Block all requests to cloudwatch logs rather than resource filtering when deny is enabled.

trajano · trajano · commit 928ce49798a8 · 2025-05-08T15:04:40.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,8 @@
 # Change Log
 
+## 7.1.12
+* Block all requests to cloudwatch logs rather than resource filtering when deny is enabled.
+
 ## 7.1.11
 * Ignore specific tag changes
 
diff --git a/iam-swarm.tf b/iam-swarm.tf
@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "deny-put-log-events" {
   statement {
     effect    = "Deny"
     actions   = ["logs:PutLogEvents"]
-    resources = ["arn:aws:logs:::log-group:${local.dns_name}:log-stream:*"]
+    resources = ["*"]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "deny-put-log-events" {`
`61`	`61`	`statement {`
`62`	`62`	`effect = "Deny"`
`63`	`63`	`actions = ["logs:PutLogEvents"]`
`64`		`- resources = ["arn:aws:logs:::log-group:${local.dns_name}:log-stream:*"]`
	`64`	`+ resources = ["*"]`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`