Merge pull request #187 from rtkjbillo/update_cloudwatch_logs_permissions

Update IAM permissions needed for CloudWatch Logs

README.md

@@ -186,8 +186,6 @@ Instead of using default policy SecurityAudit for the account you use for checks
             "cloudtrail:gettrailstatus",
             "cloudtrail:listtags",
             "cloudwatch:describe*",
-            "cloudwatchlogs:describeloggroups",
-            "cloudwatchlogs:describemetricfilters",
             "codecommit:batchgetrepositories",
             "codecommit:getbranch",
             "codecommit:getobjectidentifier",
@@ -229,7 +227,8 @@ Instead of using default policy SecurityAudit for the account you use for checks
             "kms:list*",
             "lambda:getpolicy",
             "lambda:listfunctions",
-            "logs:DescribeMetricFilters",
+            "logs:DescribeLogGroups",
+            "logs:DescribeMetricFilters",  
             "rds:describe*",
             "rds:downloaddblogfileportion",
             "rds:listtagsforresource",
@@ -294,9 +293,9 @@ Alternatively, here is a policy which defines the permissions which are NOT pres
       "Action": [
         "acm:DescribeCertificate",
         "acm:ListCertificates",
-        "cloudwatchlogs:describeLogGroups",
-        "cloudwatchlogs:DescribeMetricFilters",
         "es:DescribeElasticsearchDomainConfig",
+        "logs:DescribeLogGroups",
+        "logs:DescribeMetricFilters",        
         "ses:GetIdentityVerificationAttributes",
         "sns:ListSubscriptionsByTopic"
       ],

prowler-policy-additions.json

@@ -5,9 +5,9 @@
       "Action": [
         "acm:describecertificate",
         "acm:listcertificates",
-        "cloudwatchlogs:describeloggroups",
-        "cloudwatchlogs:describemetricfilters",
         "es:describeelasticsearchdomainconfig",
+        "logs:DescribeLogGroups",
+        "logs:DescribeMetricFilters",
         "ses:getidentityverificationattributes",
         "sns:listsubscriptionsbytopic",
         "guardduty:ListDetectors"