AWS eventbridge documentation change
Summary
Added CloudWatch Logs resource policy example and CLI command for EventBridge logging
Security assessment
The change documents security configuration by showing how to properly grant EventBridge permissions to write logs. While security-related, this is a standard permissions setup rather than addressing a specific vulnerability.
Diff
diff --git a/eventbridge/latest/userguide/eb-use-resource-based.md b/eventbridge/latest/userguide/eb-use-resource-based.md index d834b0369..8ab944dca 100644 --- a//eventbridge/latest/userguide/eb-use-resource-based.md +++ b//eventbridge/latest/userguide/eb-use-resource-based.md @@ -72,0 +73,28 @@ If you use the AWS Management Console to add CloudWatch Logs as the target of a +The following resource-based policy example allows EventBridge to write to all log groups that have names that start with `/aws/events/`. If you use a different naming policy for these types of logs, adjust the resource ARN accordingly. + + + { + "Effect": "Allow", + "Principal": { + "Service": [ + "events.amazonaws.com", + "delivery.logs.amazonaws.com" + ] + }, + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "arn:aws:logs:region:account-id:log-group:/aws/events/*:*" + } + +###### To create a resource policy for CloudWatch Logs using the AWS CLI + + * At a command prompt, enter the following command. + + aws logs put-resource-policy --policy-name EventBridgeToCWLogsPolicy \ + --policy-document '{"Version":"2012-10-17", "Statement":[{"Effect":"Allow","Principal":{"Service":["events.amazonaws.com","delivery.logs.amazonaws.com"]},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:region:account-id:log-group:/aws/events/*:*"}]}' + + + +