Status: IN
CloudTrail requires only two CloudWatch Logs permissions to deliver events: `logs:CreateLogStream` and `logs:PutLogEvents` — notably not `logs:CreateLogGroup`.
Source: entries/2026/03/12/awscloudtrail-latest-userguide-cloudtrail-required-policy-for-cloudwatch-logshtm.md
JSON