@shinyaz

AWS Security Agent service role requires CloudWatch Logs permission (undocumented)


Ran start-pentest-job for Security Agent and the PREFLIGHT step immediately failed. Checking batch-get-pentest-jobs revealed:

Output
{
  "code": "CLIENT_ERROR",
  "message": "Log group creation failed: An error occurred (AccessDeniedException) when calling the CreateLogGroup operation: User: arn:aws:sts::123456789012:assumed-role/SecurityAgentPentestRole/securityagent is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-1:123456789012:log-group:/aws/securityagent/... because no identity-based policy allows the logs:CreateLogGroup action"
}

The service role needs CloudWatch Logs permissions. The official documentation doesn't mention this requirement (as of April 2026).

Terminal
aws iam put-role-policy \
  --role-name SecurityAgentPentestRole \
  --policy-name SecurityAgentLogsAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:ap-northeast-1:123456789012:log-group:/aws/securityagent/*"
    }]
  }'

After adding the permission, re-running the pentest passed PREFLIGHT successfully. It is easy to remember the VPC access policies (needed for ENI creation) but easy to forget the log permissions.
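A local preflight check for this gap, written as an added example (not code from the post or from AWS): it builds the same inline policy shown above and evaluates, offline and with IAM-style wildcard matching, whether a set of policy documents grants the three logs actions on a Security Agent log group and log stream. The region and account ID are the placeholders from the error message, the ENI-only "before" policy is a constructed sample, and the evaluator deliberately ignores Condition, NotAction and NotResource statements, so it complements rather than replaces the real IAM policy simulator.

```python
"""Offline check that a service role's policies cover the CloudWatch Logs
actions Security Agent's PREFLIGHT step needs (added example, not the post's
own code). Wildcard handling follows IAM: '*' matches any run of characters,
'?' exactly one, action names compare case-insensitively."""
import fnmatch
import json

# Placeholder region and account ID taken from the post's error message.
REGION = "ap-northeast-1"
ACCOUNT = "123456789012"

# The actions named in the post's AccessDeniedException and its fix.
REQUIRED_LOGS_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def logs_policy_document(region=REGION, account=ACCOUNT):
    """The inline policy from the post, scoped to the Security Agent log groups."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(REQUIRED_LOGS_ACTIONS),
            "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/securityagent/*",
        }],
    }


# Constructed sample: a role that only carries VPC/ENI permissions (the ones the
# post says are easy to remember) and nothing for CloudWatch Logs.
ENI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                   "ec2:DeleteNetworkInterface"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, candidate):
    """IAM-style glob: '*' and '?' are wildcards, '[' is a literal (escape it for fnmatch)."""
    return fnmatch.fnmatchcase(candidate, pattern.replace("[", "[[]"))


def allowed(policies, action, resource):
    """True if some Allow statement matches action+resource and no Deny statement does."""
    allow = deny = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if "NotAction" in stmt or "NotResource" in stmt or "Condition" in stmt:
                continue  # simplified evaluator: these forms yield no decision here
            act_ok = any(_iam_match(p.lower(), action.lower()) for p in _as_list(stmt.get("Action", [])))
            res_ok = any(_iam_match(p, resource) for p in _as_list(stmt.get("Resource", [])))
            if act_ok and res_ok:
                if stmt.get("Effect") == "Deny":
                    deny = True
                elif stmt.get("Effect") == "Allow":
                    allow = True
    return allow and not deny


def missing_logs_permissions(policies, log_group="/aws/securityagent/example", stream="preflight"):
    """Return the required logs actions that the given policies do not grant.

    CreateLogGroup is checked on the log-group ARN; CreateLogStream and
    PutLogEvents on a log-stream ARN beneath it, which the post's
    'log-group:/aws/securityagent/*' resource pattern also covers."""
    group_arn = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{log_group}"
    stream_arn = f"{group_arn}:log-stream:{stream}"
    targets = {
        "logs:CreateLogGroup": group_arn,
        "logs:CreateLogStream": stream_arn,
        "logs:PutLogEvents": stream_arn,
    }
    return [act for act, res in targets.items() if not allowed(policies, act, res)]


if __name__ == "__main__":
    print("missing before fix:", missing_logs_permissions([ENI_ONLY_POLICY]))
    print("missing after fix: ", missing_logs_permissions([ENI_ONLY_POLICY, logs_policy_document()]))
    print(json.dumps(logs_policy_document(), indent=2))
```

Feeding the role's actual inline and attached policy documents (for example, the output of `aws iam get-role-policy`) to `missing_logs_permissions` before calling `start-pentest-job` reports the logs actions that would fail in PREFLIGHT; an empty list means the documented policy plus the one above cover them.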


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.