AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-12-07 · Documentation low

File: AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md

Summary

Updated IAM policy examples to standardize placeholder values (e.g., 'account-id' to 'your-account-id'), removed resource policy limits section, and revised AWS CLI commands/resource ARN formats for consistency.

Security assessment

Changes primarily involve documentation formatting and placeholder standardization. No evidence of addressing a specific security vulnerability. The removed resource policy limits section could impact operational awareness but doesn't directly relate to a security flaw. Updates to IAM examples improve clarity but don't introduce new security controls.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
index 9d989c9cf..8ad207115 100644
--- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
+++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
@@ -29 +29 @@ Required for any roles specified in the pipeline configuration (S3 source roles,
-                "Resource": "arn:aws:iam::account-id:role/s3-source-role"
+                "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role"
@@ -44 +44 @@ Required for any roles specified in the pipeline configuration (S3 source roles,
-                "Resource": "arn:aws:iam::account-id:role/secrets-manager-role"
+                "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role"
@@ -59 +59 @@ Required for any roles specified in the pipeline configuration (S3 source roles,
-                "Resource": "arn:aws:iam::account-id:role/cloudwatch-logs-role""
+                "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role""
@@ -100 +100 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-                "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/S3-SOURCE-ROLE"
+                "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role"
@@ -115 +115 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-                "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/S3-SOURCE-ROLE",
+                "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role",
@@ -122 +122 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-                      "arn:aws:observabilityadmin:YOUR-REGION:YOUR-ACCOUNT-ID:telemetry-pipeline/*"
+                      "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*"
@@ -140 +140 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-                "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/SECRETS-MANAGER-ROLE"
+                "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role"
@@ -155 +155 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-              "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/SECRETS-MANAGER-ROLE",
+              "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role",
@@ -162 +162 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-                    "arn:aws:observabilityadmin:YOUR-REGION:YOUR-ACCOUNT-ID:telemetry-pipeline/*"
+                    "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*"
@@ -180 +180 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-              "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID:role/CLOUDWATCH-LOGS-ROLE",
+              "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role",
@@ -187 +187 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
-                    "arn:aws:observabilityadmin:YOUR-REGION:YOUR-ACCOUNT-ID:telemetry-pipeline/*"
+                    "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*"
@@ -235 +235 @@ For S3 sources, customers must provide an IAM role with permissions to access S3
-                "Resource": "arn:aws:s3:::bucket-name/*"
+                "Resource": "arn:aws:s3:::your-bucket-name/*"
@@ -245 +245 @@ For S3 sources, customers must provide an IAM role with permissions to access S3
-                "Resource": "arn:aws:sqs:region:account-id:queue-name"
+                "Resource": "arn:aws:sqs:your-region:your-account-id:your-queue-name"
@@ -251 +251 @@ For S3 sources, customers must provide an IAM role with permissions to access S3
-                "Resource": "arn:aws:kms:region:account-id:key/key-id",
+                "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id",
@@ -275 +275 @@ For sources that reference AWS Secrets Manager (Microsoft Office 365, Microsoft
-                "Resource": "arn:aws:secretsmanager:region:account-id:secret:secret-name*"
+                "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:your-secret-name*"
@@ -281 +281 @@ For sources that reference AWS Secrets Manager (Microsoft Office 365, Microsoft
-                "Resource": "arn:aws:kms:region:account-id:key/key-id",
+                "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id",
@@ -321,4 +320,0 @@ After calling `CreateTelemetryPipeline` API, you will receive a pipeline ARN. Fo
-###### Resource policy limits
-
-CloudWatch Logs has a maximum of 10 resource policies per account per region. If you reach this limit, remove the `Condition` section and `Resource` restriction from the policy.
-
@@ -333 +329 @@ You have a limited time window (less than 5 minutes) to create the resource poli
-        "policyName": "ATPTelemetryPipelinePolicy",
+        "policyName": "resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*",
@@ -346 +342 @@ You have a limited time window (less than 5 minutes) to create the resource poli
-                    "Resource": "arn:aws:logs:region:account-id:log-group:log-group-name:*",
+                   
@@ -349 +345 @@ You have a limited time window (less than 5 minutes) to create the resource poli
-                            "aws:SourceArn": "arn:aws:observabilityadmin:region:account-id:telemetry-pipeline/pipeline-id"
+                            "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id"
@@ -357,5 +352,0 @@ You have a limited time window (less than 5 minutes) to create the resource poli
-The following AWS CLI example should how to create a log-groups scope resource policy. Each log group is limited to a single resource policy.
-    
-    
-    aws logs put-resource-policy --resource-arn "arn:aws:logs:us-east-1:123456789012:log-group:testGroup" --policy-document file://~/example_resource_policy.json
-
@@ -369 +360 @@ Check for existing policies:
-    aws logs describe-resource-policies --region <YOUR-REGION>
+    aws logs describe-resource-policies --resource-arn arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*
@@ -371 +362 @@ Check for existing policies:
-This returns all existing resource policies. Look for any policy that might already be associated with your log group. 
+This returns all existing resource policies attached to the log group. Look for any policy that might already be associated with your log group. 
@@ -378 +369 @@ If no resource policy exists, create a new one:
-            --policy-name ATPTelemetryPipelinePolicy \
+            --policy-name  "resourceArn": "arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*"\
@@ -391 +381,0 @@ If no resource policy exists, create a new one:
-                "Resource": "arn:aws:logs:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:log-group:<YOUR-LOG-GROUP>:*",
@@ -394 +384 @@ If no resource policy exists, create a new one:
-                        "aws:SourceArn": "arn:aws:observabilityadmin:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:telemetry-pipeline/<PIPELINE-ID>"
+                        "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id"
@@ -403 +393 @@ Replace the following placeholders:
-  * `<YOUR-REGION>` \- Your AWS region (e.g., us-east-1)
+  * `your-region` \- Your AWS region (e.g., us-east-1)
@@ -405 +395 @@ Replace the following placeholders:
-  * `<YOUR-ACCOUNT-ID>` \- Your 12-digit AWS account ID
+  * `your-account-id` \- Your 12-digit AWS account ID
@@ -407 +397 @@ Replace the following placeholders:
-  * `<YOUR-LOG-GROUP>` \- Your CloudWatch Logs log group name
+  * `your-log-group-name` \- Your CloudWatch Logs log group name
@@ -409 +399 @@ Replace the following placeholders:
-  * `<PIPELINE-ID>` \- Your telemetry pipeline ID
+  * `your-pipeline-id` \- Your telemetry pipeline ID
@@ -418,4 +408 @@ If a resource policy already exists, merge the new statement with it:
-        aws logs describe-resource-policies \
-            --region <YOUR-REGION> \
-            --query "resourcePolicies[?policyName=='ATPTelemetryPipelinePolicy'].policyDocument" \
-            --output text > existing-policy.json
+        aws logs describe-resource-policies --resource-arn arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*
@@ -435,2 +422 @@ If a resource policy already exists, merge the new statement with it:
-                ],
-                "Resource": "arn:aws:logs:region:account:log-group:existing-group:*"
+                ]
@@ -447 +433 @@ If a resource policy already exists, merge the new statement with it:
-                "Resource": "arn:aws:logs:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:log-group:<YOUR-LOG-GROUP>:*",
+              
@@ -450 +436 @@ If a resource policy already exists, merge the new statement with it:
-                        "aws:SourceArn": "arn:aws:observabilityadmin:<YOUR-REGION>:<YOUR-ACCOUNT-ID>:telemetry-pipeline/<PIPELINE-ID>"
+                        "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id"
@@ -460,2 +446,2 @@ If a resource policy already exists, merge the new statement with it:
-            --region <YOUR-REGION> \
-            --policy-name ATPTelemetryPipelinePolicy \
+            --region your-region \
+            --policy-name resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:* \
@@ -470,3 +456 @@ Confirm the policy was created or updated successfully:
-    aws logs describe-resource-policies \
-            --region <YOUR-REGION> \
-            --query "resourcePolicies[?policyName=='ATPTelemetryPipelinePolicy']"
+    aws logs describe-resource-policies --resource-arn arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*