logs:PutLogEvents
Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.
Policies (any)
126
Allow (Action)
125
Deny (Action)
1
NotAction
3
Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).
Action reference
SAR-style (unofficial)Service: Amazon CloudWatch Logs
Access level
WriteDescription
Grants permission to upload a batch of log events to the specified log stream
Resource types
- log-stream*
Allow (Action)
- AWSAppSyncPushToCloudWatchLogs
- AWSApplicationMigrationNetworkMigrationMultiAccount
- AWSBatchServiceRole
- AWSChatbotServiceLinkedRolePolicy
- AWSCloudFrontLogger
- AWSConfigServiceRolePolicy
- AWSControlTowerCloudTrailRolePolicy
- AWSControlTowerServiceRolePolicy
- AWSDataSyncDiscoveryServiceRolePolicy
- AWSDataSyncServiceRolePolicy
- AWSDeepLensLambdaFunctionAccessPolicy
- AWSDeepRacerRoboMakerAccessPolicy
- AWSDeepRacerServiceRolePolicy
- AWSDiscoveryContinuousExportFirehosePolicy
- AWSElasticBeanstalkCustomPlatformforEC2Role
- AWSElasticBeanstalkEnhancedHealth
- AWSElasticBeanstalkServiceRolePolicy
- AWSElasticBeanstalkWebTier
- AWSElasticBeanstalkWorkerTier
- AWSGlueDataBrewServiceRole
- AWSGlueServiceRole
- AWSIoTLogging
- AWSIoTManagedIntegrationsRolePolicy
- AWSIoTWirelessLogging
- AWSLambdaBasicDurableExecutionRolePolicy
- AWSLambdaBasicExecutionRole
- AWSLambdaDynamoDBExecutionRole
- AWSLambdaKinesisExecutionRole
- AWSLambdaMSKExecutionRole
- AWSLambdaSQSQueueExecutionRole
- AWSLambdaVPCAccessExecutionRole
- AWSMediaTailorServiceRolePolicy
- AWSObservabilityAdminLogsCentralizationServiceRolePolicy
- AWSOpsWorksCloudWatchLogs
- AWSPanoramaApplianceRolePolicy
- AWSPanoramaApplianceServiceRolePolicy
- AWSPanoramaGreengrassGroupRolePolicy
- AWSProtonCodeBuildProvisioningBasicAccess
- AWSQuickSetupPatchPolicyPermissionsBoundary
- AWSServiceRoleForImageBuilder
- AWSServiceRoleForIoTSiteWise
- AWSServiceRoleForNeptuneGraphPolicy
- AWSThinkboxAWSPortalGatewayPolicy
- AWSThinkboxAWSPortalWorkerPolicy
- AWSThinkboxDeadlineResourceTrackerAccessPolicy
- AWSTransferLoggingAccess
- AWS_ConfigRole
- AdministratorAccess-Amplify
- AlexaForBusinessGatewayExecution
- AmazonAPIGatewayPushToCloudWatchLogs
- AmazonApplicationWizardFullaccess
- AmazonBedrockStudioPermissionsBoundary
- AmazonBraketFullAccess
- AmazonBraketJobsExecutionPolicy
- AmazonBraketServiceRolePolicy
- AmazonConnectServiceLinkedRolePolicy
- AmazonDMSCloudWatchLogsRole
- AmazonDataZoneEnvironmentRolePermissionsBoundary
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- AmazonEC2ContainerServiceforEC2Role
- AmazonEC2RolePolicyForApplicationWizard
- AmazonEC2RolePolicyForLaunchWizard
- AmazonEC2RoleforSSM
- AmazonECSServiceRolePolicy
- AmazonECSTaskExecutionRolePolicy
- AmazonEKSLocalOutpostClusterPolicy
- AmazonEKSServicePolicy
- AmazonEKSServiceRolePolicy
- AmazonElasticFileSystemsUtils
- AmazonFSxFullAccess
- AmazonFSxServiceRolePolicy
- AmazonGuardDutyMalwareProtectionServiceRolePolicy
- AmazonLaunchWizardFullAccessV2
- AmazonLaunchWizardFullaccess
- AmazonLaunchWizard_Fullaccess
- AmazonMQServiceRolePolicy
- AmazonMacieServiceRolePolicy
- AmazonManagedBlockchainServiceRolePolicy
- AmazonRDSBetaServiceRolePolicy
- AmazonRDSCustomInstanceProfileRolePolicy
- AmazonRDSEnhancedMonitoringRole
- AmazonRDSPreviewServiceRolePolicy
- AmazonRDSServiceRolePolicy
- AmazonRedshiftAllCommandsFullAccess
- AmazonRedshiftServiceLinkedRolePolicy
- AmazonS3ObjectLambdaExecutionRolePolicy
- AmazonSNSRole
- AmazonSageMakerCanvasDataPrepFullAccess
- AmazonSageMakerCanvasFullAccess
- AmazonSageMakerClusterInstanceRolePolicy
- AmazonSageMakerFullAccess
- AmazonSageMakerGroundTruthExecution
- AmazonSageMakerHyperPodInferenceAccess
- AmazonSageMakerHyperPodServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
- AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
- AmazonSecurityLakeMetastoreManager
- AmazonWorkMailEventsServiceRolePolicy
- AppRunnerServiceRolePolicy
- AppStudioServiceRolePolicy
- AwsGlueSessionUserRestrictedNotebookServiceRole
- AwsGlueSessionUserRestrictedServiceRole
- BatchServiceRolePolicy
- ClientVPNServiceRolePolicy
- CloudHSMServiceRolePolicy
- CloudWatchAgentAdminPolicy
- CloudWatchAgentServerPolicy
- CloudWatchInternetMonitorServiceRolePolicy
- CloudWatchLambdaApplicationSignalsExecutionRolePolicy
- CloudWatchLambdaInsightsExecutionRolePolicy
- CloudWatchLogsAPIKeyAccess
- DatabaseAdministrator
- EC2InstanceProfileForImageBuilder
- EC2InstanceProfileForImageBuilderECRContainerBuilds
- GameLiftContainerFleetPolicy
- MediaPackageServiceRolePolicy
- MonitronServiceRolePolicy
- QBusinessServiceRolePolicy
- SageMakerStudioAdminIAMDefaultExecutionPolicy
- SageMakerStudioProjectRoleMachineLearningPolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- SageMakerStudioUserIAMDefaultExecutionPolicy
Deny (Action)
Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.
Definitions bundle generated 4/7/2026, 3:29:24 AM