Update IAM permissions needed for CloudWatch Logs

According to the AWS documentation for the CloudWatch Logs permissions reference [1], the IAM policy to permit or deny CloudWatch Logs actions uses the `logs:` prefix rather than `cloudwatchlogs:`. This commit updates the policy additions JSON file as well as the README to reflect this change.

I confirmed this having assumed an appropriate role in an AWS account, then executing the AWS CLI command `aws logs describe-log-groups`; with the `cloudwatchlogs:` prefix an AccessDeniedException was returned to the client.

[1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html
Jake Billo
2018-03-05 16:01:42 -05:00
parent 6ccd1020e3
commit c20f8878da
2 changed files with 6 additions and 7 deletions


@@ -186,8 +186,6 @@ Instead of using default policy SecurityAudit for the account you use for checks
"cloudtrail:gettrailstatus",
"cloudtrail:listtags",
"cloudwatch:describe*",
"cloudwatchlogs:describeloggroups",
"cloudwatchlogs:describemetricfilters",
"codecommit:batchgetrepositories",
"codecommit:getbranch",
"codecommit:getobjectidentifier",
@@ -229,7 +227,8 @@ Instead of using default policy SecurityAudit for the account you use for checks
"kms:list*",
"lambda:getpolicy",
"lambda:listfunctions",
"logs:DescribeMetricFilters",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"rds:describe*",
"rds:downloaddblogfileportion",
"rds:listtagsforresource",
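Review bot: the `logs:` entries in this hunk are written in PascalCase (`logs:DescribeLogGroups`, `logs:DescribeMetricFilters`) while every neighbouring entry in the list is lowercase (`lambda:listfunctions`, `rds:describe*`). IAM matches action names case-insensitively, so the policy behaves the same either way, but one casing for the whole list would make it easier to grep and to compare against the policy file. It is also worth confirming that `logs:DescribeMetricFilters` ends up in the list only once, since it appears on both sides of `logs:DescribeLogGroups` here and the hunk header grows the block by a single line.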
@@ -294,9 +293,9 @@ Alternatively, here is a policy which defines the permissions which are NOT pres
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"cloudwatchlogs:describeLogGroups",
"cloudwatchlogs:DescribeMetricFilters",
"es:DescribeElasticsearchDomainConfig",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"ses:GetIdentityVerificationAttributes",
"sns:ListSubscriptionsByTopic"
],
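Review bot: the README's copy of the additions policy closes the `Action` array right after `sns:ListSubscriptionsByTopic`, but the policy file changed in this same commit also lists `guardduty:ListDetectors` after its `sns` entry. Since this hunk already brings the two lists into line on the `logs:` prefix, consider adding the missing action here as well, or stating in the README that the JSON file is the authoritative copy, so that users who paste the README version do not end up with a narrower policy than the file grants.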


@@ -5,9 +5,9 @@
"Action": [
"acm:describecertificate",
"acm:listcertificates",
"cloudwatchlogs:describeloggroups",
"cloudwatchlogs:describemetricfilters",
"es:describeelasticsearchdomainconfig",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"ses:getidentityverificationattributes",
"sns:listsubscriptionsbytopic",
"guardduty:ListDetectors"
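Review bot: the commit message reports testing only `aws logs describe-log-groups`, which exercises `logs:DescribeLogGroups` but not the `logs:DescribeMetricFilters` line added next to it in this hunk. Running `aws logs describe-metric-filters` under the same assumed role would confirm the second action is granted as well, and a repository-wide search for any remaining `cloudwatchlogs:` strings would show whether other policy copies still carry the prefix that IAM does not recognise.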