...
To log to AWS CloudWatch Logs, you need to create an IAM role that grants the Circulation Manager application the following AWS IAM actions:
- logs:PutLogEvents
- logs:DescribeLogStreams
If you want the application to be able to create the log group and streams for you, it also needs the following AWS IAM actions:
- logs:CreateLogGroup
- logs:CreateLogStream
Sample IAM Policy
To support these actions, you should add a policy for the IAM Role. It will have the following attributes as a minimum:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
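The sample policy's Resource is a wildcard pattern. The following is an added example, not part of the original documentation or the Circulation Manager code: it builds the same policy limited to a single log group and flags resource patterns that are not pinned to one. The function names, the region, the placeholder account id and the log group name `circulation-manager` are assumptions made for illustration.

```python
import json

# Action tiers as listed on this page.
REQUIRED_ACTIONS = ["logs:PutLogEvents", "logs:DescribeLogStreams"]
CREATE_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream"]


def build_logging_policy(region, account_id, log_group, allow_create=False):
    """Return an IAM policy dict limited to one CloudWatch Logs log group."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    actions = (CREATE_ACTIONS if allow_create else []) + REQUIRED_ACTIONS
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            # The log group itself, plus everything under it (its log streams).
            "Resource": [group_arn, group_arn + ":*"],
        }],
    }


def unscoped_resources(policy):
    """List Allow resources not pinned to a region, account and log group."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            # Expected fields: arn:partition:logs:region:account:log-group:name[:...]
            parts = arn.split(":", 6)
            name = parts[6].split(":")[0] if len(parts) == 7 else ""
            pinned = (len(parts) == 7 and parts[5] == "log-group"
                      and all(p and "*" not in p for p in parts[3:5] + [name]))
            if not pinned:
                findings.append(arn)
    return findings


if __name__ == "__main__":
    # Constructed sample values: placeholder account id, hypothetical log group.
    policy = build_logging_policy("us-east-1", "123456789012", "circulation-manager")
    print(json.dumps(policy, indent=2))
    print("unscoped resources:", unscoped_resources(policy))
```

Pass `allow_create=True` only if the application should create the log group and streams itself; otherwise create them ahead of time and grant just the two required actions.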
Authentication with the AWS CloudWatch service is handled through the Boto3 library. There are a number of ways to configure the credentials so that the instance has access to CloudWatch Logs. These options are documented in the Boto3 Credentials Documentation. If you are running the Circulation Manager in AWS, the best practice is to configure logging to use an Instance IAM Role.
...