Extending the S3 output requires PutObject on * Resources, this post is created for other people to setup the IAM policy for S3 output plugin.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LogstashPutObject",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybucket/*"
},
{
"Sid": "LogstashDeleteTestObject",
"Effect": "Allow",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::mybucket/logstash-programmatic-access-test-object-*"
}
]
}
The plugin simply requires the PutObject permission on the whole bucket to work. However, this will leave a "programmatic access test objects" on the bucket every time Logstash starts. Including the DeleteObject permission will solve the issue.