AWS Lambda IAM 策略未按预期对 CloudWatch Logs 起作用

Question

我目前的 Lambda 函数策略如下：

{"Statement": [
    {
        "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:us-east-1:<MY-ACCOUNT-NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>:*",
        "Effect": "Allow"
    }
]}

我注意到 CloudWatch 日志中缺少我的一些打印日志，当我将其带入策略模拟器并尝试对以下资源运行 CloudWatch CreateLogStream 和 PutLogEvent 操作时，

• 日志组：arn:aws:logs:us-east-1:<MY_ACCOUNT_NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>，和
• 日志流：arn:aws:logs:us-east-1:<MY_ACCOUNT_NUMBER:log-group:/<MY>/<LOGGING>/<DIR>:log-stream:<MY>/<LOG>/<STREAM>

分别，我收到了权限错误：Denied Implicitly denied (no matching statements).

我注意到，当我将策略中的 Resource 更改为不包含尾随的 :* 时（因此它看起来像这样："Resource": "arn:aws:logs:us-east-1:<MY-ACCOUNT-NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>", CreateLogStream 操作工作正常。但是，由于权限，PutLogEvents 操作仍然失败.

如果有人能指出正确的方向，说明为什么此策略在模拟器中不起作用，我将不胜感激，因为我完全不知所措。

Answer 1

应尽量减少在资源中使用通配符。

我建议使用以下策略来尝试授予最低限度的必要访问权限：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:us-east-1:<ACCOUNT-ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:<ACCOUNT-ID>:log-group:/aws/lambda/<LAMBDA-FUNCTION-NAME>",
                "arn:aws:logs:us-east-1:<ACCOUNT-ID>:log-group:/aws/lambda/<LAMBDA-FUNCTION-NAME>:log-stream:*",
            ]
        }
    ]
}