AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-08-28 · Documentation low

File: AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-service-specific.md

Summary

Simplified service-specific log delivery policy example and added Amazon SES reference

Security assessment

Updates documentation for log delivery authorization policies with a concrete example (Amazon SES). Enhances security documentation but doesn't address a specific vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-service-specific.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-service-specific.md
index 5213aa101..c0531b3a1 100644
--- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-service-specific.md
+++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-service-specific.md
@@ -7,23 +7 @@
-In addition to the destination-specific permissions listed in the previous sections, some services require explicit authorization that customers are allowed to send logs from their resources, as an additional layer of security. It authorizes the `AllowVendedLogDeliveryForResource` action for resources that vend logs within that service. For these services, use the following policy and replace `service` and `resource-type` with the appropriate values. For the service-specific values for these fields, see those services' documentation page for vended logs. 
-
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "ServiceLevelAccessForLogDelivery",
-                "Effect": "Allow",
-                "Action": [
-                    "service:AllowVendedLogDeliveryForResource"
-                ],
-                "Resource": "arn:aws:CloudWatch Logs:us-east-1:123456789012:resource-type/*"
-            }
-        ]
-    }
-    
+In addition to the destination-specific permissions listed in the previous sections, some services require explicit authorization that customers are allowed to send logs from their resources, as an additional layer of security. It authorizes the `AllowVendedLogDeliveryForResource` action for resources that vend logs within that service. For these services, use the following policy and replace `service` and `resource-type` with the appropriate values. For the service-specific values for these fields, see those services' documentation page for vended logs. In the following example, the policy has been updated to enable vended logs from Amazon SES.