AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2026-02-28 · Security-related medium

File: AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md

Summary

Added documentation about log group resource policy size limits, manual intervention requirements, and security best practices for policy configuration including source account/ARN conditions

Security assessment

The change introduces security-focused guidance by emphasizing policy size limitations that could break log delivery if exceeded, and demonstrates secure policy configuration with explicit aws:SourceAccount validation and ArnLike conditions to restrict permissions. This addresses potential misconfiguration risks.

Diff

diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md
index 582635644..54d1d1e63 100644
--- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md
+++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md
@@ -80 +80,43 @@ JSON
-If the log group does have a resource policy but that policy doesn't contain the statement shown in the previous policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, that statement is appended to the log group's resource policy.
+The log group's resource policy limit is 51,200 bytes. Once this limit is reached, AWS cannot add new permissions. This requires customers to manually modify the policy to grant the `delivery.logs.amazonaws.com` service principal permissions on the `logs:CreateLogStream` and `logs:PutLogEvents` actions. Customers should use a log group name prefix with wildcards such as `/aws/vendedlogs/*` and use this log group name for future Delivery creation.
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "AWSLogDeliveryWrite20150319",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "delivery.logs.amazonaws.com"
+                    ]
+                },
+                "Action": [
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                ],
+                "Resource": [
+                    "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:SourceAccount": [
+                            "0123456789"
+                        ]
+                    },
+                    "ArnLike": {
+                        "aws:SourceArn": [
+                            "arn:aws:logs:us-east-1:111122223333:*"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+