AWS AmazonCloudWatch medium security documentation change
Summary
Added security requirement for CloudWatch Logs Insights queries requiring both 'logs:StartQuery' and 'logs:GetQueryResults' permissions starting July 2025
Security assessment
Explicitly addresses security by tightening permission requirements for query access, preventing unauthorized viewing of query results. Directly modifies authorization controls.
Diff
diff --git a/AmazonCloudWatch/latest/logs/AnalyzingLogData.md index d75f8ee74..84fbff3ec 100644 --- a/AmazonCloudWatch/latest/logs/AnalyzingLogData.md +++ b/AmazonCloudWatch/latest/logs/AnalyzingLogData.md @@ -21,0 +22,8 @@ With OpenSearch PPL you can retrieve, query, and analyze data by using commands +###### Important + +To enhance security for CloudWatch Logs Insights queries, beginning on July 31, 2025 users must be signed on with both the `logs:StartQuery` and `logs:GetQueryResults` permissions to be able to run queries in the CloudWatch console. After this date, users who don't have both of these permissions won't be able to view query results in the console, and will instead see a banner message when attempting to view query results in the console. + +After the change, the required console experience permissions will be consistent with the current required permissions for SDK and AWS CLI users who use the StartQuery and GetQueryResults APIs. + +For information about how to create IAM policies or to add permissions to existing policies, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and [Edit IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html) in the IAM User Guide. +