
Commit 505abc7

author
MAMIP Bot
committed
AWSObservabilityAdminTelemetryEnablementServiceRolePolicy - Policy Version v2
1 parent 90bf376 commit 505abc7

1 file changed

+267
-3
lines changed


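--- a/policies/AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
+++ b/policies/AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
@@ -1,7 +1,7 @@
 {
 "PolicyVersion": {
-"CreateDate": "2025-08-01T18:04:06Z",
-"VersionId": "v1",
+"CreateDate": "2025-12-02T01:19:06Z",
+"VersionId": "v2",
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
@@ -90,9 +90,14 @@
 {
 "Action": [
 "ec2:DeleteFlowLogs",
+"logs:CreateDelivery",
 "logs:CreateLogGroup",
 "logs:PutResourcePolicy",
-"logs:PutRetentionPolicy"
+"logs:PutRetentionPolicy",
+"logs:PutDeliveryDestination",
+"logs:PutDeliverySource",
+"logs:CreateLogStream",
+"logs:DescribeLogGroups"
 ],
 "Resource": "*",
 "Effect": "Allow",
@@ -104,6 +109,265 @@
 },
 "Sid": "TelemetryOperationsForLogs"
 },
+{
+"Action": [
+"eks:UpdateClusterConfig"
+],
+"Resource": "arn:aws:eks:*:*:cluster/*",
+"Effect": "Allow",
+"Condition": {
+"Bool": {
+"eks:loggingType/api": "true"
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForEKSApiLogs"
+},
+{
+"Action": [
+"eks:UpdateClusterConfig"
+],
+"Resource": "arn:aws:eks:*:*:cluster/*",
+"Effect": "Allow",
+"Condition": {
+"Bool": {
+"eks:loggingType/audit": "true"
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForEKSAuditLogs"
+},
+{
+"Action": [
+"eks:UpdateClusterConfig"
+],
+"Resource": "arn:aws:eks:*:*:cluster/*",
+"Effect": "Allow",
+"Condition": {
+"Bool": {
+"eks:loggingType/authenticator": "true"
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForEKSAuthenticatorLogs"
+},
+{
+"Action": [
+"eks:UpdateClusterConfig"
+],
+"Resource": "arn:aws:eks:*:*:cluster/*",
+"Effect": "Allow",
+"Condition": {
+"Bool": {
+"eks:loggingType/controllerManager": "true"
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForEKSControllerManagerLogs"
+},
+{
+"Action": [
+"eks:UpdateClusterConfig"
+],
+"Resource": "arn:aws:eks:*:*:cluster/*",
+"Effect": "Allow",
+"Condition": {
+"Bool": {
+"eks:loggingType/scheduler": "true"
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForEKSSchedulerLogs"
+},
+{
+"Action": [
+"wafv2:PutLoggingConfiguration"
+],
+"Resource": "arn:aws:wafv2:*:*:regional/webacl/*",
+"Effect": "Allow",
+"Condition": {
+"ArnLike": {
+"wafv2:LogDestinationResource": "arn:aws:logs:*:*:log-group:*"
+},
+"StringEquals": {
+"wafv2:LogScope": "CloudwatchTelemetryRuleManaged",
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForWafLoggingConfigurations"
+},
+{
+"Action": [
+"logs:CreateLogDelivery"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"ForAnyValue:StringEquals": {
+"aws:CalledVia": [
+"wafv2.amazonaws.com"
+]
+},
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForWafLogDelivery"
+},
+{
+"Action": [
+"elasticloadbalancing:AllowVendedLogDeliveryForResource"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForELB"
+},
+{
+"Action": [
+"bedrock-agentcore:AllowVendedLogDeliveryForResource"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForBedrock"
+},
+{
+"Action": [
+"cloudtrail:CreateServiceLinkedChannel",
+"cloudtrail:UpdateServiceLinkedChannel",
+"cloudtrail:DeleteServiceLinkedChannel"
+],
+"Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/cloudwatch/*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForCloudTrailLogs"
+},
+{
+"Action": [
+"logs:CreateLogGroup",
+"logs:PutResourcePolicy",
+"logs:PutRetentionPolicy"
+],
+"Resource": [
+"arn:aws:logs:*:*:log-group:aws/cloudtrail",
+"arn:aws:logs:*:*:log-group:aws/cloudtrail/*"
+],
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForManagedLogs"
+},
+{
+"Action": [
+"route53resolver:ListResolverQueryLogConfigs",
+"route53resolver:ListResolverQueryLogConfigAssociations"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "Route53QueryLoggingListOperations"
+},
+{
+"Action": [
+"route53resolver:GetResolverQueryLogConfig",
+"route53resolver:ListTagsForResource"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/CloudWatchTelemetryRuleManaged": "true",
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "Route53QueryLoggingGetOperations"
+},
+{
+"Action": [
+"route53resolver:CreateResolverQueryLogConfig",
+"route53resolver:TagResource"
+],
+"Resource": "arn:aws:route53resolver:*:*:resolver-query-log-config/*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/CloudWatchTelemetryRuleManaged": "true",
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "Route53QueryLoggingConfigCreation"
+},
+{
+"Action": [
+"route53resolver:AssociateResolverQueryLogConfig"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/CloudWatchTelemetryRuleManaged": "true",
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "Route53QueryLoggingConfigAssociation"
+},
+{
+"Action": [
+"iam:CreateServiceLinkedRole"
+],
+"Resource": "arn:*:iam::*:role/aws-service-role/route53resolver.amazonaws.com/AWSServiceRoleForRoute53Resolver",
+"Effect": "Allow",
+"Condition": {
+"BoolIfExists": {
+"aws:ViaAWSService": "true"
+},
+"StringEquals": {
+"iam:AWSServiceName": [
+"route53resolver.amazonaws.com"
+],
+"aws:ResourceAccount": "${aws:PrincipalAccount}"
+}
+},
+"Sid": "TelemetryOperationsForRoute53LogDeliverySLR"
+},
+{
+"Action": [
+"logs:CreateLogDelivery"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "TelemetryOperationsForRoute53LogDelivery"
+},
 {
 "Action": [
 "iam:CreateServiceLinkedRole"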
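Review bot: The new `TelemetryOperationsForRoute53LogDelivery` statement at the end of the third hunk grants `logs:CreateLogDelivery` on `"Resource": "*"` with no `Condition` at all, whereas the parallel `TelemetryOperationsForWafLogDelivery` statement scopes the same action with `aws:CalledVia` and `aws:ResourceAccount`, and every other statement added in this hunk carries at least the `"aws:ResourceAccount": "${aws:PrincipalAccount}"` guard. Because this repository mirrors an AWS-managed policy, the text cannot be corrected here, but that asymmetry is the part of the v2 delta a consumer of this service role should look at first; the scoping the sibling statements use would be `"Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}`. The second hunk also widens `TelemetryOperationsForLogs` with five additional `logs:` actions on `"Resource": "*"`; that statement's `Condition` body lies outside the hunk, so whether it constrains the new actions cannot be confirmed from this view. The enclosing `Statement` array continues past the end of the hunk.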
