AWS CloudTrail CloudWatch Logs Subscription Filter for Real-Time Processing | DOP-C01 Exam Question

IAM Permission Policy for Creating CloudWatch Logs Subscription Filter with AWS CLI


Question

You have enabled CloudTrail in your AWS account and stored the trail logs in CloudWatch Logs.

In the CloudWatch Log Group, you plan to create a new subscription filter to deliver the logs to an Amazon Kinesis stream for real-time processing.

You already have a Kinesis stream in place; its ARN is "arn:aws:kinesis:us-east-1:123456789012:stream/Test".

When you create the subscription filter with the AWS CLI ("aws logs put-subscription-filter"), you must pass an IAM role that grants CloudWatch Logs the permission it needs to write to the stream.

Which IAM permission policy should that IAM role have?

Answers

Explanations


A. B. C. D.

Correct Answer : C.

Option A is incorrect. The role used by the subscription filter must allow the "kinesis:PutRecord" action on the Kinesis stream so that CloudWatch Logs can forward the log events on your behalf. There is no need to permit "kinesis:CreateStream": the stream already exists, and granting it only widens the role's permissions for no reason.

Option B is incorrect because the policy contains no explicit Allow for "kinesis:PutRecord" on the Kinesis stream, and the "Resource" field is missing altogether (an identity-based policy statement must name a Resource or NotResource).

Option C is CORRECT because the policy grants exactly what CloudWatch Logs needs to deliver the events: "kinesis:PutRecord" on the ARN of the Kinesis stream, and nothing more.

Option D is incorrect because it is written like a resource-based policy, while the subscription filter needs an identity-based policy attached to the IAM role.

A role's permission policy has no "Principal" field (the principal that may assume the role is declared in the role's trust policy instead), and the Kinesis stream ARN belongs in the "Resource" field.

Reference:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

The correct permission policy for the IAM role used by the subscription filter that delivers CloudTrail logs to an Amazon Kinesis stream is option C.

Option A grants the role permission to create a new Kinesis stream, which is unnecessary because the stream already exists and gives the role more than it needs.

Option B denies the role permission to put records to the Kinesis stream when the source ARN does not match the specified stream ARN. That statement serves no purpose here and could block delivery of the CloudTrail events to Kinesis.

Option D grants the specified Kinesis stream, as a principal, permission to put records to the CloudWatch Logs endpoint. That is the wrong direction (CloudWatch Logs writes to the stream, not the other way round), and a role's permission policy carries no "Principal" field in any case.

Option C is therefore the policy to use. It grants the role permission to put records to the specified Kinesis stream ARN, which is exactly what delivering CloudTrail logs to the stream requires.

The IAM permission policy should look like this (the "Version" line is the standard policy-language version; without it IAM falls back to the older 2008-10-17 grammar):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kinesis:PutRecord",
      "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/Test"
    }
  ]
}
```

This policy allows the IAM role to put records to the Kinesis stream ARN given in the scenario, which is what the subscription filter needs to deliver CloudTrail logs in real time for processing. Two further points matter in practice: this is only the role's permission policy, so the role also needs a trust policy that lets the CloudWatch Logs service (logs.amazonaws.com) assume it; and the identity that runs "aws logs put-subscription-filter" must hold iam:PassRole on the role, otherwise the call is rejected even though the role itself is correct.
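As an added example that is not part of the exam page or of the AWS documentation it references, the following shell script carries the scenario through end to end: it generates the role's trust policy and the option C permission policy, runs a quick reviewer check that the permission policy has no "Principal" field and grants nothing beyond kinesis:PutRecord on the named stream, and then creates the role and the subscription filter with the AWS CLI. The stream ARN, account ID and region come from the question; the role name, log group name, filter name and the empty filter pattern are assumptions and must be adjusted to your account.

```shell
#!/bin/sh
# Added example, not from the exam page or the AWS docs. Wires the CloudWatch
# Logs group that holds CloudTrail events to an existing Kinesis stream.
set -eu

STREAM_ARN="arn:aws:kinesis:us-east-1:123456789012:stream/Test"  # from the question
ACCOUNT_ID="123456789012"                                         # from the stream ARN
REGION="us-east-1"                                                # from the stream ARN
ROLE_NAME="CWLtoKinesisRole"            # assumed role name
LOG_GROUP="CloudTrail/DefaultLogGroup"  # assumed; use the log group your trail writes to
FILTER_NAME="CloudTrailToKinesis"       # assumed filter name
FILTER_PATTERN=""                       # empty pattern forwards every event

role_arn() { printf 'arn:aws:iam::%s:role/%s\n' "$ACCOUNT_ID" "$ROLE_NAME"; }

# Trust policy: the Principal belongs here, not in the permission policy.
# The aws:SourceArn condition limits which log groups may assume the role.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "logs.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringLike": { "aws:SourceArn": "arn:aws:logs:${REGION}:${ACCOUNT_ID}:*" }
    }
  }]
}
EOF
}

# Permission policy (option C): kinesis:PutRecord on the one stream, nothing else.
permission_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "kinesis:PutRecord",
    "Resource": "${STREAM_ARN}"
  }]
}
EOF
}

# Reviewer check for a candidate permission policy read from stdin. Returns 0
# only if it is an Allow of kinesis:PutRecord on the named stream, carries no
# Principal field, names no other kinesis action, and has no "*" Resource.
check_permission_policy() {
  doc="$(cat)"
  printf '%s' "$doc" | grep -q '"Principal"' && return 1
  printf '%s' "$doc" | grep -qE '"Effect" *: *"Allow"' || return 1
  printf '%s' "$doc" | grep -q '"kinesis:PutRecord"' || return 1
  printf '%s' "$doc" | grep -qF "\"${STREAM_ARN}\"" || return 1
  printf '%s' "$doc" | grep -oE '"kinesis:[^"]*"' | grep -qv '"kinesis:PutRecord"' && return 1
  ! printf '%s' "$doc" | grep -qE '"Resource" *: *"\*"'
}

# The AWS calls. The identity running this needs iam:CreateRole, iam:PutRolePolicy
# and iam:PassRole on the role, plus logs:PutSubscriptionFilter on the log group.
create_role_and_filter() {
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name "Permissions-Policy-For-CWL" \
      --policy-document "$(permission_policy)"
  aws logs put-subscription-filter \
      --log-group-name "$LOG_GROUP" \
      --filter-name "$FILTER_NAME" \
      --filter-pattern "$FILTER_PATTERN" \
      --destination-arn "$STREAM_ARN" \
      --role-arn "$(role_arn)"
}

# Run as "./script.sh apply" to make the changes; without an argument it only
# validates the generated permission policy and prints both documents.
if [ "${1:-}" = "apply" ]; then
  permission_policy | check_permission_policy
  create_role_and_filter
else
  permission_policy | check_permission_policy
  trust_policy
  permission_policy
fi
```

The check is deliberately strict about the "Principal" field and about extra kinesis actions, because those are exactly the two mistakes the incorrect options above make; run it against any policy a colleague proposes before attaching it to the role.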