I want to add an Amazon CloudWatch log group as a target to an Amazon EventBridge rule.
Resolution
To configure a CloudWatch log group as a target for an EventBridge rule, you can use the EventBridge console. Or, you can use the AWS SDK, API, AWS Cloud Development Kit (AWS CDK), or AWS Command Line Interface (AWS CLI).
Use the EventBridge console
Complete the following steps:
- Open the EventBridge console.
- In the navigation pane, choose Rules.
- Choose Create rule, and then enter a name and optional description for the rule.
Note: You can also add the log group to an existing rule.
- For Target type, choose AWS service.
- For Select a target, select CloudWatch log group.
Note: To add a CloudWatch log group as a target, you can either create a new log group or use an existing log group. The log group name must start with /aws/events.
When you use the EventBridge console to configure the target, the EventBridge service automatically updates the log group's resource policy so that the service has permission to access the log group.
Use the AWS SDK, API, AWS CDK, or AWS CLI
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.
Complete the following steps:
- To add the required permissions to the log group's resource policy so that EventBridge can access the target log group, use the PutResourcePolicy API. Or, run the put-resource-policy AWS CLI command.
Example resource policy with the required permissions:
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "events.amazonaws.com",
          "delivery.logs.amazonaws.com"
        ]
      },
      "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
      "Sid": "TrustEventsToStoreLogEvent"
    }
  ],
  "Version": "2012-10-17"
}
Note: The current quota is 10 policies per AWS Region, per AWS account. If you exceed this quota, then delete unused policies or combine multiple policies.
- Use the DescribeResourcePolicies API or run the describe-resource-policies AWS CLI command to check that your policy is correctly applied.
- (Optional) Use the PutRule API or run the put-rule AWS CLI command to create rules.
- Use the PutTargets API or run the put-targets AWS CLI command to add the log group to the EventBridge rule.
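The following added example (not AWS's own code) shows one way to script the first two steps with the AWS SDK for Python and to check the DescribeResourcePolicies output: it reports which of the required actions EventBridge is still missing on a given log group. The policy name EventBridgeToLogs, the helper names, and the sample account ID are assumptions made for illustration.

```python
import fnmatch
import json

REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
EVENTS_PRINCIPAL = "events.amazonaws.com"

def as_list(value):
    return value if isinstance(value, list) else [value]

def build_policy(region, account):
    """The resource policy shown above, with region and account filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustEventsToStoreLogEvent",
            "Effect": "Allow",
            "Principal": {"Service": [EVENTS_PRINCIPAL, "delivery.logs.amazonaws.com"]},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/events/*:*",
        }],
    }

def missing_actions(describe_response, log_group_arn):
    """Required actions that no Allow statement grants EventBridge on the log group."""
    granted = set()
    for entry in describe_response.get("resourcePolicies", []):
        for stmt in as_list(json.loads(entry["policyDocument"]).get("Statement", [])):
            principal = stmt.get("Principal", {})
            services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            if stmt.get("Effect") != "Allow" or EVENTS_PRINCIPAL not in services:
                continue
            # fnmatch approximates the "*" and "?" wildcards used in policy ARNs.
            if not any(fnmatch.fnmatchcase(log_group_arn, r) for r in as_list(stmt.get("Resource", []))):
                continue
            for action in as_list(stmt.get("Action", [])):
                granted |= {a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a.lower(), action.lower())}
    return REQUIRED_ACTIONS - granted

def apply_and_verify(region, account, log_group_arn, policy_name="EventBridgeToLogs"):
    """PutResourcePolicy, then DescribeResourcePolicies. Needs boto3 and AWS credentials.
    policy_name is a hypothetical name chosen for this example."""
    import boto3  # imported here so missing_actions() can run without AWS access
    logs = boto3.client("logs", region_name=region)
    logs.put_resource_policy(policyName=policy_name,
                             policyDocument=json.dumps(build_policy(region, account)))
    return missing_actions(logs.describe_resource_policies(), log_group_arn)

# Constructed DescribeResourcePolicies response (sample account ID, not real data).
SAMPLE = {"resourcePolicies": [{"policyName": "EventBridgeToLogs",
          "policyDocument": json.dumps(build_policy("us-east-1", "111122223333"))}]}
```

An empty set from missing_actions means the policy covers the log group. A log group whose name does not start with /aws/events is reported as missing both actions, because the policy's Resource pattern does not match it.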
Related information
Amazon EventBridge targets
Targets available in the EventBridge console
CloudWatch Logs permissions