AWS AmazonCloudWatch documentation change
Summary
Replaced inline JSON policy definitions with links to AWS Managed Policy Reference Guide and added 'cloudwatch:GenerateQueryResultsSummary' permission to managed policies
Security assessment
The changes remove verbose policy JSONs in favor of centralized references and add a new query summary permission. While permissions changes can impact security posture, there is no evidence this addresses a vulnerability. The update appears to document a new feature capability rather than fix a security issue.
Diff
diff --git a/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md b/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md index c5117590a..74df35eb7 100644 --- a//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md +++ b//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md @@ -5 +5 @@ -Permissions required to use the CloudWatch consoleAWS managed (predefined) policies for CloudWatch LogsPolicy updatesCustomer managed policy examplesUse tagging and IAM policies for control at the log group level +Permissions required to use the CloudWatch consoleAWS managed (predefined) policies for CloudWatch Logs @@ -201,262 +201 @@ The following AWS managed policies, which you can attach to users and roles in y -The **CloudWatchLogsFullAccess** policy grants full access to CloudWatch Logs. The policy includes the `cloudwatch:GenerateQuery` permission, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. It includes permissions for Amazon OpenSearch Service and IAM to enable CloudWatch Logs integration with OpenSearch Service for some features. The full contents are as follows: - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "CloudWatchLogsFullAccess", - "Effect": "Allow", - "Action": [ - "logs:*", - "cloudwatch:GenerateQuery", - "opensearch:ApplicationAccessAll", - "iam:ListRoles", - "iam:ListUsers", - "aoss:BatchGetCollection", - "aoss:BatchGetLifecyclePolicy", - "es:ListApplications" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchLogsOpenSearchCreateServiceLinkedAccess", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "opensearchservice.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/*/AWSServiceRoleForAmazonOpenSearchServerless", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "observability.aoss.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchLogsCollectionRequestAccess", - "Effect": "Allow", - "Action": [ - "aoss:CreateCollection" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/CloudWatchOpenSearchIntegration": [ - "Dashboards" - ] - }, - "ForAllValues:StringEquals": { - "aws:TagKeys": "CloudWatchOpenSearchIntegration" - } - } - }, - { - "Sid": "CloudWatchLogsApplicationRequestAccess", - "Effect": "Allow", - "Action": [ - "es:CreateApplication" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/OpenSearchIntegration": [ - "Dashboards" - ] - }, - "ForAllValues:StringEquals": { - "aws:TagKeys": "OpenSearchIntegration" - } - } - }, - { - "Sid": "CloudWatchLogsCollectionResourceAccess", - "Effect": "Allow", - "Action": [ - "aoss:DeleteCollection" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ - "Dashboards" - ] - } - } - }, - { - "Sid": "CloudWatchLogsApplicationResourceAccess", - "Effect": "Allow", - "Action": [ - "es:UpdateApplication", - "es:GetApplication" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/OpenSearchIntegration": [ - "Dashboards" - ] - } - } - }, - { - "Sid": "CloudWatchLogsCollectionPolicyAccess", - "Effect": "Allow", - "Action": [ - "aoss:CreateSecurityPolicy", - "aoss:CreateAccessPolicy", - "aoss:DeleteAccessPolicy", - "aoss:DeleteSecurityPolicy", - "aoss:GetAccessPolicy", - "aoss:GetSecurityPolicy", - "aoss:APIAccessAll" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "aoss:collection": "logs-collection-*" - } - } - }, - { - "Sid": "CloudWatchLogsIndexPolicyAccess", - "Effect": "Allow", - "Action": [ - "aoss:CreateAccessPolicy", - "aoss:DeleteAccessPolicy", - "aoss:GetAccessPolicy", - "aoss:CreateLifecyclePolicy", - "aoss:DeleteLifecyclePolicy" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "aoss:index": "logs-collection-*" - } - } - }, - { - "Sid": "CloudWatchLogsStartDirectQueryAccess", - "Effect": "Allow", - "Action": [ - "opensearch:StartDirectQuery" - ], - "Resource": "arn:aws:opensearch:*:*:datasource/logs_datasource_*" - }, - { - "Sid": "CloudWatchLogsDQSRequestQueryAccess", - "Effect": "Allow", - "Action": [ - "es:AddDirectQueryDataSource" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/CloudWatchOpenSearchIntegration": [ - "Dashboards" - ] - }, - "ForAllValues:StringEquals": { - "aws:TagKeys": "CloudWatchOpenSearchIntegration" - } - } - }, - { - "Sid": "CloudWatchLogsDQSResourceQueryAccess", - "Effect": "Allow", - "Action": [ - "es:GetDirectQueryDataSource", - "es:DeleteDirectQueryDataSource" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ - "Dashboards" - ] - } - } - },