When CloudWatch Logs is the target of a rule, EventBridge creates log streams, and CloudWatch Logs stores the text from the events as log entries. To allow EventBridge to create the log stream and log the events, CloudWatch Logs must include a resource-based policy that enables EventBridge to write to CloudWatch Logs.
If you use the AWS Management Console to add CloudWatch Logs as the target of a rule, the resource-based policy is created automatically. If you use the AWS CLI to add the target, and the policy doesn't already exist, you must create it.
[+] https://repost.aws/knowledge-center/cloudwatch-log-group-eventbridge
The resource-based policy is not visible in the console. Run the CLI command below to view the resource-based policy in a terminal.
aws logs describe-resource-policies --region <REGION>
[+] https://docs.aws.amazon.com/cli/latest/reference/logs/describe-resource-policies.html
To update your resource policy, please use put-resource-policy in the AWS CLI as you will not be able to edit a resource policy in the console.
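A check for the situation this answer describes, as an added example that is not part of the original answer or AWS's own code: it reads the JSON printed by `aws logs describe-resource-policies` and reports whether any policy lets the `events.amazonaws.com` service principal create log streams and put log events on a given log group. The account ID, log group, policy names and sample output are constructed, and IAM condition keys are not evaluated.

```python
import fnmatch
import json

NEEDED = {"logs:createlogstream", "logs:putlogevents"}  # IAM actions are case-insensitive
EVENTBRIDGE = "events.amazonaws.com"

def as_list(value):
    return value if isinstance(value, list) else [value]

def service_grants(describe_output, log_group_arn):
    """Return {service principal: needed actions allowed on the log group's streams}."""
    stream_arn = log_group_arn + ":log-stream:example"  # constructed stream name
    grants = {}
    for policy in describe_output.get("resourcePolicies", []):
        doc = json.loads(policy["policyDocument"])  # the CLI returns the document as a JSON string
        for stmt in as_list(doc.get("Statement", [])):
            principal = stmt.get("Principal")
            # Only Allow statements with service principals are considered here.
            if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
                continue
            if not any(fnmatch.fnmatchcase(stream_arn, r) for r in as_list(stmt.get("Resource", []))):
                continue
            actions = [a.lower() for a in as_list(stmt.get("Action", []))]
            allowed = {n for n in NEEDED if any(fnmatch.fnmatchcase(n, a) for a in actions)}
            for svc in as_list(principal.get("Service", [])):
                grants.setdefault(svc, set()).update(allowed)
    return grants

def eventbridge_can_write(describe_output, log_group_arn):
    return NEEDED <= service_grants(describe_output, log_group_arn).get(EVENTBRIDGE, set())

def sample_policy(name, services, resource):  # builds one constructed resourcePolicies entry
    doc = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": services},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": resource}]}
    return {"policyName": name, "policyDocument": json.dumps(doc)}

GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/events/orders"  # constructed
ONLY_DELIVERY = {"resourcePolicies": [sample_policy(
    "vended-logs", ["delivery.logs.amazonaws.com"],
    "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/*")]}
WITH_EVENTS = {"resourcePolicies": ONLY_DELIVERY["resourcePolicies"] + [sample_policy(
    "eventbridge-to-logs", [EVENTBRIDGE],
    "arn:aws:logs:us-east-1:111122223333:log-group:/aws/events/*:*")]}

if __name__ == "__main__":
    for label, output in (("only delivery.logs", ONLY_DELIVERY), ("with events", WITH_EVENTS)):
        print(label, "->", eventbridge_can_write(output, GROUP))
```

To run it against a real account, save the CLI output to a file, load it with `json.load`, and pass it in place of the constructed samples.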
Aha! That seems like it. However, I'm a little confused by the principal on that policy. For mine it is delivery.logs.amazonaws.com. How would pipes have access to that role? I don't see a service role that pipes would be using.
Also the user guide you linked has this to say about pipes: "EventBridge Pipes does not support resource-based policies and has no APIs which support resource based policy conditions." So I'm again very confused how this works :D