aws-iam-and-cloudwatch-logs-start-query

User with accountId: 123456791011 is not authorized to perform StartQuery

Example iam policy for querying cloudwatch logs (that one works):

  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:StartQuery",
            "Resource": "arn:aws:logs:us-east-1:123456791011:log-group:hairy-log-group-name:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:GetQueryResults",
                "logs:StopQuery"
            ],
            "Resource": "*"
        }
    ]
}

The above error you get when you try the log-group arn without the `:*` at the end.

You need the `:*` behind the log-group for some reason, probably because the log-streams also participate in the resource permission thing or something.

This was kind of hard to figure out, no examples on the official websites and you think you do it right from reading the documentation.