AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-07-19 · Documentation low

File: cli/latest/reference/logs/untag-log-group.md

Summary

Clarified IAM policy limitations for tag management, explicitly stating that `aws:Resource/key-name` and `aws:TagKeys` cannot restrict tag assignments.

Security assessment

This update clarifies security-related IAM policy constraints for tag management but does not address a specific security vulnerability. It improves documentation accuracy for access control mechanisms without fixing an existing issue.

Diff

diff --git a/cli/latest/reference/logs/untag-log-group.md b/cli/latest/reference/logs/untag-log-group.md
index fe03b9204..8fab0e79b 100644
--- a//cli/latest/reference/logs/untag-log-group.md
+++ b//cli/latest/reference/logs/untag-log-group.md
@@ -13 +13 @@
-  * [AWS CLI 2.27.54 Command Reference](../../index.html) »
+  * [AWS CLI 2.27.55 Command Reference](../../index.html) »
@@ -58 +58 @@ To list the tags for a log group, use [ListTagsForResource](https://docs.aws.ama
-CloudWatch Logs doesn’t support IAM policies that prevent users from assigning specified tags to log groups using the `aws:Resource/*key-name* `` or ``aws:TagKeys` condition keys.
+When using IAM policies to control tag management for CloudWatch Logs log groups, the condition keys `aws:Resource/key-name` and `aws:TagKeys` cannot be used to restrict which tags users can assign.
@@ -212 +212 @@ None
-  * [AWS CLI 2.27.54 Command Reference](../../index.html) »
+  * [AWS CLI 2.27.55 Command Reference](../../index.html) »