AWS AmazonCloudWatch high security documentation change
Summary
Removed a specific cross-account subscription filter policy example
Security assessment
The deleted policy granted logs:PutSubscriptionFilter permissions across accounts. Removal suggests this example might have contained overly broad resource definitions ('*' in ARNs) that could enable unintended cross-account access if implemented.
Diff
diff --git a/AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md b/AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md index e56e751e3..ee221c645 100644 --- a//AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md +++ b//AmazonCloudWatch/latest/logs/Subscription-Filter-CrossAccount-Permissions.md @@ -57,22 +56,0 @@ The following policy provides permissions to create a subscription filter only o -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Allow subscription filters on one specific resource in one specific account", - "Effect": "Allow", - "Action": "logs:PutSubscriptionFilter", - "Resource": [ - "arn:aws:logs:*:*:log-group:*", - "arn:aws:logs:*:123456789012:destination:sampleDestination" - ] - } - ] - } - -