AWS CloudWatch Logs Tag Based Authorization Update

[tschumann]

I got the following email from AWS this week:

AWS is continuously on the lookout for opportunities to improve customer security, and as part of that effort, we recently updated our CloudWatch authorization strategy. As of October 30, 2022, tagging is supported for the “Destination” resource. Previously, CloudWatch Logs supported tagging only for the “Log Group” resource. We recommend that, for your IAM policies that are used to access the CreateLogGroup API, you add logs:TagResource permission to your IAM policies by January 31, 2023. The new logs:TagResource permission will not be required for existing accounts that previously used CreateLogGroup API with tags.

In order to tag new log groups using the CreateLogGroup API, we recommend you add logs:TagResource permission to your IAM policies [1]. Please see the following example of a recommended policy for CreateLogGroup API with Tags:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:TagResource"
],
"Effect": "Allow",
"Resource": "*"
}
]
}

We identified that you are using tagging APIs and recommend use the following new APIs that have “Resource” as the suffix, instead of “LogGroup”.
​
logs:TagResource
logs:UntagResource
logs:ListTagsForResource
​
The CloudWatch Logs team will not remove previous tagging APIs but the following APIs will no longer be actively developed:
TagLogGroup
UntagLogGroup
ListTagsLogGroup

Will this affect Serverless if trying to deploy resources to a new account that hasn't used the old APIs before?

[mgerlach]

We also received the same note (probably many have). Currently, Serverless does not seem to add the logs:TagResource permission to the default policy created for Lambda roles. The info sounds like this may lead at least to new Lambda LogGroups not being tagged when created by AWS Lambda. I am not sure if this applies only to new accounts or also to existing ones, I find the info a bit fuzzy regarding this, also says "we RECOMMEND you add logs:TagResouce ..." for new log groups. So it may even be not required at all...

To be safe, you could add the following IAM policy statement in serverless.yml (for Lambda):

service: <servicename>
stage: ...
provider:
  name: aws
  ...
  iam:
    role:
      statements:
        - Effect: "Allow"
          Action:
            - "logs:TagResource"
          Resource:
            - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${self:service}-${sls:stage}*:*"

or similar. Or open a PR for adding this to the default role ;)

[mgerlach]

Opened an issue: #11762

[mgerlach]

Issue closed with merge of #11766