CLS Permission Overview

Last updated: 2021-10-25 15:06:10

    This document introduces the authorization policies for CLS features and corresponding management and read-only permissions. You can configure the corresponding authorization policy statements based on the CLS features to be authorized.

    Authorization Directions

    You need to perform 3 steps: use the root account (CompanyExample) to create a custom policy, grant the sub-account (Developer) all permissions for the log topic (TopicA), and then access CLS using the sub-account (Developer). The procedure for creating a custom policy using the root account is as follows:

    1. Log in to the CAM console as the root account (CompanyExample).
    2. On the left sidebar, click Policies to go to the policy management page.
    3. Click Create Custom Policy.
    4. In the pop-up window, select Create by Policy Syntax.
    5. On the Create by Policy Syntax page, select Blank Template and click Next.
    6. On the policy editing page, set the policy name and content, and click Done.
      For example, you can set the policy name to CLS-TopicA-Access. Configure the policy content by referring to the following:

    Authorization Policy Statements for Data Collection

    Authorize the minimum permission for log upload via LogListener

    {
    "version": "2.0",
    "statement": [
    {
        "action": [
           "cls:pushlog",
           "cls:listLogset",
           "cls:getConfig",
           "cls:agentHeartBeat"
       ],
        "resource": "*",
        "effect": "allow"
    }
    ]
    }
    

    Configure LogListener collection rules

    Management permission

    • Authorization for all log topics
      {
      "version": "2.0",
      "statement": [
      {
      "action": [
            "cls:DescribeLogsets",
            "cls:DescribeConfigs",
            "cls:ModifyConfig",
            "cls:DescribeIndex",
            "cls:DescribeIndex",
            "cls:ModifyIndex"
                   ],
      "resource": [
                   "*"
               ],
      "effect": "allow"
      }
      ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
           "action": [
                        "cls:DescribeLogsets",
                        "cls:DescribeConfigs",
                        "cls:ModifyConfig",
                        "cls:DescribeIndex",
                        "cls:DescribeIndex",
                        "cls:ModifyIndex"
               ],
               "resource": [
                   "*"
               ],
                "condition":{
                       "for_any_value:string_equal": {
                            "qcs:resource_tag": [
                                "key&value"
                             ]
                        }
               },
            "effect": "allow"
           }
       ]
      }
      

    Read-only permission

    • Authorization for all log topics
      {
      "version": "2.0",
      "statement": [
      {
        "action": [
            "cls:DescribeLogsets",
            "cls:DescribeConfigs",
            "cls:DescribeIndex",
            "cls:DescribeIndex"
                   ]
      "resource": [
                   "*"
               ],
      "effect": "allow"
      }
      ]
      }
      
    • Authorization for log topics with a specified tag
      {
      "version": "2.0",
      "statement": [
      {
        "effect": "allow",
        "action": [
            "cls:DescribeLogsets",
            "cls:DescribeConfigs",
            "cls:DescribeIndex",
            "cls:DescribeIndex"
                   ],
       "resource": [
                   "*"
               ],
        "condition":{
           "for_any_value:string_equal": {
              "qcs:resource_tag": [
                "key&value"
                       ]
                   }
               }   
      }
      ]
      }
      

    Authorize the minimum permission for log upload via API

    {
    "version": "2.0",
    "statement": [
        {
        "action": [
                  "cls:CreateTopic",
                  "cls:CreateLogset",
                  "cls:UploadLog",
              ],
        "resource": "*",
        "effect": "allow"
        }
    ]
    }
    

    Authorization Policy Statements for Search and Analysis

    Log search via console

    Management permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAsyncContextResult",
                   "cls:DescribeAsyncSearchResult",
                   "cls:DescribeExports",
                   "cls:DescribeIndex",
                   "cls:DescribeLatestJsonLog",
                   "cls:DescribeLogContext",
                   "cls:DescribeLogFastAnalysis",
                   "cls:DescribeLogHistogram",
                   "cls:DescribePartitions",
                   "cls:DescribeTopics",
                   "cls:GetFastAnalysis",
                   "cls:GetHistogram",
                   "cls:GetLog",
                   "cls:SearchLog",
                   "cls:ShowContext",
                   "cls:getIndex",
                   "cls:getLogset",
                   "cls:getTopic",
                   "cls:searchLog",
                   "cls:DescribeAsyncContextTasks",
                   "cls:DescribeAsyncSearchTasks",
                   "cls:DescribeLogsets",
                   "cls:listLogset",
                   "cls:listTopic",
                   "cls:listPartitions",
                   "cls:CreateAsyncContextTask",
                   "cls:CreateAsyncSearchTask",
                   "cls:CreateExport",
                   "cls:CreateIndex",
                   "cls:DeleteAsyncContextTask",
                   "cls:DeleteAsyncSearchTask",
                   "cls:DeleteExport",
                   "cls:DeleteIndex",
                   "cls:DeleteLogset",
                   "cls:DeleteTopic",
                   "cls:MergePartition",
                   "cls:ModifyIndex",
                   "cls:ModifyLogset",
                   "cls:ModifyTopic",
                   "cls:SplitPartition",
                   "cls:deleteLogset",
                   "cls:deleteTopic",
                   "cls:downloadLog",
                   "cls:modifyIndex",
                   "cls:modifyLogset",
                   "cls:modifyTopic",
                   "cls:updatePartition",
                   "cls:GetDeliverFunction",
                   "cls:CreateLogset",
                   "cls:CreateTopic",
                   "cls:createLogset",
                   "cls:createTopic"
               ],
               "resource": [
                   "*"
               ]
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      Note:

      During configuration, you also need to bind tags to log topics and logsets.

      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAsyncContextResult",
                   "cls:DescribeAsyncSearchResult",
                   "cls:DescribeExports",
                   "cls:DescribeIndex",
                   "cls:DescribeLatestJsonLog",
                   "cls:DescribeLogContext",
                   "cls:DescribeLogFastAnalysis",
                   "cls:DescribeLogHistogram",
                   "cls:DescribePartitions",
                   "cls:DescribeTopics",
                   "cls:GetFastAnalysis",
                   "cls:GetHistogram",
                   "cls:GetLog",
                   "cls:SearchLog",
                   "cls:ShowContext",
                   "cls:getIndex",
                   "cls:getLogset",
                   "cls:getTopic",
                   "cls:searchLog",
                   "cls:DescribeAsyncContextTasks",
                   "cls:DescribeAsyncSearchTasks",
                   "cls:DescribeLogsets",
                   "cls:listLogset",
                   "cls:listTopic",
                   "cls:listPartitions",
                   "cls:CreateAsyncContextTask",
                   "cls:CreateAsyncSearchTask",
                   "cls:CreateExport",
                   "cls:CreateIndex",
                   "cls:DeleteAsyncContextTask",
                   "cls:DeleteAsyncSearchTask",
                   "cls:DeleteExport",
                   "cls:DeleteIndex",
                   "cls:DeleteLogset",
                   "cls:DeleteTopic",
                   "cls:MergePartition",
                   "cls:ModifyIndex",
                   "cls:ModifyLogset",
                   "cls:ModifyTopic",
                   "cls:SplitPartition",
                   "cls:deleteLogset",
                   "cls:deleteTopic",
                   "cls:downloadLog",
                   "cls:modifyIndex",
                   "cls:modifyLogset",
                   "cls:modifyTopic",
                   "cls:updatePartition",
                   "cls:GetDeliverFunction"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "testCAM&test1"
                       ]
                   }
               }
           }
       ]
      }
      

    Read-only permission

    • Authorization for log topics with a specified tag
      Note:

      During configuration, you also need to bind tags to log topics and logsets.

      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAsyncContextResult",
                   "cls:DescribeAsyncSearchResult",
                   "cls:DescribeExports",
                   "cls:DescribeIndex",
                   "cls:DescribeLatestJsonLog",
                   "cls:DescribeLogContext",
                   "cls:DescribeLogFastAnalysis",
                   "cls:DescribeLogHistogram",
                   "cls:DescribePartitions",
                   "cls:DescribeTopics",
                   "cls:GetFastAnalysis",
                   "cls:GetHistogram",
                   "cls:GetLog",
                   "cls:SearchLog",
                   "cls:ShowContext",
                   "cls:getIndex",
                   "cls:getLogset",
                   "cls:getTopic",
                   "cls:searchLog",
                   "cls:DescribeAsyncContextTasks",
                   "cls:DescribeAsyncSearchTasks",
                   "cls:DescribeLogsets",
                   "cls:listLogset",
                   "cls:listTopic",
                   "cls:listPartitions"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           }
       ]
      }
      
    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAsyncContextResult",
                   "cls:DescribeAsyncSearchResult",
                   "cls:DescribeExports",
                   "cls:DescribeIndex",
                   "cls:DescribeLatestJsonLog",
                   "cls:DescribeLogContext",
                   "cls:DescribeLogFastAnalysis",
                   "cls:DescribeLogHistogram",
                   "cls:DescribePartitions",
                   "cls:DescribeTopics",
                   "cls:GetFastAnalysis",
                   "cls:GetHistogram",
                   "cls:GetLog",
                   "cls:SearchLog",
                   "cls:ShowContext",
                   "cls:getIndex",
                   "cls:getLogset",
                   "cls:getTopic",
                   "cls:searchLog",
                   "cls:DescribeAsyncContextTasks",
                   "cls:DescribeAsyncSearchTasks",
                   "cls:DescribeLogsets",
                   "cls:listLogset",
                   "cls:listTopic",
                   "cls:listPartitions"
               ],
               "resource": [
                   "*"
               ]
           }
       ]
      }
      

    Visual dashboard

    Management permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:GetChart",
                   "cls:GetDashboard",
                   "cls:ListChart",
                   "cls:CreateChart",
                   "cls:CreateDashboard",
                   "cls:DeleteChart",
                   "cls:DeleteDashboard",
                   "cls:ModifyChart",
                   "cls:ModifyDashboard",
                   "cls:ListDashboard"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:SearchLog",
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:GetChart",
                   "cls:GetDashboard",
                   "cls:ListChart",
                   "cls:CreateChart",
                   "cls:DeleteChart",
                   "cls:DeleteDashboard",
                   "cls:ModifyChart",
                   "cls:ModifyDashboard"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:ListDashboard"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:SearchLog",
                   "cls:DescribeTopics"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           }
       ]
      }
      

    Read-only permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:GetChart",
                   "cls:GetDashboard",
                   "cls:ListChart"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:ListDashboard"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:SearchLog",
                   "cls:DescribeTopics"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:GetChart",
                   "cls:GetDashboard",
                   "cls:ListChart"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:ListDashboard"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "cls:SearchLog",
                   "cls:DescribeTopics"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           }
       ]
      }
      

    Authorization Policy Statements for Monitoring Alarms

    Management permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeLogsets",
                   "cls:DescribeTopics"
               ],
               "resource": [
                   "*"
               ]
           },
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAlarms",
                   "cls:CreateAlarm",
                   "cls:ModifyAlarm",
                   "cls:DeleteAlarm",
                   "cls:DescribeAlarmNotices",
                   "cls:CreateAlarmNotice",
                   "cls:ModifyAlarmNotice",
                   "cls:DeleteAlarmNotice",
                   "cam:ListGroups",
                   "cam:DescribeSubAccountContacts"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeLogsets",
                   "cls:DescribeTopics"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAlarms",
                   "cls:CreateAlarm",
                   "cls:ModifyAlarm",
                   "cls:DeleteAlarm",
                   "cls:DescribeAlarmNotices",
                   "cls:CreateAlarmNotice",
                   "cls:ModifyAlarmNotice",
                   "cls:DeleteAlarmNotice",
                   "cam:ListGroups",
                   "cam:DescribeSubAccountContacts"
               ],
               "resource": "*"
           }
       ]
      }
      

    Read-only permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeLogsets",
                   "cls:DescribeTopics"
               ],
               "resource": [
                   "*"
               ]
           },
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAlarms",
                   "cls:DescribeAlarmNotices",
                   "cls:GetAlarmLog"
               ],
               "resource": [
                   "*"
               ]
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeLogsets",
                   "cls:DescribeTopics"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeAlarms",
                   "cls:DescribeAlarmNotices",
                   "cls:GetAlarmLog"
               ],
               "resource": [
                   "*"
               ]
           }
       ]
      }
      

    Authorization Policy Statements for Data Shipping

    Shipping to CKafka

    Management permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*",
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "ckafka:DescribeInstances",
                   "ckafka:DescribeTopic",
                   "ckafka:DescribeInstanceAttributes",
                   "cls:modifyConsumer",
                   "cls:getConsumer"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*",
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "age&13",
                           "name&vinson"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "ckafka:DescribeInstances",
                   "ckafka:DescribeTopic",
                   "ckafka:DescribeInstanceAttributes",
                   "cls:modifyConsumer",
                   "cls:getConsumer"
               ],
               "resource": "*"
           }
       ]
      }
      

    Read-only permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "ckafka:DescribeInstances",
                   "ckafka:DescribeTopic",
                   "ckafka:DescribeInstanceAttributes",
                   "cls:getConsumer"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*",
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "ckafka:DescribeInstances",
                   "ckafka:DescribeTopic",
                   "ckafka:DescribeInstanceAttributes",
                   "cls:getConsumer"
               ],
               "resource": "*"
           }
       ]
      }
      

    Shipping to COS

    Management permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets",
                   "cls:DescribeIndex"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cls:CreateShipper",
                   "cls:ModifyShipper",
                   "cls:DescribeShippers",
                   "cls:DeleteShipper",
                   "cls:DescribeShipperTasks",
                   "cls:RetryShipperTask",
                   "cam:ListAttachedRolePolicies",
                   "cos:GetService",
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets",
                   "cls:DescribeIndex"
               ],
               "resource": "*", 
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cls:CreateShipper",
                   "cls:ModifyShipper",
                   "cls:DescribeShippers",
                   "cls:DeleteShipper",
                   "cls:DescribeShipperTasks",
                   "cls:RetryShipperTask",
                   "cam:ListAttachedRolePolicies",
                   "cos:GetService",
               ],
               "resource": "*"
           }
       ]
      }
      

    Read-only permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"            ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cls:DescribeShippers",
                   "cls:DescribeShipperTasks",
                   "cls:RetryShipperTask",
                   "cam:ListAttachedRolePolicies"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"            ],
               "resource": "*",
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cls:DescribeShippers",
                   "cls:DescribeShipperTasks",
                   "cls:RetryShipperTask",
                   "cam:ListAttachedRolePolicies"
               ],
               "resource": "*"
           }
       ]
      }
      

    Shipping to SCF

    Management permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "cls:CreateDeliverFunction",
                   "cls:DeleteDeliverFunction",
                   "cls:ModifyDeliverFunction",
                   "cls:GetDeliverFunction",
                   "scf:ListFunctions",
                   "scf:ListAliases",
                   "scf:ListVersionByFunction"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*",
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "cls:CreateDeliverFunction",
                   "cls:DeleteDeliverFunction",
                   "cls:ModifyDeliverFunction",
                   "cls:GetDeliverFunction",
                   "scf:ListFunctions",
                   "scf:ListAliases",
                   "scf:ListVersionByFunction"
               ],
               "resource": "*"
           }
       ]
      }
      

    Read-only permission

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*"
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "cls:GetDeliverFunction",
                   "scf:ListFunctions",
                   "scf:ListAliases",
                   "scf:ListVersionByFunction"
               ],
               "resource": "*"
           }
       ]
      }
      
    • Authorization for log topics with a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:DescribeTopics",
                   "cls:DescribeLogsets"
               ],
               "resource": "*",
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "key&value"
                       ]
                   }
               }
           },
           {
               "effect": "allow",
               "action": [
                   "tag:DescribeResourceTagsByResourceIds",
                   "tag:DescribeTagKeys",
                   "tag:DescribeTagValues",
                   "cam:ListAttachedRolePolicies",
                   "cls:GetDeliverFunction",
                   "scf:ListFunctions",
                   "scf:ListAliases",
                   "scf:ListVersionByFunction"
               ],
               "resource": "*"
           }
       ]
      }
      

    Authorization Policy Statements for Developers

    Permission to display on Grafana

    • Authorization for all log topics
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:searchLog"
               ],
               "resource": [
                   "*"
               ]
           }
       ]
      }
      
    • Authorization for log topics of a specified tag
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "cls:searchLog"
               ],
               "resource": [
                   "*"
               ],
               "condition":{
                   "for_any_value:string_equal": {
                       "qcs:resource_tag": [
                           "testCAM&test1"
                       ]
                   }
               }
           }
       ]
      }