AWS cli documentation change
Summary
Clarified IAM policy limitations for tag management, explicitly stating that `aws:Resource/key-name` and `aws:TagKeys` cannot restrict tag assignments.
Security assessment
This update clarifies security-related IAM policy constraints for tag management but does not address a specific security vulnerability. It improves documentation accuracy for access control mechanisms without fixing an existing issue.
Diff
diff --git a/cli/latest/reference/logs/untag-log-group.md b/cli/latest/reference/logs/untag-log-group.md index fe03b9204..8fab0e79b 100644 --- a//cli/latest/reference/logs/untag-log-group.md +++ b//cli/latest/reference/logs/untag-log-group.md @@ -13 +13 @@ - * [AWS CLI 2.27.54 Command Reference](../../index.html) » + * [AWS CLI 2.27.55 Command Reference](../../index.html) » @@ -58 +58 @@ To list the tags for a log group, use [ListTagsForResource](https://docs.aws.ama -CloudWatch Logs doesn’t support IAM policies that prevent users from assigning specified tags to log groups using the `aws:Resource/*key-name* `` or ``aws:TagKeys` condition keys. +When using IAM policies to control tag management for CloudWatch Logs log groups, the condition keys `aws:Resource/key-name` and `aws:TagKeys` cannot be used to restrict which tags users can assign. @@ -212 +212 @@ None - * [AWS CLI 2.27.54 Command Reference](../../index.html) » + * [AWS CLI 2.27.55 Command Reference](../../index.html) »