AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-11-22 · Documentation medium

File: AmazonCloudWatch/latest/logs/scheduled-queries-concepts.md

Summary

Added detailed trust policy requirements and example IAM policies for query execution and destination delivery roles

Security assessment

Provides explicit security guidance about required trust relationships and least-privilege permissions for CloudWatch Logs scheduled queries. While security-related, there's no evidence this addresses a specific vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/logs/scheduled-queries-concepts.md b/AmazonCloudWatch/latest/logs/scheduled-queries-concepts.md
index 48026a66b..2e95376ec 100644
--- a//AmazonCloudWatch/latest/logs/scheduled-queries-concepts.md
+++ b//AmazonCloudWatch/latest/logs/scheduled-queries-concepts.md
@@ -36,0 +37,37 @@ Allows CloudWatch Logs to run CloudWatch Logs Insights queries on your behalf. T
+**Trust relationship requirement:** The query execution role must include a trust policy that allows the CloudWatch Logs service (`logs.amazonaws.com`) to assume the role. Without this trust relationship, scheduled queries will fail with permission errors.
+
+Example trust policy for the query execution role:
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "logs.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+
+Example permissions policy for the query execution role:
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "logs:StartQuery",
+                    "logs:StopQuery",
+                    "logs:GetQueryResults",
+                    "logs:DescribeLogGroups"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
@@ -41,0 +79,18 @@ Allows CloudWatch Logs to deliver query results to your chosen destination. This
+**Trust relationship requirement:** The destination delivery role must also include a trust policy that allows the CloudWatch Logs service (`logs.amazonaws.com`) to assume the role.
+
+Example permissions policy for S3 destination delivery role:
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:PutObject"
+                ],
+                "Resource": "arn:aws:s3:::your-scheduled-query-results-bucket/*"
+            }
+        ]
+    }
+