Error in `aws logs put-account-policy` documentation

[garysassano]

Describe the issue

I found the following error in the documentation:

RoleArn The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream. You don’t need to provide the ARN when you are working with a logical destination for cross-account delivery.

The following sentence isn't fully true: you DO require a RoleArn for cross-account delivery when the logical destination was created with an organization access policy, otherwise you'll get the following error:

An error occurred (InvalidParameterException) when calling the PutAccountPolicy operation: Role ARN is required when creating subscription filter against destination with Organization access policy.

Links

https://docs.aws.amazon.com/cli/latest/reference/logs/put-account-policy.html

[garysassano]

I want to add that, in my view, the current RoleArn description is not clear at all. I was following this guide step for creating the role, and I simply could not understand it.

This is the IAM policy document:

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": "logs:PutLogEvents", 
            "Resource": "arn:aws:logs:region:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*" 
        } 
    ] 
}

Essentially, this grants the CloudWatch Logs service principal (logs.amazonaws.com) permission to write to a specific log group. That does not make sense to me for several reasons:

1. The permission should apply to the entire account, since we are working with account-level subscription filters, not a single log group.

2. The AWS CLI docs states that the RoleArn grants CloudWatch Logs permissions to deliver ingested log events to the destination stream, but that seems inaccurate. The policy document above actually grants CloudWatch Logs permission to write to a log group, which I don't see how is any useful in this context. Why would a service try to write to itself?

[adev-code]

Hello @garysassano , thanks for reaching out. I have replicated the same issue where I got the same error : An error occurred (InvalidParameterException) when calling the PutAccountPolicy operation: Role ARN is required when creating subscription filter against destination with Organization access policy.. Then adding the Role ARN and it worked. The documentation reflects the CloudWatch Logs Service Model and I have reached out to the team for updating the model and the document. I have also forwarded your question to the team in regards to the doc. If there are any updates, I will let you know. Thanks

For Internal Tracking: P242743771

[garysassano]

@adev-code Thanks for the response. The policy requirement still doesn't make much logical sense to me. Interestingly, @aidansteele had the same question a few years ago, which he pointed out in this blog post.

Resources:
  LogPusherRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref LogPusherRoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: logs.amazonaws.com
      Policies:
        - PolicyName: PutLogEvents
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: logs:PutLogEvents
                Resource: "*"
                # why does it need this permission? not sure. it's what the docs 
                # say and i haven't yet tested if it works without it. 
                # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateSubscriptionFilter-IAMrole.html