How do I add a CloudWatch log group to use as a target for an EventBridge rule?


I want to add an Amazon CloudWatch log group as a target to an Amazon EventBridge rule.

Resolution

To configure a CloudWatch log group as a target for an EventBridge rule, you can use the EventBridge console. Or, you can use the AWS SDK, API, AWS Cloud Development Kit (AWS CDK), or AWS Command Line Interface (AWS CLI).

Use the EventBridge console

Complete the following steps:

  1. Open the EventBridge console.
  2. In the navigation pane, choose Rules.
  3. Choose Create rule, and then enter a name and optional description for the rule.
    Note: You can also add the log group to an existing rule.
  4. For Target type, choose AWS service.
  5. For Select a target, select CloudWatch log group.
    Note: To add a CloudWatch log group as a target, you can either create a new log group or use an existing log group. The log group must start with /aws/events.

When you use the EventBridge console to configure the target, the EventBridge service automatically updates the log group's resource policy so that the service has permission to access the log group.

Use the AWS SDK, API, AWS CDK, or AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.

Complete the following steps:

  1. To add the required permissions to the log group's resource policy so that EventBridge can access the target log group, use the PutResourcePolicy API. Or, run the put-resource-policy AWS CLI command.
    Example resource policy with the required permissions:
    {
      "Statement": [
        {
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "events.amazonaws.com",
              "delivery.logs.amazonaws.com"
            ]
          },
          "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
          "Sid": "TrustEventsToStoreLogEvent"
        }
      ],
      "Version": "2012-10-17"
    }
    Note: The current quota is 10 policies per AWS Region, per AWS account. If you exceed this quota, then delete unused policies or combine multiple policies.
  2. Use the DescribeResourcePolicies API or run the describe-resource-policies AWS CLI command to check that your policy is correctly applied.
  3. (Optional) Use the PutRule API or run the put-rule AWS CLI command to create rules.
  4. Use the PutTargets API or run the put-targets AWS CLI command to add the log group to the EventBridge rule.
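The following is an added example, not code from the AWS article: it builds the resource policy shown in step 1 for a given Region and account, checks that a target log group name satisfies the /aws/events prefix rule, and inspects a describe-resource-policies response (step 2) offline to confirm that events.amazonaws.com is granted both required actions on a specific log group ARN. The Region, account ID and log group names are constructed placeholders.

```python
import fnmatch
import json

REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
EVENTS_PRINCIPAL = "events.amazonaws.com"


def build_events_log_policy(region: str, account: str) -> dict:
    """Resource policy from the article, parameterised by Region and account ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustEventsToStoreLogEvent",
            "Effect": "Allow",
            "Principal": {"Service": [EVENTS_PRINCIPAL, "delivery.logs.amazonaws.com"]},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/events/*:*",
        }],
    }


def is_valid_target_log_group(name: str) -> bool:
    """EventBridge only accepts target log groups whose name starts with /aws/events."""
    return name.startswith("/aws/events")


def policy_grants_events(policy_document: str, log_group_arn: str) -> bool:
    """True if an Allow statement gives events.amazonaws.com both required
    actions on the log group; ARN wildcards are matched with fnmatch."""
    for stmt in json.loads(policy_document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if (EVENTS_PRINCIPAL in services and REQUIRED_ACTIONS <= actions
                and any(fnmatch.fnmatchcase(log_group_arn, r) for r in resources)):
            return True
    return False


def check_describe_response(response: dict, log_group_arn: str) -> list:
    """Names of the policies in a describe-resource-policies response that cover the log group."""
    return [p["policyName"] for p in response.get("resourcePolicies", [])
            if policy_grants_events(p["policyDocument"], log_group_arn)]


# Constructed stand-in for `aws logs describe-resource-policies` output (policyDocument is a JSON string).
SAMPLE_RESPONSE = {"resourcePolicies": [
    {"policyName": "TrustEventsToStoreLogEvent",
     "policyDocument": json.dumps(build_events_log_policy("us-east-1", "123456789012"))}]}
```

Replace SAMPLE_RESPONSE with the parsed output of the real describe-resource-policies call to run the same check against your account.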

Related information

Amazon EventBridge targets

Targets available in the EventBridge console

CloudWatch Logs permissions

1 Comment

But, if you use the AWS SDK/API/CDK/CLI, then you must manually update the log group's resource-based policy.

Now I created rules using CDK, but CDK automatically created resource-based policies for each rule. So, the number of resource-based policies easily reaches the limit. Is there any way to stop creating resource-based policies in CDK?

replied 5 months ago