AWS Security ChangesHomeSearch

AWS AmazonCloudWatch high security documentation change

Service: AmazonCloudWatch · 2025-08-28 · Security-related high

File: AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md

Summary

Removed a specific cross-account subscription filter policy example

Security assessment

The deleted policy granted logs:PutSubscriptionFilter permissions across accounts. Removal suggests this example might have contained overly broad resource definitions ('*' in ARNs) that could enable unintended cross-account access if implemented.

Diff

diff --git a/AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md b/AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md
index e56e751e3..ee221c645 100644
--- a//AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md
+++ b//AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md
@@ -57,22 +56,0 @@ The following policy provides permissions to create a subscription filter only o
-JSON
-    
-
-****
-    
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "Allow subscription filters on one specific resource in one specific account",
-                "Effect": "Allow",
-                "Action": "logs:PutSubscriptionFilter",
-                "Resource": [
-                    "arn:aws:logs:*:*:log-group:*",
-                    "arn:aws:logs:*:123456789012:destination:sampleDestination"
-                ]
-            }
-        ]
-    }
-    
-