AWS IAM policy template • CloudWatch Logs

CloudWatch Logs Write (Scoped Log Group)

Write application logs to one specific log group — for services that are not Lambda (ECS, EC2, self-managed).

Policy

Replace the placeholders in the ARNs (REGION, ACCOUNT_ID, YOUR-SERVICE, YOUR-LOG-GROUP) with your real values before use. The log group name is the full path after log-group:, including the leading slash.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteToOneLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/YOUR-SERVICE/YOUR-LOG-GROUP:*"
    },
    {
      "Sid": "CreateLogGroupOnce",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/YOUR-SERVICE/YOUR-LOG-GROUP"
    }
  ]
}

Why it's scoped this way

  • logs:CreateLogGroup targets the log group ARN without the trailing :*, while CreateLogStream and PutLogEvents get the :* form. CloudWatch Logs publishes both shapes for a group (DescribeLogGroups returns the :* form as arn and the bare form as logGroupArn), and AWS's own write policies use the :* form for the stream-level actions because that is what those calls operate on. Keep the two shapes distinct as shown: a mismatched resource shape passes policy validation and only surfaces as an AccessDeniedException when the application makes the call.
  • No logs:DeleteLogGroup or logs:PutRetentionPolicy — this role can produce logs but cannot delete evidence or shorten retention to hide activity, which matters for any role handling security-relevant events.
  • Scoped to one log group path, not log-group:*, so a compromised credential with this policy cannot write into other services' log groups. It also grants no read actions (logs:GetLogEvents, logs:FilterLogEvents, logs:DescribeLogStreams), so it cannot read logs at all, including this group's own.
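To see what the finished policy allows and refuses before touching AWS, here is an added example (not code from this page or from AWS) that fills the placeholders with constructed values and runs a small simulation of IAM's Action/Resource string matching over a set of constructed requests. The account id, region, log-group and stream names are invented; the simulator models only wildcard matching and explicit deny, none of the Condition logic, so it is a reading aid rather than a substitute for the IAM policy simulator:

```python
"""Offline check of what the scoped CloudWatch Logs policy allows.

Added example, not code from the Shieldly page or from AWS. It simulates
IAM's string matching for Action and Resource ("*" matches any run of
characters, "?" one character; actions compare case-insensitively,
resource ARNs case-sensitively). It never contacts AWS, so use it to
reason about a draft; the authoritative answer comes from IAM itself
(policy simulator, Access Analyzer).
"""
import re

# Constructed sample values standing in for the template placeholders.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
LOG_GROUP = "/payments/api"
GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}"

# The template policy with the placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteToOneLogGroup",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"{GROUP_ARN}:*",
        },
        {
            "Sid": "CreateLogGroupOnce",
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup"],
            "Resource": GROUP_ARN,
        },
    ],
}


def iam_pattern(glob: str, flags: int = 0) -> re.Pattern:
    """Translate an IAM wildcard string into an anchored regular expression."""
    parts = re.split(r"([*?])", glob)
    body = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(f"^{body}$", flags)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource) request.

    Only Action/Resource matching is modelled: no NotAction, NotResource,
    Condition keys or principal handling.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(
            iam_pattern(a, re.IGNORECASE).match(action) for a in _as_list(stmt.get("Action", []))
        )
        resource_hit = any(
            iam_pattern(r).match(resource) for r in _as_list(stmt.get("Resource", []))
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


# Constructed requests: the service's own stream, another service's stream,
# a look-alike group sharing the prefix, and the actions the template omits.
STREAM_ARN = f"{GROUP_ARN}:log-stream:ecs/api/4f2c1e9d"
OTHER_STREAM = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/billing/worker:log-stream:w1"
LOOKALIKE_STREAM = f"{GROUP_ARN}-old:log-stream:x"

CHECKS = [
    ("logs:PutLogEvents", STREAM_ARN, "Allow"),
    ("logs:CreateLogStream", STREAM_ARN, "Allow"),
    ("logs:CreateLogGroup", GROUP_ARN, "Allow"),
    ("logs:PutLogEvents", OTHER_STREAM, "ImplicitDeny"),      # other service's group
    ("logs:PutLogEvents", LOOKALIKE_STREAM, "ImplicitDeny"),  # ':' is literal, not a prefix
    ("logs:DeleteLogGroup", GROUP_ARN, "ImplicitDeny"),       # cannot destroy evidence
    ("logs:PutRetentionPolicy", GROUP_ARN, "ImplicitDeny"),   # cannot shorten retention
    ("logs:GetLogEvents", STREAM_ARN, "ImplicitDeny"),        # write-only, no read
]


def run_checks(policy: dict = POLICY) -> list:
    """Evaluate every check; each result is (action, resource, decision, matches_expected)."""
    results = []
    for action, resource, expected in CHECKS:
        decision = evaluate(policy, action, resource)
        results.append((action, resource, decision, decision == expected))
    return results


if __name__ == "__main__":
    for action, resource, decision, ok in run_checks():
        print(f"{'ok ' if ok else 'BAD'} {decision:<12} {action:<24} {resource}")
```

Run it as a script to get one line per check. The look-alike entry is the one worth noticing: because the colon before * is literal, log-group:/payments/api:* does not cover /payments/api-old, which is why a scoped path works as a boundary rather than a prefix. Swap the Resource for log-group:* and the other-service check flips to Allow, which is the loosening the analyzer at the bottom of the page is meant to catch.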

Hardening it further

  • If the log group already exists (created once via IaC), drop the CreateLogGroup statement entirely and grant only CreateLogStream + PutLogEvents.
  • Set retention on the log group via CloudFormation/CDK rather than granting logs:PutRetentionPolicy to the application role.
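Both hardening points together, as an added CloudFormation example (not the page's template and not an AWS-published one): the stack owns the log group and its retention, and the role the application runs under gets only the two stream-level write actions on that group, with no logs:CreateLogGroup and no logs:PutRetentionPolicy. The resource names, the principal (an ECS task) and the retention value are placeholders to adjust:

```yaml
# Added example, not from the Shieldly page. Placeholders: /YOUR-SERVICE/YOUR-LOG-GROUP,
# the ECS principal and the 365-day retention.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ServiceLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Retain          # deleting the stack must not erase the log history
    UpdateReplacePolicy: Retain
    Properties:
      LogGroupName: /YOUR-SERVICE/YOUR-LOG-GROUP
      RetentionInDays: 365          # retention is decided here, not by the application role

  ServiceTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: write-own-log-group
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: WriteToOneLogGroup
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                # Fn::GetAtt Arn on AWS::Logs::LogGroup returns the form with the trailing :*
                Resource: !GetAtt ServiceLogGroup.Arn
```

Which role this is depends on how logs leave the container: the ECS task role if the application writes through the SDK, the task execution role if you rely on the awslogs log driver. Because the group is created by the stack, the application must not try to create it itself; if it does, the call fails and that failure should be treated as a deployment bug, not papered over by adding CreateLogGroup back.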

Paste your finished policy into the free AI-Powered IAM analyzer to catch anything you loosened while filling it in.


Check your finished policy — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.