AWS AmazonCloudWatch documentation change
Summary
Added documentation for RUM endpoint with authentication details and mobile SDK references
Security assessment
The change adds documentation about authentication methods (SigV4 and unauthenticated access) for the RUM endpoint. While this describes security features, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md index bb8efe99a..bbb6fd134 100644 --- a//AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md +++ b//AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md @@ -5 +5 @@ -Traces endpointLogs endpointEndpoint limits and restrictions +Traces endpointLogs endpointRUM endpointEndpoint limits and restrictions @@ -9 +9 @@ Traces endpointLogs endpointEndpoint limits and restrictions -OpenTelemetry Protocol (OTLP) is a general-purpose telemetry data delivery protocol designed for the OpenTelemetry. CloudWatch OpenTelemetry endpoints are HTTP 1.1 endpoints. You need to configure your OpenTelemetry collector to start sending open telemetry data to CloudWatch. For more information, see [Getting started](./CloudWatch-OTLPGettingStarted.html). The endpoint authenticates callers using Signature 4 authentication. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html). +OpenTelemetry Protocol (OTLP) is a general-purpose telemetry data delivery protocol designed for the OpenTelemetry. CloudWatch OpenTelemetry endpoints are HTTP 1.1 endpoints. You need to configure your OpenTelemetry collector to start sending open telemetry data to CloudWatch. For more information, see [Getting started](./CloudWatch-OTLPGettingStarted.html). @@ -15 +15 @@ The traces endpoint follows the pattern `https://xray.`AWS Region`.amazonaws.com -You need to configure your OpenTelemetry collector to start sending traces to CloudWatch. To get started, see [Getting started](./CloudWatch-OTLPGettingStarted.html). +You need to configure your OpenTelemetry collector to start sending traces to CloudWatch. The endpoint authenticates callers using Signature 4 authentication. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html). @@ -21 +21 @@ The logs endpoint follows the pattern `https://logs.`AWS Region`.amazonaws.com/v -You must configure `LogGroup` and `LogStream` when you invoke CloudWatch Logs OpenTelemetry endpoint by setting `x-aws-log-group` and `x-aws-log-stream` HTTP headers to `LogGroup` and `LogStream` name respectively. For more information, see [Getting started](./CloudWatch-OTLPGettingStarted.html). +You must configure `LogGroup` and `LogStream` when you invoke CloudWatch Logs OpenTelemetry endpoint by setting `x-aws-log-group` and `x-aws-log-stream` HTTP headers to `LogGroup` and `LogStream` name respectively. For more information, see [Getting started](./CloudWatch-OTLPGettingStarted.html). The endpoint authenticates callers using Signature 4 authentication. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html). @@ -24,0 +25,17 @@ When log event size exceed 1MB, CloudWatch Logs automatically truncates up to 10 +## RUM endpoint + +The RUM endpoint follows the pattern `https://dataplane.rum.{AWS Region}.amazonaws.com/v1/rum`. For example, for the US West (Oregon) Region, the endpoint is `https://dataplane.rum.us-west-2.amazonaws.com/v1/rum`. This endpoint handles _client-side telemetry data_ (only traces and log records with `eventName`) for CloudWatch RUM applications. + +To use this endpoint, you must create a [RUM app monitor](./CloudWatch-RUM-get-started-create-app-monitor.html) with Mobile platform (Android/ iOS) and use the code snippet generated to instrument your applications. The snippet will pull the RUM Mobile SDKs which are configured with this endpoint. You can configure the SDKs further for RUM to collect telemetry accordingly. + +The endpoint supports both authenticated and unauthenticated requests. You can use AWS Signature Version 4 (SigV4) for authenticated requests, or resource-based policies to allow unauthenticated access from mobile applications. + +To learn more about the authentication models as defined in their SDKs, see the following: + + * iOS applications - [AWS Distro for OpenTelemetry (ADOT) iOS SDK](https://github.com/aws-observability/aws-otel-swift). + + * Android applications - [AWS Distro for OpenTelemetry (ADOT) Android SDK](https://github.com/aws-observability/aws-otel-android). + + + +