When I try to create an AWS resource or turn on Amazon CloudWatch Logs for an AWS service, I receive the error "Unable to enable logging. Policy document length breaking CloudWatch Logs Constraints."
Short description
Amazon CloudWatch resource policies have a maximum size of 51,200 bytes. When your policy reaches this quota, you receive an error. You can review the error details in the AWS CloudTrail Event history.
Resolution
To check your current resource policies and modify them, complete the following steps:
- Run the following describe-resource-policies command to check your current resource policies:
aws logs describe-resource-policies --region REGION-NAME > resource.json
Note: Replace REGION-NAME with your AWS Region. If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version. You can use only the AWS CLI to check CloudWatch resource policies.
- Save the output to a JSON file that's named resource.json.
- Copy the AWSLogDeliveryWrite20150319 policy from resource.json, and then paste the policy into a text editor.
- To reduce the number of characters in your policy, do the following:
  Remove entries that you don't use, such as resources and log streams.
  Replace resource Amazon Resource Names (ARNs) with the wildcard character *.
  Attach a new resource policy that has the required permissions.
Example resource policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:869614222995:log-group:aws-waf-logs-albwafs:log-stream:xyz",
        "arn:aws:logs:us-east-1:869614222995:log-group:aws-s3:log-stream:abc"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "869614222995"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:869614222995:*"
        }
      }
    }
  ]
}
Note: The example shows a policy with two resources. When the resource policy reaches the quota of 51,200 bytes, AWS can't automatically add new permissions. You must manually modify the policy to grant the delivery.logs.amazonaws.com service principal permissions on the logs:CreateLogStream and logs:PutLogEvents actions. To stay within the quota, use a log group name prefix with wildcards, such as /aws/vendedlogs/* for future creation of log groups. If you want to use custom log group names, then edit the policy to include your specific resource names and confirm that the policy stays within the quota of 51,200 bytes.
- Run the following put-resource-policy command to replace the AWSLogDeliveryWrite20150319 resource policy with your edited version in resource.json:
aws logs put-resource-policy --policy-document file://resource.json --policy-name AWSLogDeliveryWrite20150319
Note: Replace AWSLogDeliveryWrite20150319 with the name of the resource policy that you want to replace.
When you add the new resource policy, you might receive the following error message that's related to CloudWatch quotas:
"Error: creating CloudWatch Logs Resource Policy (name): operation error CloudWatch Logs: PutResourcePolicy, exceeded maximum number of attempts, https response error StatusCode: 400, RequestID: 3d123ce1-f123-4d12-12b8-abc1234ba1a9, LimitExceededException: Resource limit exceeded."
CloudWatch allows a maximum of 10 CloudWatch Logs resource policies in your AWS account for each Region. You can't change this quota.
To remove an existing policy that you don't use, run the following delete-resource-policy command:
aws logs delete-resource-policy --policy-name POLICY-NAME
Note: Replace POLICY-NAME with the name of the resource policy you want to delete.
When you have fewer than 10 resource policies in your Region, run the put-resource-policy command to create a new resource policy.
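The following Python script is an added example, not part of the AWS article or the AWS CLI, that performs the two checks this page describes offline: it measures each policy document against the 51,200-byte quota, reports how many of the 10 per-Region policy slots remain, and applies the reduction from the note above by collapsing log-group ARNs under a prefix such as /aws/vendedlogs/ into one prefix wildcard ARN while leaving custom log group names explicit. The input is a constructed sample in the shape that describe-resource-policies returns (a resourcePolicies list whose policyDocument field holds the policy as a JSON string); the account ID 111122223333, the log group names and the timestamp are placeholders, not values from the page.

```python
import copy
import json

MAX_POLICY_BYTES = 51_200        # CloudWatch Logs resource policy size quota (from the page)
MAX_POLICIES_PER_REGION = 10     # resource policies per account per Region (from the page)

# Constructed sample policy document; account ID and log group names are placeholders.
SAMPLE_POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [
            "arn:aws:logs:us-east-1:111122223333:log-group:aws-waf-logs-albwafs:log-stream:xyz",
            "arn:aws:logs:us-east-1:111122223333:log-group:aws-s3:log-stream:abc",
            "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/app1:log-stream:s1",
            "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/app2:log-stream:s2",
        ],
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:111122223333:*"},
        },
    }],
}

# Constructed sample shaped like `aws logs describe-resource-policies` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "resourcePolicies": [{
        "policyName": "AWSLogDeliveryWrite20150319",
        "policyDocument": json.dumps(SAMPLE_POLICY_DOCUMENT),
        "lastUpdatedTime": 1700000000000,
    }]
}


def serialize(policy_doc):
    """Serialize without whitespace; this is the form to write to resource.json."""
    return json.dumps(policy_doc, separators=(",", ":"))


def policy_size_bytes(policy_doc):
    """Size of the serialized document in bytes, the unit the 51,200 quota is measured in."""
    return len(serialize(policy_doc).encode("utf-8"))


def audit(describe_output):
    """Per-policy size check plus the number of free policy slots in this Region."""
    policies = []
    for entry in describe_output["resourcePolicies"]:
        doc = json.loads(entry["policyDocument"])  # policyDocument is a JSON string
        size = policy_size_bytes(doc)
        policies.append({"name": entry["policyName"], "bytes": size,
                         "within_quota": size <= MAX_POLICY_BYTES})
    return {"policies": policies,
            "free_slots": MAX_POLICIES_PER_REGION - len(policies)}


def _split_log_arn(arn):
    """Return (arn prefix fields, log group name) for a CloudWatch Logs log-group ARN, else None.
    Layout: arn:aws:logs:REGION:ACCOUNT:log-group:NAME[:log-stream:STREAM]"""
    parts = arn.split(":", 6)
    if len(parts) < 7 or parts[2] != "logs" or parts[5] != "log-group":
        return None
    return parts[:5], parts[6].split(":")[0]


def compact_resources(policy_doc, group_prefix="/aws/vendedlogs/"):
    """Return a copy in which every log-group ARN whose name starts with group_prefix is
    replaced by the single wildcard ARN for that prefix; other ARNs are kept verbatim."""
    new_doc = copy.deepcopy(policy_doc)
    for stmt in new_doc["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):      # "Resource" may be a single string
            resources = [resources]
        kept = []
        for arn in resources:
            parsed = _split_log_arn(arn)
            if parsed and parsed[1].startswith(group_prefix):
                arn = ":".join(parsed[0] + ["log-group", group_prefix + "*"])
            if arn not in kept:             # collapsing produces duplicates; keep one
                kept.append(arn)
        stmt["Resource"] = kept
    return new_doc


if __name__ == "__main__":
    report = audit(SAMPLE_DESCRIBE_OUTPUT)
    for p in report["policies"]:
        print(f"{p['name']}: {p['bytes']} bytes, within quota: {p['within_quota']}")
    print(f"free policy slots in this Region: {report['free_slots']}")
    reduced = compact_resources(SAMPLE_POLICY_DOCUMENT)
    print(f"before: {policy_size_bytes(SAMPLE_POLICY_DOCUMENT)} bytes, "
          f"after: {policy_size_bytes(reduced)} bytes")
    print(serialize(reduced))   # paste this into resource.json for put-resource-policy
```

To run it against a real Region, replace SAMPLE_DESCRIBE_OUTPUT with json.load() of the resource.json file produced by the describe-resource-policies command above; the serialized reduced document is what put-resource-policy expects in --policy-document.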
Related information
Viewing recent management events with the console
Enable logging from AWS services