AWS AmazonCloudWatch high security documentation change
Summary
Updated IAM policy structure for X-Ray trace delivery, including explicit service principal, simplified action, and stricter resource/ARN conditions.
Security assessment
The changes enforce stricter IAM conditions (aws:SourceAccount, logs:LogGeneratingResourceArns, aws:SourceArn) to limit permissions to specific resources. This reduces the attack surface by preventing unintended access, making it a security improvement.
Diff
diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-XRayTraces.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-XRayTraces.md index 54ffd58d8..1ca83b5d8 100644 --- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-XRayTraces.md +++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-XRayTraces.md @@ -84 +84 @@ JSON - "Sid": "AWSLogDeliveryWrite20250319", + "Sid": "AWSLogDeliveryWrite", @@ -86,3 +86,4 @@ JSON - "Action": [ - "xray:PutTraceSegments" - ], + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Action": "xray:PutTraceSegments", @@ -92,3 +93,4 @@ JSON - "aws:SourceAccount": [ - "123456789012" - ] + "aws:SourceAccount": "123456789012" + }, + "ForAllValues:ArnLike": { + "logs:LogGeneratingResourceArns": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/MemoryId" @@ -97,3 +99 @@ JSON - "aws:SourceArn": [ - "arn:aws:logs:us-east-1:111122223333:delivery-source:my-delivery-source" - ] + "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:xray-test"