# Using identity-based policies (IAM policies) for CloudWatch Logs
Using identity-based policies (IAM policies)

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your CloudWatch Logs resources. For more information, see [Overview of managing access permissions to your CloudWatch Logs resources](iam-access-control-overview-cwl.md).

This topic covers the following:
+ [Permissions required to use the CloudWatch console](#console-permissions-cwl)
+ [AWS managed (predefined) policies for CloudWatch Logs](#managed-policies-cwl)
+ [Customer managed policy examples](#customer-managed-policies-cwl)

The following is an example of a permissions policy:

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
    ],
      "Resource": [
        "arn:aws:logs:*:*:*"
    ]
  }
 ]
}
```

------

This policy has one statement that grants permissions to create log groups and log streams, to upload log events to log streams, and to list details about log streams.

The wildcard character (\$1) at the end of the `Resource` value means that the statement allows permission for the `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, and `logs:DescribeLogStreams` actions on any log group. To limit this permission to a specific log group, replace the wildcard character (\$1) in the resource ARN with the specific log group ARN. For more information about the sections within an IAM policy statement, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html) in *IAM User Guide*. For a list showing all of the CloudWatch Logs actions, see [CloudWatch Logs permissions reference](permissions-reference-cwl.md).

## Permissions required to use the CloudWatch console


For a user to work with CloudWatch Logs in the CloudWatch console, that user must have a minimum set of permissions that allows the user to describe other AWS resources in their AWS account. In order to use CloudWatch Logs in the CloudWatch console, you must have permissions from the following services:
+ CloudWatch
+ CloudWatch Logs
+ OpenSearch Service
+ IAM
+ Kinesis
+ Lambda
+ Amazon S3

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the CloudWatch console, also attach the `CloudWatchReadOnlyAccess` managed policy to the user, as described in [AWS managed (predefined) policies for CloudWatch Logs](#managed-policies-cwl).

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the CloudWatch Logs API.

The full set of permissions required to work with the CloudWatch console for a user who is not using the console to manage log subscriptions are:
+ cloudwatch:GetMetricData
+ cloudwatch:ListMetrics
+ logs:CancelExportTask
+ logs:CreateExportTask
+ logs:CreateLogGroup
+ logs:CreateLogStream
+ logs:DeleteLogGroup
+ logs:DeleteLogStream
+ logs:DeleteMetricFilter
+ logs:DeleteQueryDefinition
+ logs:DeleteRetentionPolicy
+ logs:DeleteSubscriptionFilter
+ logs:DescribeExportTasks
+ logs:DescribeLogGroups
+ logs:DescribeLogStreams
+ logs:DescribeMetricFilters
+ logs:DescribeQueryDefinitions
+ logs:DescribeQueries
+ logs:DescribeSubscriptionFilters
+ logs:FilterLogEvents
+ logs:GetLogEvents
+ logs:GetLogGroupFields
+ logs:GetLogRecord
+ logs:GetQueryResults
+ logs:PutMetricFilter
+ logs:PutQueryDefinition
+ logs:PutRetentionPolicy
+ logs:StartQuery
+ logs:StopQuery
+ logs:PutSubscriptionFilter
+ logs:TestMetricFilter

For a user who will also be using the console to manage log subscriptions, the following permissions are also required:
+ es:DescribeElasticsearchDomain
+ es:ListDomainNames
+ iam:AttachRolePolicy
+ iam:CreateRole
+ iam:GetPolicy
+ iam:GetPolicyVersion
+ iam:GetRole
+ iam:ListAttachedRolePolicies
+ iam:ListRoles
+ kinesis:DescribeStreams
+ kinesis:ListStreams
+ lambda:AddPermission
+ lambda:CreateFunction
+ lambda:GetFunctionConfiguration
+ lambda:ListAliases
+ lambda:ListFunctions
+ lambda:ListVersionsByFunction
+ lambda:RemovePermission
+ s3:ListBuckets

## AWS managed (predefined) policies for CloudWatch Logs


AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

The following AWS managed policies, which you can attach to users and roles in your account, are specific to CloudWatch Logs:
+ **CloudWatchLogsFullAccess** – Grants full access to CloudWatch Logs.
+ **CloudWatchLogsReadOnlyAccess** – Grants read-only access to CloudWatch Logs.

### CloudWatchLogsFullAccess


 The **CloudWatchLogsFullAccess** policy grants full access to CloudWatch Logs. The policy includes the `cloudwatch:GenerateQuery` and `cloudwatch:GenerateQueryResultsSummary` permissions, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. To see the full contents of the policy, see [CloudWatchLogsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsFullAccess.html) in the *AWS Managed Policy Reference Guide*. 

### CloudWatchLogsReadOnlyAccess


 The **CloudWatchLogsReadOnlyAccess** policy grants read-only access to CloudWatch Logs. It includes the `cloudwatch:GenerateQuery` and `cloudwatch:GenerateQueryResultsSummary` permissions, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. To see the full contents of the policy, see [CloudWatchLogsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*. 

### CloudWatchOpenSearchDashboardsFullAccess


The **CloudWatchOpenSearchDashboardsFullAccess** policy grants access to create, manage, and delete integrations with OpenSearch Service, and to create delete and manage vended log dashboards in those integrations. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).

 To see the full contents of the policy, see [CloudWatchOpenSearchDashboardsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchOpenSearchDashboardsFullAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatchOpenSearchDashboardAccess


The **CloudWatchOpenSearchDashboardAccess** policy grants access to view vended logs dashboards that are created with Amazon OpenSearch Service analytics. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).

**Important**  
In addition to granting this policy, to enable a role or user to be able to view vended log dashboards, you must also specify them when you create the integration with OpenSearch Service. For more information, see [Step 1: Create the integration with OpenSearch Service](OpenSearch-Dashboards-Integrate.md).

 To see the full contents of the policy, see [CloudWatchOpenSearchDashboardAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchOpenSearchDashboardAccess.html) in the *AWS Managed Policy Reference Guide*.

#### CloudWatchLogsCrossAccountSharingConfiguration


The **CloudWatchLogsCrossAccountSharingConfiguration** policy grants access to create, manage, and view Observability Access Manager links for sharing CloudWatch Logs resources between accounts. For more information, see [ CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).

 To see the full contents of the policy, see [CloudWatchLogsCrossAccountSharingConfiguration](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsCrossAccountSharingConfiguration.html) in the *AWS Managed Policy Reference Guide*.

#### CloudWatchLogsAPIKeyAccess


The **CloudWatchLogsAPIKeyAccess** policy enables CloudWatch Logs API key authentication and encrypted log ingestion. This policy grants permissions to authenticate using bearer tokens and write log events to CloudWatch Logs, with additional AWS KMS permissions for decrypting and generating data keys when logs are encrypted.

This policy grants the following permissions:
+ `logs` – Allows principals to authenticate via API key bearer tokens and write log events to CloudWatch Logs streams.
+ `kms` – Allows principals to read AWS KMS key metadata, generate data keys for encryption, and decrypt data. These permissions support encrypted CloudWatch Logs by allowing the service to encrypt log data using customer-managed AWS KMS keys. Access is restricted to operations called through the CloudWatch Logs service.

To view more details about the policy, including the latest version of the JSON policy document, see [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatch Logs updates to AWS managed policies
Policy updates



View details about updates to AWS managed policies for CloudWatch Logs since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Logs Document history page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [CloudWatchLogsAPIKeyAccess](#managed-policies-cwl-CloudWatchLogsAPIKeyAccess) – New policy.  |  CloudWatch Logs added a new managed policy **CloudWatchLogsAPIKeyAccess**. This policy enables CloudWatch Logs API key authentication and encrypted log ingestion, granting permissions to authenticate using bearer tokens and write log events to CloudWatch Logs.  |  February 17, 2026  | 
|  [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.  |   CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**. Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations.  |  December 02, 2025  | 
|  [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy.  |  CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**. Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations.  |  December 02, 2025  | 
|   [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.   |   CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.  Permissions for `cloudwatch:GenerateQueryResultsSummary` were added to allow for generation of a natural language summary of the query results.   |   May 20, 2025  | 
|   [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy.   |   CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**.  Permissions for `cloudwatch:GenerateQueryResultsSummary` were added to allow for generation of a natural language summary of the query results.   |   May 20, 2025  | 
|   [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.   |   CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.  Permissions for Amazon OpenSearch Service and IAM were added, to enable CloudWatch Logs integration with OpenSearch Service for some features.   |   December 1, 2024   | 
|   [CloudWatchOpenSearchDashboardsFullAccess](#managed-policies-cwl-CloudWatchOpenSearchDashboardsFullAccess) – New IAM policy.   |   CloudWatch Logs added a new IAM policy, **CloudWatchOpenSearchDashboardsFullAccess**.- This policy grants access to create, manage, and delete integrations with OpenSearch Service, and to create, manage, and delete vended log dashboards in those integrations. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).   |   December 1, 2024   | 
|   [CloudWatchOpenSearchDashboardAccess](#managed-policies-cwl-CloudWatchOpenSearchDashboardAccess) – New IAM policy.   |   CloudWatch Logs added a new IAM policy, **CloudWatchOpenSearchDashboardAccess**.- This policy grants access to view vended logs dashboards powered by Amazon OpenSearch Service. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).   |   December 1, 2024   | 
|   [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.   |   CloudWatch Logs added a permission to **CloudWatchLogsFullAccess**.   The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt.   |   November 27, 2023   | 
|   [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy.   |   CloudWatch added a permission to **CloudWatchLogsReadOnlyAccess**.   The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt.   |   November 27, 2023   | 
|  [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy  |  CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**. The `logs:StartLiveTail` and `logs:StopLiveTail` permissions were added so that users with this policy can use the console to start and stop CloudWatch Logs live tail sessions. For more information, see [ Use live tail to view logs in near real time](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_LiveTail.html).  | June 6, 2023 | 
|  [CloudWatchLogsCrossAccountSharingConfiguration](#managed-policies-cwl-CloudWatchLogsCrossAccountSharingConfiguration) – New policy  |  CloudWatch Logs added a new policy to enable you to manage CloudWatch cross-account observability links that share CloudWatch Logs log groups. For more information, see [ CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html)  | November 27, 2022 | 
|  [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy  |  CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**. The `oam:ListSinks` and `oam:ListAttachedLinks` permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.  | November 27, 2022 | 

### Customer managed policy examples


You can create your own custom IAM policies to allow permissions for CloudWatch Logs actions and resources. You can attach these custom policies to the users or groups that require those permissions.

In this section, you can find example user policies that grant permissions for various CloudWatch Logs actions. These policies work when you are using the CloudWatch Logs API, AWS SDKs, or the AWS CLI.

**Topics**
+ [

#### Example 1: Allow full access to CloudWatch Logs
](#w2aac59c15c15c23c19b9)
+ [

#### Example 2: Allow read-only access to CloudWatch Logs
](#w2aac59c15c15c23c19c11)
+ [

#### Example 3: Allow access to one log group
](#w2aac59c15c15c23c19c13)

#### Example 1: Allow full access to CloudWatch Logs


The following policy allows a user to access all CloudWatch Logs actions.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

------

#### Example 2: Allow read-only access to CloudWatch Logs


AWS provides a **CloudWatchLogsReadOnlyAccess** policy that enables read-only access to CloudWatch Logs data. This policy includes the following permissions.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "logs:StartLiveTail",
                "logs:StopLiveTail",
                "cloudwatch:GenerateQuery"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

#### Example 3: Allow access to one log group


The following policy allows a user to read and write log events in one specified log group.

**Important**  
The `:*` at the end of the log group name in the `Resource` line is required to indicate that the policy applies to all log streams in this log group. If you omit `:*`, the policy will not be enforced.

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
      }
   ]
}
```

------

### Use tagging and IAM policies for control at the log group level


You can grant users access to certain log groups while preventing them from accessing other log groups. To do so, tag your log groups and use IAM policies that refer to those tags. To apply tags to a log group, you need to have either the `logs:TagResource` or `logs:TagLogGroup` permission. This applies both if you are assigning tags to the log group when you create it. or assigning them later.

For more information about tagging log groups, see [Tag log groups in Amazon CloudWatch Logs](Working-with-log-groups-and-streams.md#log-group-tagging).

When you tag log groups, you can then grant an IAM policy to a user to allow access to only the log groups with a particular tag. For example, the following policy statement grants access to only log groups with the value of `Green` for the tag key `Team`.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "logs:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Team": "Green"
                }
            }
        }
    ]
}
```

------

The **StopQuery** and **StopLiveTail** API operations don't interact with AWS resources in the traditional sense. They don't return any data, put any data, or modify a resource in any way. Instead, they operate only on a given live tail session or a given CloudWatch Logs Insights query, which are not categorized as resources. As a result, when you specify the `Resource` field in IAM policies for these operations, you must set the value of the `Resource` field as `*`, as in the following example. 

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	  
    "Statement": 
        [ {
            "Effect": "Allow", 
            "Action": [ 
                "logs:StopQuery",
                "logs:StopLiveTail"
            ], 
            "Resource": "*" 
            } 
        ] 
}
```

------

For more information about using IAM policy statements, see [Controlling Access Using Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html) in the *IAM User Guide*.

# CloudWatch Logs permissions reference


When you are setting up [Access control](auth-and-access-control-cwl.md#access-control-cwl) and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each CloudWatch Logs API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's `Action` field. For the `Resource` field, you can specify the ARN of a log group or log stream, or specify `*` to represent all CloudWatch Logs resources.

You can use AWS-wide condition keys in your CloudWatch Logs policies to express conditions. For a complete list of AWS-wide keys, see [AWS Global and IAM Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

**Note**  
To specify an action, use the `logs:` prefix followed by the API operation name. For example: `logs:CreateLogGroup`, `logs:CreateLogStream`, or `logs:*` (for all CloudWatch Logs actions).


**CloudWatch Logs API operations and required permissions for actions**  

| CloudWatch Logs API operations | Required permissions (API actions) | 
| --- | --- | 
|  [CancelExportTask](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CancelExportTask.html)  |  `logs:CancelExportTask` Required to cancel a pending or running export task.  | 
|  [CreateExportTask](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateExportTask.html)  |  `logs:CreateExportTask` Required to export data from a log group to an Amazon S3 bucket.  | 
|  [CreateLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogGroup.html)  |  `logs:CreateLogGroup` Required to create a new log group.  | 
|  [CreateLogStream](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogStream.html)  |  `logs:CreateLogStream` Required to create a new log stream in a log group.  | 
|  [DeleteDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDestination.html)  |  `logs:DeleteDestination` Required to delete a log destination and disables any subscription filters to it.  | 
|  [DeleteLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html)  |  `logs:DeleteLogGroup` Required to delete a log group and any associated archived log events.  | 
|  [DeleteLogStream](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html)  |  `logs:DeleteLogStream` Required to delete a log stream and any associated archived log events.  | 
|  [DeleteMetricFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteMetricFilter.html)  |  `logs:DeleteMetricFilter` Required to delete a metric filter associated with a log group.  | 
|  [DeleteQueryDefinition](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteQueryDefinition.html)  |  `logs:DeleteQueryDefinition` Required to delete a saved query definition in CloudWatch Logs Insights.  | 
|  [DeleteResourcePolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteResourcePolicy.html)  |  `logs:DeleteResourcePolicy` Required to delete a CloudWatch Logs resource policy.  | 
|  [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html)  |  `logs:DeleteRetentionPolicy` Required to delete a log group's retention policy.  | 
|  [DeleteSubscriptionFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteSubscriptionFilter.html)  |  `logs:DeleteSubscriptionFilter` Required to delete the subscription filter associated with a log group.  | 
|  [DescribeDestinations](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeDestinations.html)  |  `logs:DescribeDestinations` Required to view all destinations associated with the account.  | 
|  [DescribeExportTasks](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeExportTasks.html)  |  `logs:DescribeExportTasks` Required to view all export tasks associated with the account.  | 
|  [DescribeLogGroups](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogGroups.html)  |  `logs:DescribeLogGroups` Required to view all log groups associated with the account.  | 
|  [DescribeLogStreams](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogStreams.html)  |  `logs:DescribeLogStreams` Required to view all log streams associated with a log group.  | 
|  [DescribeMetricFilters](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeMetricFilters.html)  |  `logs:DescribeMetricFilters` Required to view all metrics associated with a log group.  | 
|  [DescribeQueryDefinitions](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeQueryDefinitions.html)  |  `logs:DescribeQueryDefinitions` Required to see the list of saved query definitions in CloudWatch Logs Insights.  | 
|  [DescribeQueries](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeQueries.html)  |  `logs:DescribeQueries` Required to see the list of CloudWatch Logs Insights queries that are scheduled, executing, or have recently excecuted.  | 
|  [DescribeResourcePolicies](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeResourcePolicies.html)  |  `logs:DescribeResourcePolicies` Required to view a list of CloudWatch Logs resource policies.  | 
|  [DescribeSubscriptionFilters](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeSubscriptionFilters.html)  |  `logs:DescribeSubscriptionFilters` Required to view all subscription filters associated with a log group.  | 
|  [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html)  |  `logs:FilterLogEvents` Required to sort log events by log group filter pattern.  | 
|  [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html)  |  `logs:GetLogEvents` Required to retrieve log events from a log stream.  | 
|  [GetLogGroupFields](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogGroupFields.html)  |  `logs:GetLogGroupFields` Required to retrieve the list of fields that are included in the log events in a log group.  | 
|  [GetLogRecord](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogRecord.html)  |  `logs:GetLogRecord` Required to retrieve the details from a single log event.  | 
|  [GetLogObject](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogObject.html)  |  `logs:GetLogRecord` Required to fetch the content of large portions of log events that have been ingested through the PutOpenTelemetryLogs API.  | 
|  [GetQueryResults](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetQueryResults.html)  |  `logs:GetQueryResults` Required to retrieve the results of CloudWatch Logs Insights queries.  | 
|  ListEntitiesForLogGroup (CloudWatch console-only permission)  |  `logs:ListEntitiesForLogGroup` Required to find the entities associated with a log group. Required to explore related logs within the CloudWatch console.  | 
|  ListLogGroupsForEntity (CloudWatch console-only permission)  |  `logs:ListLogGroupsForEntity` Required to find the log groups associated with an entity. Required to explore related logs within the CloudWatch console.  | 
|  [ListTagsLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ListTagsLogGroup.html)  |  `logs:ListTagsLogGroup` Required to list the tags associated with a log group.  | 
|  [ListLogGroups](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_API_ListLogGroups.html)  |  `logs:DescribeLogGroups` Required to view all log groups associated with the account.  | 
|  [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html)  |  `logs:PutDestination` Required to create or update a destination log stream (such as an Kinesis stream).  | 
|  [PutDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestinationPolicy.html)  |  `logs:PutDestinationPolicy` Required to create or update an access policy associated with an existing log destination.  | 
|  [PutLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html)  |  `logs:PutLogEvents` Required to upload a batch of log events to a log stream.  | 
|  [PutMetricFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutMetricFilter.html)  |  `logs:PutMetricFilter` Required to create or update a metric filter and associate it with a log group.  | 
|  [PutQueryDefinition](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutQueryDefinition.html)  |  `logs:PutQueryDefinition` Required to save a query in CloudWatch Logs Insights, including saved queries with parameters.  | 
|  [PutResourcePolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutResourcePolicy.html)  |  `logs:PutResourcePolicy` Required to create a CloudWatch Logs resource policy.  | 
|  [PutRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutRetentionPolicy.html)  |  `logs:PutRetentionPolicy` Required to set the number of days to keep log events (retention) in a log group.  | 
|  [PutSubscriptionFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutSubscriptionFilter.html)  |  `logs:PutSubscriptionFilter` Required to create or update a subscription filter and associate it with a log group.  | 
|  [StartQuery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StartQuery.html)  |  `logs:StartQuery` Required to start CloudWatch Logs Insights queries. To run a saved query with parameters, you also need `logs:DescribeQueryDefinitions`.  | 
|  [StopQuery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StopQuery.html)  |  `logs:StopQuery` Required to stop a CloudWatch Logs Insights query that is in progress.  | 
|  [TagLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_TagLogGroup.html)  |  `logs:TagLogGroup` Required to add or update log group tags.  | 
|  [TestMetricFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_TestMetricFilter.html)  |  `logs:TestMetricFilter` Required to test a filter pattern against a sampling of log event messages.  | 

# Using service-linked roles for CloudWatch Logs
Using service-linked roles

Amazon CloudWatch Logs uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html). A service-linked role is a unique type of IAM role that is linked directly to CloudWatch Logs. Service-linked roles are predefined by CloudWatch Logs and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up CloudWatch Logs more efficient because you aren't required to manually add the necessary permissions. CloudWatch Logs defines the permissions of its service-linked roles, and unless defined otherwise, only CloudWatch Logs can assume those roles. The defined permissions include the trust policy and the permissions policy. That permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for CloudWatch Logs


CloudWatch Logs uses the service-linked role named **AWSServiceRoleForLogDelivery**. CloudWatch Logs uses this service-linked role to write logs directly to Firehose. For more information, see [Enable logging from AWS services](AWS-logs-and-resource-policy.md).

The **AWSServiceRoleForLogDelivery** service-linked role trusts the following services to assume the role:
+ `logs.amazonaws.com`

The role permissions policy allows CloudWatch Logs to complete the following actions on the specified resources:
+ Action: `firehose:PutRecord` and `firehose:PutRecordBatch` on all Firehose streams that have a tag with a `LogDeliveryEnabled` key with a value of `True`. This tag is automatically attached to an Firehose stream when you create a subscription to deliver the logs to Firehose.

You must configure permissions to allow an IAM entity to create, edit, or delete a service-linked role. This entity could be a user, group, or role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for CloudWatch Logs


You aren't required to manually create a service-linked role. When you set up logs to be sent directly to a Firehose stream in the AWS Management Console, the AWS CLI, or the AWS API, CloudWatch Logs creates the service-linked role for you. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you again set up logs to be sent directly to a Firehose stream, CloudWatch Logs creates the service-linked role for you again. 

## Editing a service-linked role for CloudWatch Logs


CloudWatch Logs does not allow you to edit **AWSServiceRoleForLogDelivery**, or any other service-linked role, after you create it. You cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for CloudWatch Logs


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the CloudWatch Logs service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete CloudWatch Logs resources used by the **AWSServiceRoleForLogDelivery** service-linked role**
+ Stop sending logs directly to Firehose streams.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the **AWSServiceRoleForLogDelivery** service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role)

### Supported Regions for CloudWatch Logs service-linked roles


CloudWatch Logs supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [CloudWatch Logs Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#cwl_region).

# CloudWatch Logs updates to AWS service linked roles
Policy updates



View details about updates to AWS service linked role for CloudWatch Logs since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Logs Document history page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [ AWSServiceRoleForLogDelivery service-linked role policy](AWS-logs-infrastructure-Firehose.md) – Update to an existing policy  |  CloudWatch Logs changed the permissions in the IAM policy associated with the **AWSServiceRoleForLogDelivery** service-linked role. The following change was made: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.html)  | July 15, 2021 | 
|  CloudWatch Logs started tracking changes  |  CloudWatch Logs started tracking changes for its AWS managed policies.  | June 10, 2021 |