AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-03-28 · Documentation low

File: AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md

Summary

Added detailed clarification about CloudWatch Logs resource policy creation, size limits, interaction with account-level policies, and how to inspect log group-level policies.

Security assessment

This change adds documentation about security features (resource policies) and their operational limits (51,200 bytes). It clarifies the precedence between account-level and log group-level policies, which is important for understanding access control. However, there is no evidence this change is in response to a specific security issue; it appears to be a documentation improvement for clarity and best practices.

Diff

diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md
index 54d1d1e63..77a311188 100644
--- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md
+++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.md
@@ -36 +36 @@ If any of these types of logs is already being sent to a log group in CloudWatch
-The log group where the logs are being sent must have a resource policy that includes certain permissions. If the log group currently does not have a resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy for it when you begin sending the logs to CloudWatch Logs.
+The log group where the logs are being sent must have a resource policy that includes certain permissions. If the log group currently does not have a resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy for it when you begin sending the logs to CloudWatch Logs. For newly created subscriptions, resource policies are configured at the log group level and have a maximum size of 51,200 bytes. If an existing account-level resource policy already grants permissions through wildcards, a separate log group level policy would not be created. To check the logGroup-level resource policy for a specific log group, use the `describe-resource-policies` command with the `--resource-arn` parameter set to the log group ARN and the `--policy-scope` parameter set to `RESOURCE`.