iann0036/iam-dataset

logs:CreateLogDelivery and logs:DeleteLogDelivery missing

Opened this issue · 1 comment

Hi,

Thank you for this tool, but I have found some undetected actions.

When creating VPC flow logs and probably other logs, the action logs:CreateLogDelivery is needed. To delete it, logs:DeleteLogDelivery is needed:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

Hey @danygielow,

Thanks for raising!

This is a pretty interesting find. I played around with a bunch of the services in the table you linked with an explicit deny on logs:CreateLogDelivery and was able to ignore the documented requirements, except for VPC flow logs. I was also able to create and delete log groups with an explicit deny on logs:DeleteLogDelivery.

I've added the requirement for logs:CreateLogDelivery on EC2.CreateFlowLogs for now, but this probably needs a little more research. It'll propagate to permissions.cloud within 24 hours, and I'll have it in iamlive in a few days.
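A way to check an identity policy against the full action set discussed in this thread (ec2:CreateFlowLogs plus logs:CreateLogDelivery, and the delete counterpart), written as an added example for this issue; it is not code from the iam-dataset project, from permissions.cloud or from iamlive. The evaluator is a deliberately simplified model of IAM identity-policy logic (an explicit Deny beats any Allow, an Allow must be explicit, anything else is an implicit deny). It assumes Resource is `*` and there are no Conditions, SCPs, permission boundaries or resource policies, and the `REQUIRED_ACTIONS` map is a hand-written stand-in for the dataset, not its real format. The sample policies are constructed; the second one reproduces the "explicit deny on logs:CreateLogDelivery" test described in the comment above.

```python
import fnmatch
import json

# Constructed stand-in for the API-call -> required-IAM-actions mapping the
# issue is about. Assumption for this example only; not the project's data format.
REQUIRED_ACTIONS = {
    "ec2:CreateFlowLogs": ["ec2:CreateFlowLogs", "logs:CreateLogDelivery"],
    "ec2:DeleteFlowLogs": ["ec2:DeleteFlowLogs", "logs:DeleteLogDelivery"],
}


def _as_list(value):
    """IAM allows Statement/Action/NotAction as a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_action(policy, action):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action.

    Simplified identity-policy evaluation: Resource and Condition are ignored
    (assumed to be '*' / absent). Statement order does not matter because a
    matching Deny wins regardless of where it appears.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        if patterns:
            hit = any(_action_matches(p, action) for p in patterns)
        else:
            # NotAction: the statement applies to everything NOT listed.
            hit = not any(_action_matches(p, action) for p in not_patterns)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "explicitDeny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def missing_for_call(policy, api_call):
    """Map each required action the policy does NOT allow to its evaluation result.

    An empty dict means every action the API call needs is granted.
    """
    required = REQUIRED_ACTIONS.get(api_call, [api_call])
    results = {a: evaluate_action(policy, a) for a in required}
    return {a: r for a, r in results.items() if r != "allowed"}


# Constructed sample policies (not from the original page).
# 1) Only the EC2 action: the dependent logs action is never granted.
FLOW_LOGS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:CreateFlowLogs", "Resource": "*"}],
}

# 2) Broad allows plus the explicit deny used in the maintainer's experiment.
EXPLICIT_DENY_TEST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "logs:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:CreateLogDelivery", "Resource": "*"},
    ],
}

# 3) Exactly the two actions the issue says CreateFlowLogs needs.
COMPLETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "EC2:createflowlogs", "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogDelivery", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("flow-logs-only", FLOW_LOGS_ONLY),
                         ("explicit-deny-test", EXPLICIT_DENY_TEST),
                         ("complete", COMPLETE)]:
        for call in ("ec2:CreateFlowLogs", "ec2:DeleteFlowLogs"):
            print(f"{name:20} {call:22} missing={json.dumps(missing_for_call(policy, call))}")
```

The distinction between `explicitDeny` and `implicitDeny` in the output matters in practice: the first means a Deny statement must be removed, the second means an Allow must be added, and a policy linter built on the dataset would report them differently.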