AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-03-19 · Documentation low

File: AmazonCloudWatch/latest/logs/CWL_HLC_Endpoint.md

Summary

Restructured documentation to focus on event formatting, input modes, and request examples while removing setup guides for IAM users, API key management, and security best practices

Security assessment

The changes remove security-related sections about handling compromised API keys, IAM permissions, and CloudTrail logging. However, this appears to be a documentation restructuring rather than a direct response to a security vulnerability. There is no evidence of addressing a specific security weakness in the added content.

Diff

diff --git a/AmazonCloudWatch/latest/logs/CWL_HLC_Endpoint.md b/AmazonCloudWatch/latest/logs/CWL_HLC_Endpoint.md
index bc78bd3d7..f6c290688 100644
--- a//AmazonCloudWatch/latest/logs/CWL_HLC_Endpoint.md
+++ b//AmazonCloudWatch/latest/logs/CWL_HLC_Endpoint.md
@@ -5 +5 @@
-PrerequisitesOption 1: Simplified setup using the AWS console (recommended)Option 2: Manual setupSending logs to the HLC endpointControl permissions for generating and using CloudWatch Logs API keysHandle compromised CloudWatch Logs API keysLogging API key usage with CloudTrailBest practicesLimitations
+Input modesEvent field (required)Time field (optional)Content-TypeAccepted JSON value typesEndpoint formatRequest formatExample requestBest practicesLimitations
@@ -7 +7 @@ PrerequisitesOption 1: Simplified setup using the AWS console (recommended)Optio
-# Sending logs to CloudWatch Logs using HLC endpoint
+# Sending logs using the HLC endpoint (HLC Logs)
@@ -9 +9 @@ PrerequisitesOption 1: Simplified setup using the AWS console (recommended)Optio
-Amazon CloudWatch Logs supports an HTTP Log Collector (HLC) endpoint that allows you to send logs directly to CloudWatch Logs using a simple HTTP-based protocol. This feature simplifies log ingestion for applications and services without requiring AWS SDK integration.
+The HLC Logs endpoint (`/services/collector/event`) is based on the HTTP Log Collector (HLC) format.
@@ -11 +11 @@ Amazon CloudWatch Logs supports an HTTP Log Collector (HLC) endpoint that allows
-The HLC endpoint feature enables you to:
+If you are using bearer token authentication, complete the setup steps in [Setting up bearer token authentication](./CWL_HTTP_Endpoints_BearerTokenAuth.html) before proceeding.
@@ -13 +13 @@ The HLC endpoint feature enables you to:
-  * Send logs to CloudWatch Logs using HTTP-based protocol
+## Input modes
@@ -15 +15 @@ The HLC endpoint feature enables you to:
-  * Authenticate using IAM service-specific credentials (bearer tokens)
+Each event is a JSON object with a required `"event"` field. Optional metadata fields: `"time"`, `"host"`, `"source"`, `"sourcetype"`, `"index"`.
@@ -17 +17 @@ The HLC endpoint feature enables you to:
-  * Ingest logs without requiring AWS SDK integration
+**Single event:**
@@ -19 +18,0 @@ The HLC endpoint feature enables you to:
-  * Use simple HTTP POST requests from any application or service
@@ -20,0 +20 @@ The HLC endpoint feature enables you to:
+    {"event":"Hello world!","time":1486683865.0}
@@ -21,0 +22 @@ The HLC endpoint feature enables you to:
+**JSON array of events:**
@@ -24,151 +25,3 @@ The HLC endpoint feature enables you to:
-###### Note
-
-API key (bearer token) for HLC endpoint access is currently in preview and available in the following AWS Regions: `us-east-1`, `us-west-1`, `us-west-2`, and `us-east-2`. Please check this documentation for updates in future.
-
-## Prerequisites
-
-Before you can send logs using the HLC endpoint, you need to:
-
-  * Create an IAM user with CloudWatch Logs permissions
-
-  * Generate service-specific credentials (bearer token)
-
-  * Create a log group and log stream
-
-  * Enable bearer token authentication on the log group
-
-
-
-
-## Option 1: Simplified setup using the AWS console (recommended)
-
-The AWS Management Console provides a streamlined workflow to generate API keys for HLC endpoint access.
-
-###### To set up HLC endpoint access using the console
-
-  1. Sign in to the AWS Management Console.
-
-  2. Navigate to **CloudWatch** > **Settings** > **Logs**.
-
-  3. In the API Keys section, choose **Generate API key**.
-
-  4. For **API key expiration** , do one of the following:
-
-     * Select an API key expiration duration of **1** , **5** , **30** , **90** , or **365** days.
-
-     * Choose **Custom duration** to specify a custom API key expiration date.
-
-     * Select **Never expires** (not recommended).
-
-  5. Choose **Generate API key**.
-
-The console automatically:
-
-     * Creates a new IAM user with appropriate permissions
-
-     * Attaches the [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) managed policy (includes `logs:PutLogEvents` and `logs:CallWithBearerToken` permissions)
-
-     * Generates service-specific credentials (API key)
-
-  6. Copy and securely save the displayed credentials:
-
-     * **API Key ID** (Service-specific credential ID)
-
-     * **API Key Secret** (Bearer token)
-
-###### Important
-
-Save the API Key Secret immediately. It cannot be retrieved later. If you lose it, you'll need to generate a new API key.
-
-  7. Create the log group and log stream where your logs will be stored:
-    
-        # Create the log group
-    aws logs create-log-group \
-        --log-group-name /aws/hlc-logs/my-application \
-        --region us-east-1
-    
-    # Create the log stream
-    aws logs create-log-stream \
-        --log-group-name /aws/hlc-logs/my-application \
-        --log-stream-name application-stream-001 \
-        --region us-east-1
-
-  8. Enable bearer token authentication on the log group:
-    
-        aws logs put-bearer-token-authentication \
-        --log-group-identifier /aws/hlc-logs/my-application \
-        --bearer-token-authentication-enabled \
-        --region us-east-1
-
-Verify the configuration:
-    
-        aws logs describe-log-groups \
-        --log-group-name-prefix /aws/hlc-logs/my-application \
-        --region us-east-1
-
-
-
-
-**Permissions included:** The automatically created IAM user will have the following permissions:
-
-  * `logs:PutLogEvents` – Send log events to CloudWatch Logs
-
-  * `logs:CallWithBearerToken` – Authenticate using bearer token
-
-  * `kms:Describe*`, `kms:GenerateDataKey*`, `kms:Decrypt` – Access KMS-encrypted log groups (with condition restricting to logs service)
-
-
-
-
-## Option 2: Manual setup
-
-If you prefer more control over the IAM configuration or need to customize permissions, you can set up the HLC endpoint manually.
-
-### Step 1: Create an IAM user
-
-Create an IAM user that will be used for log ingestion:
-
-  1. Sign in to the AWS Management Console and navigate to IAM.
-
-  2. In the left navigation pane, choose **Users**.
-
-  3. Choose **Create user**.
-
-  4. Enter a user name (for example, `cloudwatch-logs-hlc-user`).
-
-  5. Choose **Next**.
-
-  6. Attach one of the following IAM policies:
-
-**Option A: Use the managed policy (recommended)**
-
-Attach the [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) managed policy.
-
-**Option B: Create a custom policy**
-
-Create and attach the following IAM policy:
-    
-        {
-        "Version": "2012-10-17",		 	 	 
-        "Statement": [
-            {
-                "Sid": "LogsAPIs",
-                "Effect": "Allow",
-                "Action": [
-                    "logs:CallWithBearerToken",
-                    "logs:PutLogEvents"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Sid": "KMSAPIs",
-                "Effect": "Allow",
-                "Action": [
-                    "kms:Describe*",
-                    "kms:GenerateDataKey*",
-                    "kms:Decrypt"
-                ],
-                "Condition": {
-                    "StringEquals": {
-                        "kms:ViaService": [
-                            "logs.*.amazonaws.com"
+    [
+      {"event":"msg1","time":1486683865.0},
+      {"event":"msg2","time":1486683866.0}
@@ -176,15 +28,0 @@ Create and attach the following IAM policy:
-                    }
-                },
-                "Resource": "arn:aws:kms:*:*:key/*"
-            }
-        ]
-    }
-
-  7. Choose **Next** and then **Create user**.
-
-
-
-
-###### Note