AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-07-18 · Documentation medium

File: AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.md

Summary

Added X-Ray trace delivery documentation and Amazon Bedrock AgentCore log support

Security assessment

Introduces X-Ray resource policy requirements and IAM permissions for secure log delivery configuration

Diff

diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.md b/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.md
index c29da08bb..07076f44e 100644
--- a//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.md
+++ b//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.md
@@ -22,0 +23 @@ Log source | Log type | CloudWatch Logs | Amazon S3 | Firehose
+[Amazon Bedrock AgentCore](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-genesis.html) | Vended logs | Supported [V2 Permissions] | Supported [V2 Permissions] | Supported [V2 Permissions]  
@@ -364 +365 @@ This service-linked role also has a trust policy that allows the `delivery.logs.
-Some AWS services use a new method to send their logs. This is a flexible method that enables you to set up log delivery from these services to one or more of the following destinations: CloudWatch Logs, Amazon S3, or Firehose.
+Some AWS services use a new method to send their logs. This is a flexible method that enables you to set up log delivery from these services to one or more of the following destinations: CloudWatch Logs, Amazon S3, or Firehose and X-Ray for trace delivery.
@@ -414,0 +416,2 @@ It is your responsibility to remove log delivery resources after deleting the lo
+  * [Traces sent to X-Ray](./AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-V2-XRayTraces)
+
@@ -759,0 +763,102 @@ This service-linked role also has a trust policy that allows the `delivery.logs.
+### Traces sent to X-Ray
+
+**User permissions**
+
+To enable sending traces to AWS X-Ray, you must be signed in with the following permissions.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "ReadWriteAccessForLogDeliveryActions",
+                "Effect": "Allow",
+                "Action": [
+                    "logs:GetDelivery",
+                    "logs:GetDeliverySource",
+                    "logs:PutDeliveryDestination",
+                    "logs:GetDeliveryDestinationPolicy",
+                    "logs:DeleteDeliverySource",
+                    "logs:PutDeliveryDestinationPolicy",
+                    "logs:CreateDelivery",
+                    "logs:GetDeliveryDestination",
+                    "logs:PutDeliverySource",
+                    "logs:DeleteDeliveryDestination",
+                    "logs:DeleteDeliveryDestinationPolicy",
+                    "logs:DeleteDelivery",
+                    "logs:UpdateDeliveryConfiguration"
+                ],
+                "Resource": [
+                    "arn:aws:logs:region:account-id:delivery:*",
+                    "arn:aws:logs:region:account-id:delivery-source:*",
+                    "arn:aws:logs:region:account-id:delivery-destination:*"
+                ]
+            },
+            {
+                "Sid": "ListAccessForLogDeliveryActions",
+                "Effect": "Allow",
+                "Action": [
+                    "logs:DescribeDeliveryDestinations",
+                    "logs:DescribeDeliverySources",
+                    "logs:DescribeDeliveries",
+                    "logs:DescribeConfigurationTemplates"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "AllowUpdatesToResourcePolicyXRay",
+                "Effect": "Allow",
+                "Action": [
+                    "xray:PutResourcePolicy",
+                    "xray:ListResourcePolicies"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
+**X-Ray resource policy**
+
+The destination account where the traces are being sent must have a resource policy that includes certain permissions. When X-Ray does not currently have a resource policy, and the user setting up the tracing has `xray:PutResourcePolicy` and `xray:ListResourcePolicies` permissions in the account, AWS will automatically create the following policy when you begin sending traces to X-Ray.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AWSLogDeliveryWrite20150319",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "delivery.logs.amazonaws.com"
+                    ]
+                },
+                "Action": [
+                    "xray:PutTraceSegments"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:SourceAccount": [
+                            "0123456789"
+                        ]
+                    },
+                    "ArnLike": {
+                        "aws:SourceArn": [
+                            "arn:aws:logs:us-east-1:0123456789:delivery-source:my-delivery-source"
+                        ]
+                    },
+                    "ForAllValues:ArnLike": {
+                        "logs:LogGeneratingResourceArns": [
+                            "arn:aws:bedrock-agentcore:us-east-1:0123456789:memory/memory-4o2x4O8dp9"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+
+**Enable transaction search**
+
+To enable sending traces to X-Ray, you must enable [transaction search](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Enable-Lambda-TransactionSearch.html).
+