AWS opensearch-service medium security documentation change
Summary
Removed CloudWatch Logs permissions policy example with wildcard resource (*)
Security assessment
The deleted example used Resource: * for CloudWatch Logs permissions, which violates least privilege. Removal prevents users from adopting over-permissive configurations.
Diff
diff --git a/opensearch-service/latest/developerguide/monitoring-pipeline-logs.md b/opensearch-service/latest/developerguide/monitoring-pipeline-logs.md index 7f69defe6..45bdc4a18 100644 --- a//opensearch-service/latest/developerguide/monitoring-pipeline-logs.md +++ b//opensearch-service/latest/developerguide/monitoring-pipeline-logs.md @@ -19,27 +18,0 @@ You need the following CloudWatch Logs permissions in order to create and update -JSON - - -**** - - - - {a - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": "*", - "Action": [ - "logs:CreateLogDelivery", - "logs:PutResourcePolicy", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:DescribeResourcePolicies", - "logs:GetLogDelivery", - "logs:ListLogDeliveries" - ] - } - ] - } - -