Guide on how we leverage IAM Permissions
sts:AssumeRole is mandatory.
The IAM Role on your end will also need the following Trust Relationship Policy,
allowing one of our workload IAM Users to assume this role:
Principal > AWS > ARN is a reference to our Workload AWS Account, and CavokOrganizationId is a reference to your Organization number with us.

sts:ExternalId is an AWS best practice that requires us to confirm a mutually known piece of information (but not a secret) in order to request temporary credentials at every SDK interaction.

"Resource": "arn:aws:logs:*:*:log-group:/cavok/*"
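
The following check is an added example, not part of the original guide or the vendor's code: it audits a role's Trust Relationship Policy for the two properties described above, a single trusted Principal > AWS ARN and an exact-match sts:ExternalId condition. The ARN and organization number are constructed placeholders, and using the organization number as the external ID value is an assumption.

```python
import json

# Constructed placeholders: the real workload ARN and organization number come from the vendor.
VENDOR_ARN = "arn:aws:iam::111122223333:user/example-workload"
ORG_ID = "example-org-0000"

def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, vendor_arn, external_id):
    """Return findings for a role trust policy; an empty list means it passes."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"
              and "sts:assumerole" in [a.lower() for a in _as_list(s.get("Action", []))]]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    findings = []
    for stmt in allows:
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in arns:
            findings.append("wildcard principal: any AWS account can assume the role")
        elif vendor_arn not in arns:
            findings.append("vendor principal is not trusted by this statement")
        extra = [a for a in arns if a not in (vendor_arn, "*")]
        if extra:
            findings.append(f"unexpected principals trusted: {extra}")
        # Condition key names are case-insensitive; require an exact-match operator.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        pinned = equals.get("sts:externalid")
        if pinned is None:
            findings.append("no StringEquals condition on sts:ExternalId")
        elif _as_list(pinned) != [external_id]:
            findings.append("sts:ExternalId does not match the agreed value")
    return findings

def make_policy(principal, condition=None):
    """Build a constructed sample trust policy for the demo below."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

GOOD = make_policy({"AWS": VENDOR_ARN}, {"StringEquals": {"sts:ExternalId": ORG_ID}})
NO_EXTERNAL_ID = make_policy({"AWS": VENDOR_ARN})
WILDCARD = make_policy({"AWS": "*"}, {"StringLike": {"sts:ExternalId": "*"}})

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no-external-id", NO_EXTERNAL_ID), ("wildcard", WILDCARD)]:
        print(name, audit_trust_policy(doc, VENDOR_ARN, ORG_ID) or "OK")
```

An empty result means the policy trusts only the expected principal and pins the external ID; a policy exported with `aws iam get-role` can be passed in as its JSON string.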