cloudwatch-log-groups

Type: Official
Publisher: common-fate
Version: v0.3.1
Source Code: github.com
Published: 11 days ago

Deploy this provider

Config Schema

cloudwatch_read_role_arn | string | The ARN of the AWS IAM Role with permission to read CloudWatch log groups | false
cloudwatch_regions | string | comma-separated regions to query for CloudWatch log groups in | false
sso_identity_store_id | string | the AWS SSO identity store ID | false
sso_instance_arn | string | the AWS SSO instance ARN | false
sso_region | string | the AWS SSO instance region | false
sso_role_arn | string | The ARN of the AWS IAM Role with permission to create AWS SSO Permission Sets | false



This Access Provider provisions a temporary AWS IAM Identity Center Permission Set which grants access to read a CloudWatch log group. When making an access request, users will specify the following parameters:

log_group: the ARN of the CloudWatch log group to grant read access to

The Access Provider provisions a Permission Set and attaches the following inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:GetLogGroupFields",
        "logs:GetLogRecord",
        "logs:GetQueryResults",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "logs:DescribeSubscriptionFilters",
        "logs:ListTagsLogGroup",
        "logs:GetDataProtectionPolicy",
      ],
      "Resource": [f"{target.log_group}:*"],
    },
    // These permissions are not required to view log group data,
    // but allowing users to view metadata about logs results in
    // a far better console user experience.
    //
    // This allows for users to view metadata about log groups
    // other than the one they have requested, and to view
    // metric data. This provider does not consider these to be
    // sensitive and in fact may be of assistance to a user who
    // is using this provider to get access to logs when responding
    // to an incident.
    //
    // In future we will introduce a configuration option allowing
    // this policy statement to be disabled, so that metadata
    // about other log groups and metrics cannot be viewed.
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeMetricFilters",
        "cloudwatch:GetMetricData",
      ],
      "Resource": ["*"],
    },
  ],
}
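As an added example (not Common Fate's code), the Python sketch below renders the policy above for one requested log group and reports which actions end up granted on Resource "*" rather than on that log group. The ARN validation, the function names and the include_metadata switch are assumptions made for illustration; the page only says that a configuration option for the second statement is planned.

```python
import json
import re

# Log group ARN without the trailing ":*"; wildcard characters never match.
LOG_GROUP_ARN = re.compile(
    r"arn:(aws|aws-cn|aws-us-gov):logs:[a-z0-9-]+:\d{12}:log-group:[A-Za-z0-9_./#-]{1,512}"
)

# Actions copied from the two statements of the policy shown above.
READ_ACTIONS = [
    "logs:GetLogDelivery", "logs:GetLogEvents", "logs:GetLogGroupFields",
    "logs:GetLogRecord", "logs:GetQueryResults", "logs:StartQuery",
    "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents",
    "logs:DescribeSubscriptionFilters", "logs:ListTagsLogGroup",
    "logs:GetDataProtectionPolicy",
]
METADATA_ACTIONS = [
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
    "logs:DescribeMetricFilters", "cloudwatch:GetMetricData",
]


def build_policy(log_group_arn: str, include_metadata: bool = True) -> dict:
    """Render the inline policy for exactly one requested log group.

    include_metadata is a hypothetical switch, not an existing provider option.
    """
    # Reject anything that is not a single concrete ARN, so a value such as
    # "arn:aws:logs:*:*:log-group:*" cannot widen the Resource element.
    if not LOG_GROUP_ARN.fullmatch(log_group_arn):
        raise ValueError(f"not a single log group ARN: {log_group_arn!r}")
    statements = [
        {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": [f"{log_group_arn}:*"]}
    ]
    if include_metadata:
        statements.append({"Effect": "Allow", "Action": METADATA_ACTIONS, "Resource": ["*"]})
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_actions(policy: dict) -> list[str]:
    """Actions granted on Resource "*", i.e. beyond the requested log group."""
    return sorted(a for s in policy["Statement"] if "*" in s["Resource"] for a in s["Action"])


if __name__ == "__main__":
    arn = "arn:aws:logs:ap-southeast-2:123456789012:log-group:/app/payments"  # constructed
    policy = build_policy(arn)
    print(json.dumps(policy, indent=2))
    print("granted on *:", unscoped_actions(policy))
```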

Deployment architecture

We recommend adopting the following account architecture when deploying this Access Provider:

Account architecture

The Access Provider should be deployed in the same AWS account as your Common Fate deployment.

Getting started


To use this Access Provider you'll need to have deployed Common Fate. You'll also need to download the cf CLI.

You will also need AWS credentials with the ability to deploy CloudFormation templates.

To use this Access Provider, you need to have AWS IAM Identity Center set up in your AWS Organization. Please contact us via Slack if you'd like to use this Access Provider, but are not using IAM Identity Center.

1. Deploy access roles

First, deploy the IAM roles below.

CloudWatch read role

This role is used to list CloudWatch log groups to determine the available log groups for users to select.

Deploy this role into the account with the log groups you wish to grant access to:

Launch Stack

AWS SSO provisioning role

This role allows the Access Provider to create temporary Permission Sets in IAM Identity Center, and attach an inline policy allowing read access to CloudWatch log data.

Deploy this role into either the root account of your AWS organization, or into an account which is given Delegated Administration privileges:

Launch Stack

2. Deploy the Access Provider

To deploy this Access Provider, open a terminal window and assume an AWS role with access to deploy CloudFormation resources in the Common Fate account. Then, run:

cf provider deploy

and select the common-fate/cloudwatch-log-groups Provider when prompted.
