AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-07-19 · Documentation low

File: cli/latest/reference/logs/put-account-policy.md

Summary

Added documentation for metric extraction policies, including policy behavior, selection criteria rules, and warnings about disabling EMF metrics. Updated supported policy types and permissions.

Security assessment

The changes introduce documentation for a new security control (metric extraction policies) that allows restricting CloudWatch Metrics creation via EMF. While it adds security documentation, there is no evidence of addressing an existing vulnerability. The warnings about accidental feature disablement highlight operational risks but not security flaws.

Diff

diff --git a/cli/latest/reference/logs/put-account-policy.md b/cli/latest/reference/logs/put-account-policy.md
index db936c64a..1520ef558 100644
--- a//cli/latest/reference/logs/put-account-policy.md
+++ b//cli/latest/reference/logs/put-account-policy.md
@@ -15 +15 @@
-  * [AWS CLI 2.27.54 Command Reference](../../index.html) »
+  * [AWS CLI 2.27.55 Command Reference](../../index.html) »
@@ -59 +59 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Creates an account-level data protection policy, subscription filter policy, or field index policy that applies to all log groups or a subset of log groups in the account.
+Creates an account-level data protection policy, subscription filter policy, field index policy, transformer policy, or metric extraction policy that applies to all log groups or a subset of log groups in the account.
@@ -66,0 +67 @@ To use this operation, you must be signed on with the correct permissions depend
+  * To create a metric extraction policy, you must have the `logs:PutMetricExtractionPolicy` and `logs:PutAccountPolicy` permissions.
@@ -134,0 +136,29 @@ If you want to create a field index policy for a single log group, you can use [
+> **Metric extraction policy**
+
+A metric extraction policy controls whether CloudWatch Metrics can be created through the Embedded Metrics Format (EMF) for log groups in your account. By default, EMF metric creation is enabled for all log groups. You can use metric extraction policies to disable EMF metric creation for your entire account or specific log groups.
+
+When a policy disables EMF metric creation for a log group, log events in the EMF format are still ingested, but no CloudWatch Metrics are created from them.
+
+### Warning
+
+Creating a policy disables metrics for AWS features that use EMF to create metrics, such as CloudWatch Container Insights and CloudWatch Application Signals. To prevent turning off those features by accident, we recommend that you exclude the underlying log-groups through a selection-criteria such as `LogGroupNamePrefix NOT IN ["/aws/containerinsights", "/aws/ecs/containerinsights", "/aws/application-signals/data"]` .
+
+Each account can have either one account-level metric extraction policy that applies to all log groups, or up to 5 policies that are each scoped to a subset of log groups with the `selectionCriteria` parameter. The selection criteria supports filtering by `LogGroupName` and `LogGroupNamePrefix` using the operators `IN` and `NOT IN` . You can specify up to 50 values in each `IN` or `NOT IN` list.
+
+The selection criteria can be specified in these formats:
+
+> `LogGroupName IN ["log-group-1", "log-group-2"]`
+> 
+> `LogGroupNamePrefix NOT IN ["/aws/prefix1", "/aws/prefix2"]`
+
+If you have multiple account-level metric extraction policies with selection criteria, no two of them can have overlapping criteria. For example, if you have one policy with selection criteria `LogGroupNamePrefix IN ["my-log"]` , you can’t have another metric extraction policy with selection criteria `LogGroupNamePrefix IN ["/my-log-prod"]` or `LogGroupNamePrefix IN ["/my-logging"]` , as the set of log groups matching these prefixes would be a subset of the log groups matching the first policy’s prefix, creating an overlap.
+
+When using `NOT IN` , only one policy with this operator is allowed per account.
+
+When combining policies with `IN` and `NOT IN` operators, the overlap check ensures that policies don’t have conflicting effects. Two policies with `IN` and `NOT IN` operators do not overlap if and only if every value in the `IN` policy is completely contained within some value in the `NOT IN` policy. For example:
+
+  * If you have a `NOT IN` policy for prefix `"/aws/lambda"` , you can create an `IN` policy for the exact log group name `"/aws/lambda/function1"` because the set of log groups matching `"/aws/lambda/function1"` is a subset of the log groups matching `"/aws/lambda"` .
+  * If you have a `NOT IN` policy for prefix `"/aws/lambda"` , you cannot create an `IN` policy for prefix `"/aws"` because the set of log groups matching `"/aws"` is not a subset of the log groups matching `"/aws/lambda"` .
+
+
+
@@ -239,0 +270 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/logs-2
+>   * `METRIC_EXTRACTION_POLICY`
@@ -257 +288 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/logs-2
-> Specifing `selectionCriteria` is valid only when you specify `SUBSCRIPTION_FILTER_POLICY` , `FIELD_INDEX_POLICY` or `TRANSFORMER_POLICY` for `policyType` .
+> Specifying `selectionCriteria` is valid only when you specify `SUBSCRIPTION_FILTER_POLICY` , `FIELD_INDEX_POLICY` or `TRANSFORMER_POLICY` for `policyType` .
@@ -410 +441 @@ accountPolicy -> (structure)
-  * [AWS CLI 2.27.54 Command Reference](../../index.html) »
+  * [AWS CLI 2.27.55 Command Reference](../../index.html) »