Tutorial / Cram Notes
Access permissions play a critical role in defining who can view, create, edit, and delete logs within the AWS ecosystem. These permissions are vital for maintaining the security and integrity of log data, which records the events, decisions, and actions taken with respect to resources in an AWS account. For the AWS Certified Security – Specialty (SCS-C02) exam, candidates must understand these permissions in the context of AWS Identity and Access Management (IAM) and logging services like Amazon CloudWatch Logs and AWS CloudTrail.
Amazon CloudWatch Logs Permissions
Amazon CloudWatch Logs lets you monitor, store, and access log data. When considering access permissions for logging within CloudWatch, you must understand the following actions and their required permissions:
- logs:CreateLogGroup: Required to create a new log group.
- logs:CreateLogStream: Required to create a log stream in the specified log group.
- logs:PutLogEvents: Allows writing log events to the specified log stream.
- logs:DescribeLogStreams: Grants permission to list the log streams in a log group.
- logs:GetLogEvents: Permits the retrieval of log events from the specified log stream.
The first three are the write side (what an agent, a Lambda function or an EC2 instance needs); the last two are the read side. CreateLogGroup and DescribeLogStreams are evaluated against the log-group ARN, while CreateLogStream, PutLogEvents and GetLogEvents are evaluated against the log-stream ARN, which matters when you scope the Resource element.
Here is an example of an IAM identity policy that grants the write-side logging actions for a single log group. Because log streams are sub-resources of the log group, logs:CreateLogStream and logs:PutLogEvents are authorized against the log-stream ARN (log-group:log-group-name:log-stream:stream-name). A Resource naming only the bare log-group ARN would allow logs:CreateLogGroup but silently fail the other two, so the policy also lists the log-group ARN with the :* suffix, which is also the form in which DescribeLogGroups reports a log group's ARN:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:account-id:log-group:log-group-name",
        "arn:aws:logs:region:account-id:log-group:log-group-name:*"
      ]
    }
  ]
}
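To make the resource-scoping point concrete, here is an added example (not code from the original page) that evaluates the page's three write actions offline against two variants of the policy: one whose Resource is the bare log-group ARN and one that also lists the log-group ARN with the :* suffix. The region, account ID, log group and log stream names are constructed; the evaluator implements IAM's wildcard matching and explicit-deny-wins rule but ignores Condition, NotAction, NotResource and Principal.

```python
"""Offline evaluator for the Action/Resource part of an IAM identity policy.

Added example, not code from the original page. It implements IAM's
wildcard matching ('*' any run of characters, '?' one character; action
names case-insensitive, ARNs case-sensitive) and the explicit-deny-wins
rule, and ignores Condition, NotAction, NotResource and Principal.
"""
import json
import re


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _glob_to_regex(pattern: str, case_insensitive: bool) -> re.Pattern:
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE if case_insensitive else 0)


def _matches(patterns, value: str, case_insensitive: bool) -> bool:
    return any(_glob_to_regex(p, case_insensitive).match(value) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are out of scope here
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny overrides every Allow
        decision = "Allow"
    return decision


# Constructed identifiers for the demonstration.
REGION, ACCOUNT, GROUP = "us-east-1", "111122223333", "/app/web"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{GROUP}"
# PutLogEvents and CreateLogStream are authorized against the log-stream ARN,
# which is the log-group ARN followed by ":log-stream:<name>".
STREAM_ARN = f"{LOG_GROUP_ARN}:log-stream:i-0123456789abcdef0"


def write_policy(resource) -> dict:
    """The page's three write actions, with the Resource under test."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": resource,
        }],
    }


BARE_POLICY = write_policy(LOG_GROUP_ARN)                            # log-group ARN only
SCOPED_POLICY = write_policy([LOG_GROUP_ARN, LOG_GROUP_ARN + ":*"])  # group plus its streams


def compare() -> dict:
    """Evaluate representative requests against both policies."""
    requests = {
        "CreateLogGroup": ("logs:CreateLogGroup", LOG_GROUP_ARN),
        "PutLogEvents": ("logs:PutLogEvents", STREAM_ARN),
        "DeleteLogGroup": ("logs:DeleteLogGroup", LOG_GROUP_ARN),  # never granted
    }
    return {
        name: {label: evaluate(pol, act, res) for label, (act, res) in requests.items()}
        for name, pol in (("bare", BARE_POLICY), ("scoped", SCOPED_POLICY))
    }


if __name__ == "__main__":
    print(json.dumps(compare(), indent=2))
```

Running it shows the bare policy allowing CreateLogGroup but implicitly denying PutLogEvents on the stream, while the scoped policy allows both and still denies DeleteLogGroup. In a real account the same question is answered by the IAM policy simulator (iam:SimulatePrincipalPolicy), which also takes conditions into account.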
AWS CloudTrail Permissions
AWS CloudTrail is another service that is instrumental in logging API calls and related events. To properly configure logging and maintain the log files, certain permissions are required.
For instance, to manage CloudTrail logging, consider the following actions:
- cloudtrail:CreateTrail: Required to create a new trail.
- cloudtrail:UpdateTrail: Required to change an existing trail's settings, such as enabling log file validation or making it a multi-region trail.
- cloudtrail:StartLogging: Necessary to start the recording of AWS API calls and related events.
- cloudtrail:StopLogging: Allows stopping the recording of API calls and related events. Treat it, together with cloudtrail:DeleteTrail and cloudtrail:UpdateTrail, as a sensitive action: a principal holding it can blind your audit trail, so grant it narrowly and alert on its use.
- cloudtrail:PutEventSelectors: Permits the specification of which management and data events will be recorded by your trail.
Here's an example IAM policy that provides the CloudTrail permissions to create and manage one named trail. These actions support resource-level permissions, so the Resource is the trail ARN rather than "*" (which also works, but would let the principal stop or reconfigure every trail in the account):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:region:account-id:trail/trail-name"
    }
  ]
}
Creating a trail also touches other services: the creator needs enough S3 access to attach or verify the destination bucket policy, and iam:PassRole for the delivery role if the trail is configured to send events to CloudWatch Logs.
S3 Bucket Permissions for Logging
When CloudTrail logs are delivered to an S3 bucket, the correct S3 bucket permissions need to be in place. CloudTrail acts as a service principal here, so these permissions are granted in the bucket policy, not in an IAM identity policy:
- s3:GetBucketAcl: Lets CloudTrail check the bucket before it starts delivering; CreateTrail fails with an insufficient-bucket-policy error if this is missing.
- s3:PutObject: Allows the uploading of log files, scoped to the AWSLogs/account-id/ prefix under which CloudTrail writes.
- The s3:x-amz-acl condition: CloudTrail sets the bucket-owner-full-control ACL on each object it writes through the PutObject request header, and the bucket policy should require that value. A separate s3:PutObjectAcl grant is not needed.
Here is the bucket policy CloudTrail needs in order to write into a bucket. The principal is the service, and both statements carry an aws:SourceArn condition naming the trail so that a trail in someone else's account cannot be pointed at your bucket (the confused-deputy problem):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:region:account-id:trail/trail-name"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/AWSLogs/account-id/*",
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control",
        "aws:SourceArn": "arn:aws:cloudtrail:region:account-id:trail/trail-name"
      }}
    }
  ]
}
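Bucket policies for log destinations are worth auditing mechanically, because a missing condition or an over-wide Resource is easy to miss by eye. The following added example (not code from the original page) checks a CloudTrail bucket policy document for the GetBucketAcl and conditioned PutObject grants CloudTrail needs, for the aws:SourceArn condition, and for grants to anonymous principals; it runs a constructed weak policy and a constructed hardened one through the check. The bucket, account ID and trail name are made up for the demonstration.

```python
"""Audit an S3 bucket policy that receives CloudTrail log files.

Added example, not code from the original page. It checks for the two
statements CloudTrail needs (GetBucketAcl on the bucket, PutObject under
AWSLogs/<account>/ conditioned on bucket-owner-full-control), for the
aws:SourceArn condition, and for grants to anonymous principals.
"""
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_services(stmt) -> set:
    """Service principals named by a statement; '*' marks an anonymous grant."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    services = set(_as_list(principal.get("Service", [])))
    if "*" in _as_list(principal.get("AWS", [])):
        services.add("*")
    return services

def _condition(stmt, operator: str, key: str):
    return stmt.get("Condition", {}).get(operator, {}).get(key)

def audit_cloudtrail_bucket_policy(policy: dict, bucket: str, account: str, trail_arn: str) -> list:
    """Return a list of findings; an empty list means the policy has the expected shape."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    write_prefix = f"{bucket_arn}/AWSLogs/{account}/*"
    findings, acl_ok, write_ok = [], False, False
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        services = _principal_services(stmt)
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in services:
            findings.append(f"anonymous principal allowed {sorted(actions)} on {sorted(resources)}")
            continue
        if CLOUDTRAIL not in services:
            continue
        if _condition(stmt, "StringEquals", "aws:SourceArn") != trail_arn:
            findings.append(f"CloudTrail grant for {sorted(actions)} lacks aws:SourceArn == {trail_arn}")
        if "s3:getbucketacl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:putobject" in actions:
            wider = resources - {write_prefix}  # anything beyond the AWSLogs/<account>/ prefix
            acl_value = _condition(stmt, "StringEquals", "s3:x-amz-acl")
            if wider:
                findings.append(f"PutObject grant wider than {write_prefix}: {sorted(wider)}")
            if acl_value != "bucket-owner-full-control":
                findings.append("PutObject grant does not require the bucket-owner-full-control ACL")
            if not wider and acl_value == "bucket-owner-full-control":
                write_ok = True
    if not acl_ok:
        findings.append(f"missing: s3:GetBucketAcl for {CLOUDTRAIL} on {bucket_arn}")
    if not write_ok:
        findings.append(f"missing: conditioned s3:PutObject for {CLOUDTRAIL} on {write_prefix}")
    return findings

# Constructed bucket, account and trail for the demonstration.
BUCKET, ACCOUNT = "example-trail-logs", "111122223333"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/management-events"

# Weak: no GetBucketAcl statement, no aws:SourceArn, PutObject on the whole
# bucket without the ACL condition, and an anonymous read grant.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Hardened: the documented two-statement CloudTrail bucket policy with aws:SourceArn.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": TRAIL_ARN}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_cloudtrail_bucket_policy(policy, BUCKET, ACCOUNT, TRAIL_ARN), indent=2))
```

The weak policy produces six findings (the anonymous read grant, the missing aws:SourceArn, the over-wide PutObject, the missing ACL condition, and the two missing CloudTrail statements); the hardened policy produces none. The check deliberately treats any Principal "*" or {"AWS": "*"} as a finding regardless of its conditions, since a log bucket should never need an anonymous grant.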
KMS Permissions for Log Encryption
If you're leveraging AWS Key Management Service (KMS) to encrypt log files, the principals that produce and read the logs also need permission to use the key:
- kms:Encrypt: Needed for direct encryption operations.
- kms:Decrypt: Required to read encrypted log files (for CloudTrail, by whoever downloads the logs from S3; CloudTrail itself never needs it).
- kms:ReEncrypt*: Allows re-encrypting ciphertext under a different key or key version without exposing the plaintext.
- kms:GenerateDataKey*: Permits the generation of data keys; this is the operation CloudTrail and S3 use to produce the per-object data key that actually encrypts each log file.
An IAM identity policy snippet granting a principal these key-usage permissions might look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:region:account-id:key/key-id"
    }
  ]
}
An identity policy is only half of the authorization: KMS also evaluates the key policy, so the key policy must allow the same principal, or delegate to IAM by granting the account root kms:* as the default key policy does. For CloudTrail the key policy additionally has to allow the service principal cloudtrail.amazonaws.com kms:GenerateDataKey* and kms:DescribeKey, normally restricted with a kms:EncryptionContext:aws:cloudtrail:arn condition that names your trails, and the decrypt grant for log readers is usually conditioned on kms:CallerAccount so that only principals in your own account can read the logs.
Understanding and properly setting up these access permissions are essential for candidates looking to pass the AWS Certified Security – Specialty (SCS-C02) exam, as it reflects a deep awareness of how to secure and manage log data, which is fundamental to maintaining AWS security posture.
Practice Test with Explanation
True or False: CloudTrail logs can be delivered to an S3 bucket without the need for proper write permissions.
- (A) True
- (B) False
Answer: B) False
Explanation: CloudTrail requires appropriate write permissions to the S3 bucket to store logs. Without write permissions, log delivery will fail.
True or False: AWS IAM users need the “logs:CreateLogStream” permission to push logs to CloudWatch Logs.
- (A) True
- (B) False
Answer: A) True
Explanation: "logs:CreateLogStream" is needed to create the log stream that events are written into. If the stream already exists, "logs:PutLogEvents" alone covers the write itself, but agents and functions generally create their own streams, so the two permissions are granted together.
Which AWS service provides access control to manage permissions for AWS resources?
- (A) Amazon EC2
- (B) Amazon S3
- (C) AWS Identity and Access Management (IAM)
- (D) AWS Shield
Answer: C) AWS Identity and Access Management (IAM)
Explanation: AWS IAM controls access to AWS resources by allowing you to define permissions and manage which actions users and roles can perform.
True or False: A user who has “ReadOnlyAccess” can modify the access permissions of CloudWatch log groups.
- (A) True
- (B) False
Answer: B) False
Explanation: The “ReadOnlyAccess” policy allows a user to view resources and configuration but does not grant permissions to modify any resources, including access permissions.
Which AWS feature enables you to centralize the control of IAM user access to AWS services and resources?
- (A) IAM Groups
- (B) IAM Policies
- (C) IAM Roles
- (D) AWS Organizations
Answer: D) AWS Organizations
Explanation: AWS Organizations centrally manages multiple AWS accounts and lets you attach service control policies (SCPs) that cap what any principal in those accounts, including IAM users, can do. Groups, policies and roles are the per-account IAM building blocks; SCPs set the organization-wide boundary within which they operate.
True or False: The "SecurityAudit" managed policy in AWS gives permissions necessary for configuring log file validation in CloudTrail.
- (A) True
- (B) False
Answer: B) False
Explanation: "SecurityAudit" is a read-only auditing policy; for CloudTrail it grants Describe*, Get*, List* and LookupEvents, which let an auditor see whether log file validation is enabled but not change it. Enabling validation is a trail setting, set through cloudtrail:CreateTrail or changed with cloudtrail:UpdateTrail (EnableLogFileValidation), and verifying delivered files against the digest files additionally needs s3:GetObject on the log bucket.
What is required to allow EC2 instances to send and retrieve log data from CloudWatch Logs?
- (A) EC2 Instance Connect
- (B) The “logs:PutLogEvents” permission
- (C) AWS Config
- (D) Amazon EC2 Auto Scaling
Answer: B) The “logs:PutLogEvents” permission
Explanation: The instance must carry an instance profile whose role is granted "logs:PutLogEvents" (together with "logs:CreateLogStream", and "logs:CreateLogGroup" if the group does not already exist) to send log data. Reading data back requires "logs:GetLogEvents" as well; none of the other options is a permission at all.
To view logs stored in an S3 bucket, what minimum permission is necessary?
- (A) s3:GetBucketLogging
- (B) s3:ListBucket
- (C) s3:GetObject
- (D) s3:PutObject
Answer: C) s3:GetObject
Explanation: The s3:GetObject permission is necessary to retrieve and view objects, including logs stored in an S3 bucket.
True or False: It is recommended to use a service-linked role with CloudTrail to ensure the necessary permissions are automatically granted.
- (A) True
- (B) False
Answer: A) True
Explanation: CloudTrail creates and uses the service-linked role AWSServiceRoleForCloudTrail (for example for organization trails), and because AWS defines and maintains its permissions you do not have to author them yourself. Note that delivery to S3, SNS and KMS does not go through that role: there CloudTrail acts as the service principal cloudtrail.amazonaws.com, and the bucket policy, topic policy and key policy must grant it access.
Which of the following permissions are necessary for managing log subscriptions in CloudWatch Logs?
- (A) logs:PutSubscriptionFilter
- (B) logs:DeleteSubscriptionFilter
- (C) logs:CreateLogGroup
- (D) logs:DescribeLogStreams
- (E) A and B only
Answer: E) A and B only
Explanation: logs:PutSubscriptionFilter creates or updates a subscription filter and logs:DeleteSubscriptionFilter removes one (logs:DescribeSubscriptionFilters lists them, and when the destination is a Kinesis or Firehose stream the caller also needs iam:PassRole for the delivery role). logs:CreateLogGroup and logs:DescribeLogStreams manage log groups and streams, not subscriptions.
True or False: To create a new KMS key to encrypt your CloudTrail logs, the “kms:CreateKey” permission is required.
- (A) True
- (B) False
Answer: A) True
Explanation: The “kms:CreateKey” permission is necessary for creating a new AWS KMS key, which can be used to encrypt CloudTrail logs.
When using AWS Config to track changes to AWS resources and configurations, which permission must a role have to record configuration changes?
- (A) config:DescribeConfigurationRecorders
- (B) config:PutConfigurationRecorder
- (C) config:StartConfigurationRecorder
- (D) All of the above
Answer: D) All of the above
Explanation: The principal that sets up recording needs config:PutConfigurationRecorder to define the recorder (plus iam:PassRole for the recorder's role), config:StartConfigurationRecorder to turn it on, and config:DescribeConfigurationRecorders to verify the result. Recording itself is then performed by AWS Config under that recorder role (or the AWSServiceRoleForConfig service-linked role), which needs read access to the resources being tracked.
Interview Questions
What permissions are needed for a user to successfully create log groups and log streams in Amazon CloudWatch Logs?
To create log groups and log streams in Amazon CloudWatch Logs, a user needs the logs:CreateLogGroup and logs:CreateLogStream permissions. These permissions allow the user to set up the necessary log infrastructure to capture and store logs.
In AWS, which IAM permission allows a user to write log events to the designated log stream?
The logs:PutLogEvents permission is required for a user to write log events to a specified log stream in AWS. This enables the system or user to send logs to CloudWatch Logs for monitoring and analysis.
Describe the necessary permissions for configuring AWS CloudTrail to deliver logs to an S3 bucket.
Two sets of permissions are involved. The person or pipeline configuring the trail needs cloudtrail:CreateTrail and cloudtrail:UpdateTrail to create or modify the trail, plus s3:PutBucketPolicy on the bucket if it is also attaching the bucket policy. CloudTrail itself (the service principal cloudtrail.amazonaws.com) must be granted, in the bucket policy, s3:GetBucketAcl on the bucket and s3:PutObject on the AWSLogs/account-id/ prefix with the s3:x-amz-acl condition set to bucket-owner-full-control; s3:PutBucketAcl is not required. Without the bucket-policy grants, CreateTrail fails with an insufficient bucket policy error and no log files are delivered.
Which IAM permissions are required for a service to push logs to a CloudWatch Logs group?
A service or entity needs the logs:CreateLogStream and logs:PutLogEvents permissions to send logs to a CloudWatch Logs group. The service would first need to create a log stream (if it does not exist) and then put log events into that stream.
What is the minimum permission required for a user to be able to list all CloudWatch log groups in an AWS account?
The logs:DescribeLogGroups permission is required to list all CloudWatch log groups in an AWS account. This permission allows a user to view the log groups but not modify them.
For a user to delete log groups and log streams in CloudWatch Logs, what permissions do they need?
A user requires the logs:DeleteLogGroup and logs:DeleteLogStream permissions to delete log groups and log streams in CloudWatch Logs. These permissions provide the ability to clean up logs and manage the logging infrastructure efficiently.
Which role must an AWS Lambda function assume to successfully write execution logs to Amazon CloudWatch Logs?
An AWS Lambda function must assume an execution role with the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions to write its execution logs to Amazon CloudWatch Logs. This is typically provided by attaching the AWS managed policy AWSLambdaBasicExecutionRole to the Lambda execution role.
If an EC2 instance needs to send logs to CloudWatch Logs, what instance profile permissions are required?
An EC2 instance requires an instance profile with a role that has the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions attached to it. This allows the instance to create the necessary resources in CloudWatch and send logs to them. The CloudWatch agent also calls logs:DescribeLogGroups and logs:DescribeLogStreams, which is why the AWS managed CloudWatchAgentServerPolicy includes those as well.
What permissions are necessary for an IAM user to modify the retention policy of a CloudWatch Logs log group?
The logs:PutRetentionPolicy permission is required for an IAM user to modify the retention policy of a CloudWatch Logs log group. This permission allows the user to change how long logs are kept before they are automatically deleted.
What permission does a user need to set up an AWS CloudTrail trail that applies to all regions in an account?
The IAM action is the same as for a single-region trail: cloudtrail:CreateTrail (or cloudtrail:UpdateTrail to convert an existing trail), called with the IsMultiRegionTrail request parameter set to true; multi-region is a property of the API call, not a separate permission. The user also needs the S3 permissions to attach or verify the bucket policy on the bucket that will receive logs from every region, and if notifications are configured the topic policy must grant sns:Publish to cloudtrail.amazonaws.com.
Which permissions are required for an IAM role that a third-party application uses to access log files within a specific S3 bucket?
The IAM role for a third-party application will typically need s3:ListBucket to list the objects in the bucket and s3:GetObject to read the log files, plus kms:Decrypt on the key if the log files are encrypted with SSE-KMS. If the application also needs to update or delete logs, then s3:PutObject and s3:DeleteObject permissions would also be required; for an audit-log bucket those should normally be withheld so that the reader cannot tamper with the record.
How do you ensure that only specific resources, such as EC2 instances with a particular tag, have the permission to write to a CloudWatch Logs log group?
An EC2 instance writes to CloudWatch Logs with the credentials of its instance profile role, so the control point is the identity policy on that role, not a resource policy on the log group (CloudWatch Logs resource policies are for service principals such as Route 53 or EventBridge). Give the tagged fleet its own role whose policy allows logs:CreateLogStream and logs:PutLogEvents only on the intended log group ARN (with the :* suffix so the streams are covered). To tie the grant to tags, use the aws:ResourceTag/tag-key condition key to restrict which log groups the role may write to (these are the log group's tags, not the instance's), aws:PrincipalTag/tag-key to restrict by tags on the role itself, or ec2:SourceInstanceARN to restrict to specific instances; the instance's own EC2 tags are not available as a condition on a CloudWatch Logs request.
Great post! Understanding access permissions for logging is critical for AWS security.
Can someone explain what specific IAM policies are needed for enabling CloudTrail logging?
Appreciate the detailed breakdown on permissions!
This is very helpful! Especially when studying for the AWS Certified Security Specialty exam.
What about CloudWatch Logs? Any specific IAM policies needed there?
Thanks for the insights! This cleared up a lot of my confusion.
Does anyone have tips on how to audit AWS permissions effectively?
Could be better organized, but useful content.