I want to add an Amazon CloudWatch log group as a target to an Amazon EventBridge rule.
Resolution
To configure a CloudWatch log group as a target for an EventBridge rule, you can use the EventBridge console. Or, you can use the AWS SDK, API, AWS Cloud Development Kit (AWS CDK), or AWS Command Line Interface (AWS CLI).
Use the EventBridge console
Complete the following steps:
- Open the EventBridge console.
- In the navigation pane, choose Rules.
- Choose Create rule, and then enter a name and optional description for the rule.
Note: You can also add the log group to an existing rule.
- For Target type, choose AWS service.
- For Select a target, select CloudWatch log group.
Note: To add a CloudWatch log group as a target, you can either create a new log group or use an existing log group. When you use the console, the log group name must start with a forward slash (/).
When you use the EventBridge console to configure the target, the EventBridge service automatically updates the log group's resource policy so that the service has permission to access the log group.
Use the AWS SDK, API, AWS CDK, or AWS CLI
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Complete the following steps:
- To add the required permissions to the log group's resource policy so that EventBridge can access the target log group, use the PutResourcePolicy API. Or, run the put-resource-policy AWS CLI command.
Example resource policy with the required permissions:
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "events.amazonaws.com",
          "delivery.logs.amazonaws.com"
        ]
      },
      "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
      "Sid": "TrustEventsToStoreLogEvent"
    }
  ],
  "Version": "2012-10-17"
}
Note: The current quota is 10 policies per AWS Region, per AWS account. If you exceed this quota, then delete unused policies or combine multiple policies.
- Use the DescribeResourcePolicies API or run the describe-resource-policies AWS CLI command to check that your policy is correctly applied.
- (Optional) Use the PutRule API or run the put-rule AWS CLI command to create rules.
- Use the PutTargets API or run the put-targets AWS CLI command to add the log group to the EventBridge rule.
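The check in the DescribeResourcePolicies step can be scripted. The following is an added example, not AWS code: it parses describe-resource-policies output and reports which of the two required actions events.amazonaws.com still lacks on a given log group. The sample output, Region, account ID, policy name, and the function name missing_actions are constructed for illustration, and Deny statements and Condition blocks are not evaluated.

```python
import json
import re

REQUIRED = {"logs:CreateLogStream", "logs:PutLogEvents"}

# Constructed sample of describe-resource-policies output; policyDocument is a JSON string.
# The Region, account ID and policy name are placeholders chosen for this example.
SAMPLE = {"resourcePolicies": [{
    "policyName": "TrustEventsToStoreLogEvents",
    "policyDocument": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustEventsToStoreLogEvent",
            "Effect": "Allow",
            "Principal": {"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/events/*:*",
        }],
    }),
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM-style wildcards: * is any run of characters, ? is exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def missing_actions(describe_output, region, account, log_group):
    """Return the required actions that no Allow statement grants EventBridge on log_group.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    stream_arn = f"arn:aws:logs:{region}:{account}:log-group:{log_group}:log-stream:example"
    missing = set(REQUIRED)
    for policy in describe_output.get("resourcePolicies", []):
        document = json.loads(policy["policyDocument"])
        for stmt in _as_list(document.get("Statement", [])):
            principal = stmt.get("Principal", {})
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            if stmt.get("Effect") != "Allow" or "events.amazonaws.com" not in services:
                continue
            if not any(_matches(r, stream_arn) for r in _as_list(stmt.get("Resource", []))):
                continue
            for action in _as_list(stmt.get("Action", [])):
                missing -= {a for a in missing if _matches(action.lower(), a.lower())}
    return missing

if __name__ == "__main__":
    for name in ("/aws/events/demo", "/custom/demo"):
        print(name, sorted(missing_actions(SAMPLE, "us-east-1", "111122223333", name)))
```

With the example policy above, a log group under /aws/events/ reports nothing missing, while a log group outside that prefix reports both actions missing because the Resource pattern does not cover it. For real input, pass the parsed JSON output of the describe-resource-policies command instead of SAMPLE.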
Related information
Event bus targets in EventBridge
Event bus targets available in the EventBridge console
CloudWatch Logs permissions