PutResourcePolicy
Creates or updates a resource policy allowing other AWS services, such as Amazon Route 53, to put log events to this account. This API has the following restrictions:
- Supported actions - Policy only supports logs:PutLogEvents and logs:CreateLogStream actions
- Supported principals - Policy only applies when operations are invoked by AWS service principals (not IAM users, roles, or cross-account principals)
- Policy limits - An account can have a maximum of 10 policies without resourceARN and one per LogGroup resourceARN
Important
Resource policies with actions invoked by non-AWS service principals (such as IAM users, roles, or other AWS accounts) will not be enforced. For access control involving these principals, use IAM policies.
Request Syntax
{
   "expectedRevisionId": "string",
   "policyDocument": "string",
   "policyName": "string",
   "resourceArn": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- expectedRevisionId
-
The expected revision ID of the resource policy. Required when resourceArn is provided to prevent concurrent modifications. Use null when creating a resource policy for the first time.
Type: String
Length Constraints: Minimum length of 1.
Required: No
- policyDocument
-
Details of the new policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. This parameter is required.
The following example creates a resource policy enabling the Route 53 service to put DNS query logs into the specified log group. Replace "logArn" with the ARN of your CloudWatch Logs resource, such as a log group or log stream.
CloudWatch Logs also supports aws:SourceArn and aws:SourceAccount condition context keys.
In the example resource policy, you would replace the value of SourceArn with the resource making the call from Route 53 to CloudWatch Logs. You would also replace the value of SourceAccount with the AWS account ID making that call.
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Route53LogsToCloudWatchLogs",
         "Effect": "Allow",
         "Principal": {
            "Service": [ "route53.amazonaws.com" ]
         },
         "Action": "logs:PutLogEvents",
         "Resource": "logArn",
         "Condition": {
            "ArnLike": { "aws:SourceArn": "myRoute53ResourceArn" },
            "StringEquals": { "aws:SourceAccount": "myAwsAccountId" }
         }
      }
   ]
}
Type: String
Length Constraints: Minimum length of 1. Maximum length of 5120.
Required: No
- policyName
-
Name of the new policy. This parameter is required.
Type: String
Required: No
- resourceArn
-
The ARN of the CloudWatch Logs resource to which the resource policy needs to be added or attached. Currently only supports LogGroup ARN.
Type: String
Required: No
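The restrictions listed at the top of this page and the policyDocument constraints above can be checked before a policy is submitted. The following Python linter is an added example, not part of the AWS reference or any AWS SDK; the names lint_policy_document, GOOD and BAD are assumptions, and the account ID in BAD is a constructed sample value. It also flags Allow statements that lack the aws:SourceArn and aws:SourceAccount conditions used in the page's Route 53 example.

```python
import json
# Limits come from this page; function and finding names are assumptions of this example.
SUPPORTED_ACTIONS = {"logs:putlogevents", "logs:createlogstream"}  # compared case-insensitively
MAX_POLICY_LENGTH = 5120
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

def _as_list(value):
    """Policy JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def lint_policy_document(policy_document: str) -> list:
    """Return findings for a policyDocument string before it is sent to PutResourcePolicy."""
    findings = []
    if not 1 <= len(policy_document) <= MAX_POLICY_LENGTH:
        findings.append(f"length {len(policy_document)} outside 1..{MAX_POLICY_LENGTH}")
    try:
        policy = json.loads(policy_document)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return findings + ["top level is not a JSON object"]
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action")):
            if str(action).lower() not in SUPPORTED_ACTIONS:
                findings.append(f"{sid}: unsupported action {action}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"{sid}: principal is not an AWS service principal, not enforced")
        if stmt.get("Effect") == "Allow":
            keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
            for missing in sorted(SCOPING_KEYS - keys):
                findings.append(f"{sid}: Allow without {missing} condition")
    return findings

# Constructed samples: the page's Route 53 policy (placeholders kept) and one that breaks the rules.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Route53LogsToCloudWatchLogs", "Effect": "Allow",
    "Principal": {"Service": ["route53.amazonaws.com"]},
    "Action": "logs:PutLogEvents", "Resource": "logArn",
    "Condition": {"ArnLike": {"aws:SourceArn": "myRoute53ResourceArn"},
                  "StringEquals": {"aws:SourceAccount": "myAwsAccountId"}}}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["logs:PutLogEvents", "logs:DeleteLogGroup"], "Resource": "*"}]})
if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_policy_document(doc) or "no findings")
```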
Response Syntax
{
"resourcePolicy": {
"lastUpdatedTime": number,
"policyDocument": "string",
"policyName": "string",
"policyScope": "string",
"resourceArn": "string",
"revisionId": "string"
},
"revisionId": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- resourcePolicy
-
The new policy.
Type: ResourcePolicy object
- revisionId
-
The revision ID of the created or updated resource policy. Only returned for resource-scoped policies.
Type: String
Length Constraints: Minimum length of 1.
Errors
For information about the errors that are common to all actions, see Common Errors.
- InvalidParameterException
-
A parameter is specified incorrectly.
HTTP Status Code: 400
- LimitExceededException
-
You have reached the maximum number of resources that can be created.
HTTP Status Code: 400
- OperationAbortedException
-
Multiple concurrent requests to update the same resource were in conflict.
HTTP Status Code: 400
- ResourceNotFoundException
-
The specified resource does not exist.
HTTP Status Code: 400
- ServiceUnavailableException
-
The service cannot complete the request.
HTTP Status Code: 500
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: