AccountPolicy

The AccountPolicy resource allows you to manage AWS Logs account policies for your AWS account. An account policy is applied account-wide rather than per log group, so the `PolicyDocument` you attach controls access to log data across all of the AWS services that write to CloudWatch Logs.

Create a basic account policy with the essential properties: a policy type, a policy name, and a JSON-encoded policy document.

```ts
import AWS from "alchemy/aws/control";

const basicAccountPolicy = await AWS.Logs.AccountPolicy("basicAccountPolicy", {
  PolicyType: "CLOUDWATCH_LOGS",
  PolicyName: "BasicLoggingPolicy",
  // PolicyDocument is a string, so the IAM-style document is serialized here.
  PolicyDocument: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "logs:CreateLogGroup",
      Resource: "*"
    }]
  })
});
```

Configure an account policy with the additional `Scope` and `SelectionCriteria` options, which narrow where the policy applies.

```ts
import AWS from "alchemy/aws/control";

const advancedAccountPolicy = await AWS.Logs.AccountPolicy("advancedAccountPolicy", {
  PolicyType: "CLOUDWATCH_LOGS",
  PolicyName: "AdvancedLoggingPolicy",
  Scope: "Organization",
  SelectionCriteria: "Region = 'us-west-2'",
  // This document grants every logs action on every resource; the Scope and
  // SelectionCriteria above are what limit its reach.
  PolicyDocument: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "logs:*",
      Resource: "*"
    }]
  })
});
```

Create a policy whose statement carries a `Condition`, so the grant only applies to principals from a specific account ID.

```ts
import AWS from "alchemy/aws/control";

const restrictedAccountPolicy = await AWS.Logs.AccountPolicy("restrictedAccountPolicy", {
  PolicyType: "CLOUDWATCH_LOGS",
  PolicyName: "RestrictedLoggingPolicy",
  PolicyDocument: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "logs:DescribeLogGroups",
      Resource: "*",
      // Only principals in account 123456789012 match this statement.
      Condition: {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    }]
  })
});
```

Adopt an existing account policy instead of failing if one with the same name already exists.

```ts
import AWS from "alchemy/aws/control";

const adoptExistingPolicy = await AWS.Logs.AccountPolicy("adoptExistingPolicy", {
  PolicyType: "CLOUDWATCH_LOGS",
  PolicyName: "AdoptedLoggingPolicy",
  PolicyDocument: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "logs:PutLogEvents",
      Resource: "*"
    }]
  }),
  // Take ownership of an existing policy rather than erroring on create.
  adopt: true
});
```
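Because `PolicyDocument` is just a serialized string, nothing in the resource itself stops a broad grant like the `logs:*` on `*` statement above from being applied account-wide. The following is an added example, not Alchemy's own code, that builds the document string and audits it for wildcard actions and unconditioned `Resource: "*"` grants before it is handed to `AWS.Logs.AccountPolicy`; the `buildPolicyDocument` and `auditPolicyDocument` names and the `Statement` shape are assumptions of this example.

```typescript
// Added example, not part of Alchemy: construct and audit the PolicyDocument
// string that AWS.Logs.AccountPolicy expects (names and types are assumptions).

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};

type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Serialize statements exactly as the page's examples do with JSON.stringify.
function buildPolicyDocument(statements: Statement[]): string {
  const doc: PolicyDocument = { Version: "2012-10-17", Statement: statements };
  return JSON.stringify(doc);
}

// Return one finding per Allow statement that uses a wildcard action, or that
// grants Resource "*" with no Condition (as in the "logs:*" example above).
function auditPolicyDocument(policyJson: string): string[] {
  const doc = JSON.parse(policyJson) as PolicyDocument;
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    const unconditioned = !s.Condition || Object.keys(s.Condition).length === 0;
    if (actions.some((a) => a.includes("*"))) {
      findings.push(`statement ${i}: wildcard action ${actions.join(",")}`);
    }
    if (unconditioned && resources.includes("*")) {
      findings.push(`statement ${i}: Resource "*" with no Condition`);
    }
  });
  return findings;
}

// Constructed sample: the broad document from the advanced example, audited
// before it would be passed as PolicyDocument.
const broad = buildPolicyDocument([{ Effect: "Allow", Action: "logs:*", Resource: "*" }]);
console.log(auditPolicyDocument(broad));
```

Gate the resource creation on an empty findings list, or on a reviewed allow-list, so an account-wide policy is never applied with a grant nobody intended.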