AWS AmazonCloudWatch medium security documentation change
Summary
Added identical content about resource policy limits and security configuration as seen in CWL.md, including policy examples with account/ARN validation
Security assessment
This parallel change reinforces security practices for log group policies across documentation versions, explicitly showing how to implement least-privilege access controls through source validation conditions to prevent unauthorized access.
Diff
diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md index 8facf8722..ee4a99f60 100644 --- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md +++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md @@ -107,0 +108,44 @@ JSON + "aws:SourceArn": [ + "arn:aws:logs:us-east-1:111122223333:*" + ] + } + } + } + ] + } + + +The log group's resource policy limit is 51,200 bytes. Once this limit is reached, AWS cannot add new permissions. This requires customers to manually modify the policy to grant the `delivery.logs.amazonaws.com` service principal permissions on the `logs:CreateLogStream` and `logs:PutLogEvents` actions. Customers should use a log group name prefix with wildcards such as `/aws/vendedlogs/*` and use this log group name for future Delivery creation. + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "AWSLogDeliveryWrite20150319", + "Effect": "Allow", + "Principal": { + "Service": [ + "delivery.logs.amazonaws.com" + ] + }, + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": [ + "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": [ + "0123456789" + ] + }, + "ArnLike": {