From c20f8878daaefeb25e90e3048008983a954c0957 Mon Sep 17 00:00:00 2001
From: Jake Billo
Date: Mon, 5 Mar 2018 16:01:42 -0500
Subject: [PATCH] Update IAM permissions needed for CloudWatch Logs

According to the AWS documentation for the CloudWatch Logs permissions reference [1], the IAM policy to permit or deny CloudWatch Logs actions uses the `logs:` prefix rather than `cloudwatchlogs:`. This commit updates the policy additions JSON file as well as the README to reflect this change. I confirmed this having assumed an appropriate role in an AWS account, then executing the AWS CLI command `aws logs describe-log-groups`; with the `cloudwatchlogs:` prefix an AccessDeniedException was returned to the client.
[1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html
---
 README.md | 9 ++++-----
 prowler-policy-additions.json | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 0121f8fa..f33dad90 100644
--- a/README.md
+++ b/README.md
@@ -186,8 +186,6 @@ Instead of using default policy SecurityAudit for the account you use for checks
 "cloudtrail:gettrailstatus",
 "cloudtrail:listtags",
 "cloudwatch:describe*",
- "cloudwatchlogs:describeloggroups",
- "cloudwatchlogs:describemetricfilters",
 "codecommit:batchgetrepositories",
 "codecommit:getbranch",
 "codecommit:getobjectidentifier",
@@ -229,7 +227,8 @@ Instead of using default policy SecurityAudit for the account you use for checks
 "kms:list*",
 "lambda:getpolicy",
 "lambda:listfunctions",
- "logs:DescribeMetricFilters",
+ "logs:DescribeLogGroups",
+ "logs:DescribeMetricFilters",
 "rds:describe*",
 "rds:downloaddblogfileportion",
 "rds:listtagsforresource",
@@ -294,9 +293,9 @@ Alternatively, here is a policy which defines the permissions which are NOT pres
 "Action": [
 "acm:DescribeCertificate",
 "acm:ListCertificates",
- "cloudwatchlogs:describeLogGroups",
- "cloudwatchlogs:DescribeMetricFilters",
 "es:DescribeElasticsearchDomainConfig",
+ "logs:DescribeLogGroups",
+ "logs:DescribeMetricFilters",
 "ses:GetIdentityVerificationAttributes",
 "sns:ListSubscriptionsByTopic"
 ],
diff --git a/prowler-policy-additions.json b/prowler-policy-additions.json
index 66ba909c..0732fd84 100644
--- a/prowler-policy-additions.json
+++ b/prowler-policy-additions.json
@@ -5,9 +5,9 @@
 "Action": [
 "acm:describecertificate",
 "acm:listcertificates",
- "cloudwatchlogs:describeloggroups",
- "cloudwatchlogs:describemetricfilters",
 "es:describeelasticsearchdomainconfig",
+ "logs:DescribeLogGroups",
+ "logs:DescribeMetricFilters",
 "ses:getidentityverificationattributes",
 "sns:listsubscriptionsbytopic",
 "guardduty:ListDetectors"
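Review bot: The two added entries `"logs:DescribeLogGroups"` and `"logs:DescribeMetricFilters"` in prowler-policy-additions.json are written in CamelCase inside an action list whose other entries are all-lowercase (`"acm:describecertificate"`, `"es:describeelasticsearchdomainconfig"`), so the file now mixes two conventions; IAM matches the service prefix and action name case-insensitively, so this is a point of style rather than a functional defect, but a single convention per file makes the list easier to compare against the AWS action reference and against README.md. Either lowercase the new lines to match their neighbours or, preferably, normalise the whole list (including the pre-existing `"guardduty:ListDetectors"`) to the documented CamelCase form, and apply the same choice to the two README.md hunks at lines 227 and 293, which have the same mix. This action list is also hand-duplicated in README.md, and the diff itself shows the copies had already drifted (the first README list carried `"logs:DescribeMetricFilters"` alongside the wrong-prefix entries while this file did not), so a one-line README sentence such as `The canonical list is prowler-policy-additions.json; the snippets below are copies of it.` would give maintainers one place to update. The `"Action"` array is closed outside the hunk, so the statement's Effect and Resource elements are not visible here.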