AWS AmazonCloudWatch medium security documentation change
Summary
Corrected ARN pattern in policy example from 'logs' to 'xray'
Security assessment
Fixes misconfiguration in resource policy that could allow overly permissive access. Concrete evidence: SourceArn now properly scoped to X-Ray service.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/Enable-TransactionSearch.md b/AmazonCloudWatch/latest/monitoring/Enable-TransactionSearch.md index 81ff5c0da..36876c3db 100644 --- a//AmazonCloudWatch/latest/monitoring/Enable-TransactionSearch.md +++ b//AmazonCloudWatch/latest/monitoring/Enable-TransactionSearch.md @@ -168 +168 @@ The following example shows how to format your AWS CLI command with `PutResource - aws logs put-resource-policy --policy-name MyResourcePolicy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "TransactionSearchXRayAccess", "Effect": "Allow", "Principal": { "Service": "xray.amazonaws.com" }, "Action": "logs:PutLogEvents", "Resource": [ "arn:partition:logs:region:account-id:log-group:aws/spans:*", "arn:partition:logs:region:account-id:log-group:/aws/application-signals/data:*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:partition:logs:region:account-id:*" }, "StringEquals": { "aws:SourceAccount": "account-id" } } } ]}' + aws logs put-resource-policy --policy-name MyResourcePolicy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "TransactionSearchXRayAccess", "Effect": "Allow", "Principal": { "Service": "xray.amazonaws.com" }, "Action": "logs:PutLogEvents", "Resource": [ "arn:partition:logs:region:account-id:log-group:aws/spans:*", "arn:partition:logs:region:account-id:log-group:/aws/application-signals/data:*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:partition:xray:region:account-id:*" }, "StringEquals": { "aws:SourceAccount": "account-id" } } } ]}'