account_policies
Creates, updates, deletes or gets an account_policy resource or lists account_policies in a region
Overview
| Name | account_policies |
| Type | Resource |
| Description | The AWS::Logs::AccountPolicy resource specifies a CloudWatch Logs AccountPolicy. |
| Id | aws.logs.account_policies |
Fields
| Name | Datatype | Description |
|---|---|---|
account_id | string | User account id |
policy_name | string | The name of the account policy |
policy_document | string | The body of the policy document you want to use for this topic. You can only add one policy per PolicyType. The policy must be in JSON string format. Length Constraints: Maximum length of 30720 |
policy_type | string | Type of the policy. |
scope | string | Scope for policy application |
selection_criteria | string | Log group selection criteria to apply policy only to a subset of log groups. SelectionCriteria string can be up to 25KB and cloudwatchlogs determines the length of selectionCriteria by using its UTF-8 bytes |
region | string | AWS region. |
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | PolicyName, PolicyType, PolicyDocument, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all account_policies in a region.
SELECT
region,
account_id,
policy_name,
policy_document,
policy_type,
scope,
selection_criteria
FROM aws.logs.account_policies
WHERE region = 'us-east-1';
Gets all properties from an individual account_policy.
SELECT
region,
account_id,
policy_name,
policy_document,
policy_type,
scope,
selection_criteria
FROM aws.logs.account_policies
WHERE region = 'us-east-1' AND data__Identifier = '<AccountId>|<PolicyType>|<PolicyName>';
INSERT example
Use the following StackQL query and manifest file to create a new account_policy resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.logs.account_policies (
PolicyName,
PolicyDocument,
PolicyType,
region
)
SELECT
'{{ PolicyName }}',
'{{ PolicyDocument }}',
'{{ PolicyType }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.logs.account_policies (
PolicyName,
PolicyDocument,
PolicyType,
Scope,
SelectionCriteria,
region
)
SELECT
'{{ PolicyName }}',
'{{ PolicyDocument }}',
'{{ PolicyType }}',
'{{ Scope }}',
'{{ SelectionCriteria }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: account_policy
props:
- name: PolicyName
value: '{{ PolicyName }}'
- name: PolicyDocument
value: '{{ PolicyDocument }}'
- name: PolicyType
value: '{{ PolicyType }}'
- name: Scope
value: '{{ Scope }}'
- name: SelectionCriteria
value: '{{ SelectionCriteria }}'
DELETE example
/*+ delete */
DELETE FROM aws.logs.account_policies
WHERE data__Identifier = '<AccountId|PolicyType|PolicyName>'
AND region = 'us-east-1';
Permissions
To operate on the account_policies resource, the following permissions are required:
Create
logs:PutAccountPolicy,
logs:PutDataProtectionPolicy,
logs:DescribeAccountPolicies,
logs:CreateLogDelivery,
s3:REST.PUT.OBJECT,
firehose:TagDeliveryStream,
logs:PutSubscriptionFilter,
logs:DeleteSubscriptionFilter,
iam:PassRole
Read
logs:DescribeAccountPolicies
Update
logs:PutAccountPolicy,
logs:PutDataProtectionPolicy,
logs:DescribeAccountPolicies,
logs:DeleteAccountPolicy,
logs:DeleteDataProtectionPolicy,
logs:CreateLogDelivery,
logs:PutSubscriptionFilter,
logs:DeleteSubscriptionFilter,
s3:REST.PUT.OBJECT,
firehose:TagDeliveryStream,
iam:PassRole
Delete
logs:DeleteAccountPolicy,
logs:DeleteDataProtectionPolicy,
logs:DescribeAccountPolicies,
logs:DeleteSubscriptionFilter,
iam:PassRole
List
logs:DescribeAccountPolicies