amazon-ec2 - Aws IAM 组：在 Terraform 上的日志组上设置只读访问权限

问题描述

有人知道如何设置对特定日志组的只读访问权限吗？

resource "aws_iam_policy" "logs" {
  name        = "AWSLogs${title(var.product)}"
  description = "Logging policy for ${title(var.product)}"
  policy      = <<EOF
  {
        "Version": "2012-10-17",
        "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                    "logs:Get*",
                    "logs:List*",
                    "logs:Filter*"
                ],
                "Resource": [
                    "arn:aws:logs:::log-group:${aws_cloudwatch_log_group.one.arn}:log-stream:*",
                    "arn:aws:logs:::log-group:${aws_cloudwatch_log_group.two.arn}:log-stream:*",
                    "arn:aws:logs:::log-group:${aws_cloudwatch_log_group.three.arn}:log-stream:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:DescribeLogGroups"
                ],
                "Resource": "*"
            }
        ]
   }
EOF
}


resource "aws_iam_group_policy_attachment" "logs" {
  group      = "${aws_iam_group.logs.name}"
  policy_arn = "${aws_iam_policy.logs.arn}"
}

resource "aws_iam_group" "logs" {
  name = "${title(var.product)}Logs"
}

我目前正在努力设置只能访问指定的日志组，但是当我将资源设置为“*”时，我只能访问它们。当我将其设置为专用于预定义的日志组时，这是不可能的。有人有好的做法或解决方案吗？当我在上面尝试这个解决方案时，我只得到

未授权执行： logs:FilterLogEvents ，当我尝试通过属于 IAM 组“日志”的用户访问它时。

标签： amazon-ec2terraformamazon-iamterraform-provider-aws