AWS greengrass documentation change
Summary
Added IAM policy example for CloudWatch Logs permissions required by the system log forwarder component
Security assessment
The change adds documentation about required IAM permissions but does not indicate a security vulnerability fix. It improves security documentation by specifying least-privilege permissions for log forwarding operations.
Diff
diff --git a/greengrass/v2/developerguide/system-log-forwarder-component.md b/greengrass/v2/developerguide/system-log-forwarder-component.md index 2caee1347..ad3476c95 100644 --- a//greengrass/v2/developerguide/system-log-forwarder-component.md +++ b//greengrass/v2/developerguide/system-log-forwarder-component.md @@ -64,0 +65,24 @@ The component requires access to create log and stream groups in CloudWatch as w +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": ["logs:CreateLogGroup"], + "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:greengrass/systemLogs:*" + }, + { + "Effect": "Allow", + "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], + "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:greengrass/systemLogs:log-stream:${credentials-iot:ThingName}" + } + ] + } + +