for only those log groups, update the first statement in that policy to the following:  

```
{
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup:*",
        "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup"
      ]
}
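The scoping described in the note above, as an added example that is not AWS code: it generalises the single log group shown to several log groups across Regions and accounts, emits both ARN forms (`log-group:<name>` and `log-group:<name>:*`) for each, and checks that no statement still grants the query actions on `*`. The account IDs, Region and log group names are placeholders. This only narrows the role's own policy; a log group in another account additionally needs cross-account access to be set up on that account's side, which this page does not cover.

```python
"""Narrow the data source role's CloudWatchLogsAccess statement to named log groups.
Added example, not AWS code."""
import copy
import json

QUERY_ACTIONS = {"logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults"}

# The role policy from the section above (copied verbatim into the example).
ROLE_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudWatchLogsAccess", "Effect": "Allow",
     "Action": ["logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults"],
     "Resource": ["*"]},
    {"Sid": "CloudWatchLogsDescribeLogGroupsAccess", "Effect": "Allow",
     "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
    {"Sid": "AmazonOpenSearchCollectionAccess", "Effect": "Allow",
     "Action": ["aoss:APIAccessAll"], "Resource": "*",
     "Condition": {"StringLike": {"aoss:collection": "cloudwatch-logs-*"}}}
  ]
}''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def log_group_arns(region, account_id, name):
    """Both ARN forms the note uses: the log group itself and its log streams."""
    base = f"arn:aws:logs:{region}:{account_id}:log-group:{name}"
    return [base, base + ":*"]


def scope_query_access(policy, log_groups):
    """Return a copy of `policy` whose CloudWatchLogsAccess statement names only
    `log_groups`, an iterable of (region, account_id, log_group_name) tuples.
    Other statements are left untouched."""
    scoped = copy.deepcopy(policy)
    resources = [arn for lg in log_groups for arn in log_group_arns(*lg)]
    for st in scoped["Statement"]:
        if st.get("Sid") == "CloudWatchLogsAccess":
            st["Resource"] = resources
            break
    else:
        raise ValueError("policy has no CloudWatchLogsAccess statement")
    return scoped


def wildcard_query_grants(policy):
    """Sids of Allow statements that still grant a query action on Resource "*"."""
    sids = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st["Action"]))
        broad = actions & QUERY_ACTIONS or actions & {"logs:*", "*"}
        if broad and "*" in _as_list(st["Resource"]):
            sids.append(st["Sid"])
    return sids


if __name__ == "__main__":
    # Placeholder account IDs, Regions and names.
    wanted = [("us-east-1", "123456789012", "myLogGroup"),
              ("eu-west-1", "210987654321", "/aws/vpc/flowlogs")]
    scoped = scope_query_access(ROLE_POLICY, wanted)
    print(json.dumps(scoped, indent=2))
    print("still wildcard:", wildcard_query_grants(scoped))
```

`logs:DescribeLogGroups` keeps `*` on purpose: the console needs it to list log groups when you pick them for a dashboard, and it exposes names only, not log contents.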
```