Don’t miss CloudWatch log group permissions

CloudWatch log group permissions are required in order for the log groups to receive events from a sources such as Cloud Watch Event rule. these permissions are added automatically when you create log groups using AWS Console.

However when we use terraform to automate the process, these permissions should be added separately otherwise your log groups will not work.

Lets look into a use case of creating guard duty CloudWatch event rule and then create a CW Log group and then add CloudWatch log group as a target of the event rule. following is a CloudWatch terraform example

Refer to AWS documentation to lean more about Log groups

Lets look into a Cloud Watch log group Terraform example to understand the CloudWatch log group permissions better.

Step #1: Create Cloud Watch event rule for Guard Duty high severity findings

resource "aws_cloudwatch_event_rule" "guardduty_event_rule" {
  name        = "Name of event rule"
  description = "Capture GuardDuty high severity findins and trigger CW Log Group"
  tags = {
    "Name"            = "Name of event rule

  event_pattern = <<PATTERN
        ["GuardDuty Finding"],

Step #2: Create CloudWatch log group to store logs for 5 days

#create CW Log group
resource "aws_cloudwatch_log_group" "guard_duty_log_group" {
  name              = "Guard Duty findings log group name"
  #delete logs after 5 days
  retention_in_days = 5
  tags = {
    "Name"            = "Guard Duty findings log group name"

Step #3: Add CW event Target

#add CW Log group to store logs.
resource "aws_cloudwatch_event_target" "cw_target_to_cw_logs" {
  rule      =
  target_id = "SendToCWLogGroup"
  arn       = "${substr(aws_cloudwatch_log_group.guard_duty_log_group.arn,0,length(aws_cloudwatch_log_group.guard_duty_log_group.arn) - 2)}"

Step #4: Add CloudWatch log group permissions

These permissions allows CloudWatch events to create logs stream and publish events to the logs. change the resource from the policy as per your needs.

#Provides a CW events to manage a CloudWatch log resource policy
data "aws_iam_policy_document" "cw-event-log-publishing-policy" {
  statement {
    actions = [

    #resources = ["arn:aws:logs:*"]
    resources  = ["arn:aws:logs:eu-central-1:<AccountId>:log-group:/aws/events/*:*]
    principals {
      identifiers = ["", ""]
      type        = "Service"

resource "aws_cloudwatch_log_resource_policy" "cw-rule-log-publishing-policy" {
  policy_document = "${}"
  policy_name     = "cw-rule-log-publishing-policy"

Now we should see the Guard Duty events flowing into CloudWatch log groups.

This screenshot shows how your CloudWatch even should look like.

CloudWatch log group permissions

Refer to this article to learn setting up guard duty service in a multi account environment


Leave a Reply

Your email address will not be published. Required fields are marked *