AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2026-02-28 · Security-related medium

File: AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md

Summary

Added identical content about resource policy limits and security configuration as seen in CWL.md, including policy examples with account/ARN validation

Security assessment

This parallel change reinforces security practices for log group policies across documentation versions, explicitly showing how to implement least-privilege access controls through source validation conditions to prevent unauthorized access.

Diff

diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md
index 8facf8722..ee4a99f60 100644
--- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md
+++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md
@@ -107,0 +108,44 @@ JSON
+                        "aws:SourceArn": [
+                            "arn:aws:logs:us-east-1:111122223333:*"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+    
+
+The log group's resource policy limit is 51,200 bytes. Once this limit is reached, AWS cannot add new permissions. This requires customers to manually modify the policy to grant the `delivery.logs.amazonaws.com` service principal permissions on the `logs:CreateLogStream` and `logs:PutLogEvents` actions. Customers should use a log group name prefix with wildcards such as `/aws/vendedlogs/*` and use this log group name for future Delivery creation.
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "AWSLogDeliveryWrite20150319",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "delivery.logs.amazonaws.com"
+                    ]
+                },
+                "Action": [
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                ],
+                "Resource": [
+                    "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:SourceAccount": [
+                            "0123456789"
+                        ]
+                    },
+                    "ArnLike": {