
logs:CreateLogDelivery and logs:DeleteLogDelivery missing #12

Open
danygielow opened this issue Apr 13, 2022 · 1 comment

@danygielow

Hi,

thank you for this tool. But I have found some undetected actions.

When creating VPC flow logs and probably other logs, the action logs:CreateLogDelivery is needed. To delete it, logs:DeleteLogDelivery is needed:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

@iann0036
Owner

Hey @danygielow,

Thanks for raising!

This is a pretty interesting find. I played around with a bunch of the services in the table you linked with an explicit deny on logs:CreateLogDelivery and was able to ignore the documented requirements, except for VPC flow logs. I was also able to create and delete log groups with an explicit deny on logs:DeleteLogDelivery.

I've added the requirement for logs:CreateLogDelivery on EC2.CreateFlowLogs for now, but this probably needs a little more research. It'll propagate to permissions.cloud within 24 hours, and I'll have it in iamlive in a few days.
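As an added illustration (not code from iamlive or from anyone in this thread), the check below applies the finding above to an identity policy: it reports which dependent `logs:` actions the policy fails to allow for the flow-log API calls. The dependency table and the sample policies are constructed from this thread (logs:DeleteLogDelivery for ec2:DeleteFlowLogs is the reporter's claim, not confirmed by the maintainer), and the IAM evaluation is deliberately simplified: explicit Deny wins over Allow, wildcards are honoured, resources and conditions are ignored.

```python
import fnmatch

# Dependent actions named in this thread (assumed table, not from iamlive's data).
FLOW_LOG_ACTIONS = {
    "ec2:CreateFlowLogs": ["logs:CreateLogDelivery"],
    "ec2:DeleteFlowLogs": ["logs:DeleteLogDelivery"],
}

# Constructed sample policies.
NARROW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateFlowLogs", "ec2:DeleteFlowLogs"], "Resource": "*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:CreateFlowLogs", "ec2:DeleteFlowLogs",
        "logs:CreateLogDelivery", "logs:DeleteLogDelivery"]}]}
# The maintainer's test setup: broad Allow plus an explicit Deny on one action.
DENY_TEST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "logs:CreateLogDelivery", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def action_allowed(policy, action):
    """Simplified identity-policy evaluation: any matching Deny wins,
    otherwise any matching Allow grants. Matching is case-insensitive
    with IAM-style '*' / '?' wildcards."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")) if not isinstance(policy.get("Statement"), dict) else [policy["Statement"]]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_dependencies(policy, api_action):
    """Actions still needed before api_action can succeed under this policy.
    If the API action itself is not allowed, that is the only item reported."""
    if not action_allowed(policy, api_action):
        return [api_action]
    return [dep for dep in FLOW_LOG_ACTIONS.get(api_action, [])
            if not action_allowed(policy, dep)]
```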
