AWS AmazonCloudWatch documentation change
Summary
Updated IAM policy examples to standardize placeholder values (e.g., 'account-id' to 'your-account-id'), removed resource policy limits section, and revised AWS CLI commands/resource ARN formats for consistency.
Security assessment
Changes primarily involve documentation formatting and placeholder standardization. No evidence of addressing a specific security vulnerability. The removed resource policy limits section could impact operational awareness but doesn't directly relate to a security flaw. Updates to IAM examples improve clarity but don't introduce new security controls.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md index 9d989c9cf..8ad207115 100644 --- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md +++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md @@ -29 +29 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - "Resource": "arn:aws:iam::account-id:role/s3-source-role" + "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role" @@ -44 +44 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - "Resource": "arn:aws:iam::account-id:role/secrets-manager-role" + "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role" @@ -59 +59 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - "Resource": "arn:aws:iam::account-id:role/cloudwatch-logs-role"" + "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role"" @@ -100 +100 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/S3-SOURCE-ROLE" + "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role" @@ -115 +115 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/S3-SOURCE-ROLE", + "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role", @@ -122 +122 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "arn:aws:observabilityadmin:YOUR-REGION:YOUR-ACCOUNT-ID:telemetry-pipeline/*" + "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*" @@ -140 +140 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/SECRETS-MANAGER-ROLE" + "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role" @@ -155 +155 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/SECRETS-MANAGER-ROLE", + "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role", @@ -162 +162 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "arn:aws:observabilityadmin:YOUR-REGION:YOUR-ACCOUNT-ID:telemetry-pipeline/*" + "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*" @@ -180 +180 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/CLOUDWATCH-LOGS-ROLE", + "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role", @@ -187 +187 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "arn:aws:observabilityadmin:YOUR-REGION:YOUR-ACCOUNT-ID:telemetry-pipeline/*" + "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*" @@ -235 +235 @@ For S3 sources, customers must provide an IAM role with permissions to access S3 - "Resource": "arn:aws:s3:::bucket-name/*" + "Resource": "arn:aws:s3:::your-bucket-name/*" @@ -245 +245 @@ For S3 sources, customers must provide an IAM role with permissions to access S3 - "Resource": "arn:aws:sqs:region:account-id:queue-name" + "Resource": "arn:aws:sqs:your-region:your-account-id:your-queue-name" @@ -251 +251 @@ For S3 sources, customers must provide an IAM role with permissions to access S3 - "Resource": "arn:aws:kms:region:account-id:key/key-id", + "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id", @@ -275 +275 @@ For sources that reference AWS Secrets Manager (Microsoft Office 365, Microsoft - "Resource": "arn:aws:secretsmanager:region:account-id:secret:secret-name*" + "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:your-secret-name*" @@ -281 +281 @@ For sources that reference AWS Secrets Manager (Microsoft Office 365, Microsoft - "Resource": "arn:aws:kms:region:account-id:key/key-id", + "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id", @@ -321,4 +320,0 @@ After calling `CreateTelemetryPipeline` API, you will receive a pipeline ARN. Fo -###### Resource policy limits - -CloudWatch Logs has a maximum of 10 resource policies per account per region. If you reach this limit, remove the `Condition` section and `Resource` restriction from the policy. - @@ -333 +329 @@ You have a limited time window (less than 5 minutes) to create the resource poli - "policyName": "ATPTelemetryPipelinePolicy", + "policyName": "resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*", @@ -346 +342 @@ You have a limited time window (less than 5 minutes) to create the resource poli - "Resource": "arn:aws:logs:region:account-id:log-group:log-group-name:*", + @@ -349 +345 @@ You have a limited time window (less than 5 minutes) to create the resource poli - "aws:SourceArn": "arn:aws:observabilityadmin:region:account-id:telemetry-pipeline/pipeline-id" + "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id" @@ -357,5 +352,0 @@ You have a limited time window (less than 5 minutes) to create the resource poli -The following AWS CLI example should how to create a log-groups scope resource policy. Each log group is limited to a single resource policy. - - - aws logs put-resource-policy --resource-arn "arn:aws:logs:us-east-1:123456789012:log-group:testGroup" --policy-document file://~/example_resource_policy.json - @@ -369 +360 @@ Check for existing policies: - aws logs describe-resource-policies --region <YOUR-REGION> + aws logs describe-resource-policies --resource-arn arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:* @@ -371 +362 @@ Check for existing policies: -This returns all existing resource policies. Look for any policy that might already be associated with your log group. +This returns all existing resource policies attached to the log group. Look for any policy that might already be associated with your log group. @@ -378 +369 @@ If no resource policy exists, create a new one: - --policy-name ATPTelemetryPipelinePolicy \ + --policy-name "resourceArn": "arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*"\ @@ -391 +381,0 @@ If no resource policy exists, create a new one: - "Resource": "arn:aws:logs:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:log-group:<YOUR-LOG-GROUP>:*", @@ -394 +384 @@ If no resource policy exists, create a new one: - "aws:SourceArn": "arn:aws:observabilityadmin:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:telemetry-pipeline/<PIPELINE-ID>" + "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id" @@ -403 +393 @@ Replace the following placeholders: - * `<YOUR-REGION>` \- Your AWS region (e.g., us-east-1) + * `your-region` \- Your AWS region (e.g., us-east-1) @@ -405 +395 @@ Replace the following placeholders: - * `<YOUR-ACCOUNT-ID>` \- Your 12-digit AWS account ID + * `your-account-id` \- Your 12-digit AWS account ID @@ -407 +397 @@ Replace the following placeholders: - * `<YOUR-LOG-GROUP>` \- Your CloudWatch Logs log group name + * `your-log-group-name` \- Your CloudWatch Logs log group name @@ -409 +399 @@ Replace the following placeholders: - * `<PIPELINE-ID>` \- Your telemetry pipeline ID + * `your-pipeline-id` \- Your telemetry pipeline ID @@ -418,4 +408 @@ If a resource policy already exists, merge the new statement with it: - aws logs describe-resource-policies \ - --region <YOUR-REGION> \ - --query "resourcePolicies[?policyName=='ATPTelemetryPipelinePolicy'].policyDocument" \ - --output text > existing-policy.json + aws logs describe-resource-policies --resource-arn arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:* @@ -435,2 +422 @@ If a resource policy already exists, merge the new statement with it: - ], - "Resource": "arn:aws:logs:region:account:log-group:existing-group:*" + ] @@ -447 +433 @@ If a resource policy already exists, merge the new statement with it: - "Resource": "arn:aws:logs:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:log-group:<YOUR-LOG-GROUP>:*", + @@ -450 +436 @@ If a resource policy already exists, merge the new statement with it: - "aws:SourceArn": "arn:aws:observabilityadmin:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:telemetry-pipeline/<PIPELINE-ID>" + "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id" @@ -460,2 +446,2 @@ If a resource policy already exists, merge the new statement with it: - --region <YOUR-REGION> \ - --policy-name ATPTelemetryPipelinePolicy \ + --region your-region \ + --policy-name resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:* \ @@ -470,3 +456 @@ Confirm the policy was created or updated successfully: - aws logs describe-resource-policies \ - --region <YOUR-REGION> \ - --query "resourcePolicies[?policyName=='ATPTelemetryPipelinePolicy']" + aws logs describe-resource-policies --resource-arn arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*