AWS AmazonCloudWatch documentation change
Summary
Added the same detailed clarification about CloudWatch Logs resource policy creation, size limits, and inspection as in the related CWL document.
Security assessment
This is a parallel update to another documentation file, adding the same security feature documentation about resource policies, their size limits, and policy precedence. Like the previous change, it improves clarity on security controls but does not indicate a response to a specific security vulnerability.
Diff
diff --git a/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md b/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md index ee4a99f60..ce055b3a8 100644 --- a//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md +++ b//AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-CloudWatchLogs.md @@ -74 +74 @@ JSON -The log group where the logs are being sent must have a resource policy that includes certain permissions. If the log group currently does not have a resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy for it when you begin sending the logs to CloudWatch Logs. +The log group where the logs are being sent must have a resource policy that includes certain permissions. If the log group currently does not have a resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy for it when you begin sending the logs to CloudWatch Logs. For newly created subscriptions, resource policies are configured at the log group level and have a maximum size of 51,200 bytes. If an existing account-level resource policy already grants permissions through wildcards, a separate log group level policy would not be created. To check the logGroup-level resource policy for a specific log group, use the `describe-resource-policies` command with the `--resource-arn` parameter set to the log group ARN and the `--policy-scope` parameter set to `RESOURCE`.