AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-03-28 · Documentation medium

File: AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.md

Summary

Updated authentication recommendations for CloudWatch Logs HTTP endpoints, strongly recommending SigV4 over bearer token authentication for production workloads and clarifying appropriate use cases for each.

Security assessment

This change adds security best practice documentation by explicitly recommending the more secure SigV4 authentication (which uses short-term credentials) and deprecating the use of long-term bearer tokens (API keys) for production. It guides users toward stronger security postures by clarifying when each method is appropriate. While this promotes security, there is no concrete evidence it addresses a specific, recently discovered security issue; it appears to be a proactive documentation improvement.

Diff

diff --git a/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.md b/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.md
index c14b6917d..300112975 100644
--- a//AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.md
+++ b//AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.md
@@ -9 +9,5 @@ Common behaviorComparison of HTTP ingestion endpointsChoosing an endpoint
-Amazon CloudWatch Logs provides HTTP endpoints that allow you to send logs directly to CloudWatch Logs using simple HTTP POST requests. These endpoints support both bearer token and SigV4 authentication, making it easy to ingest logs from any application or service without requiring AWS SDK integration.
+Amazon CloudWatch Logs provides HTTP endpoints that allow you to send logs directly to CloudWatch Logs using simple HTTP POST requests. These endpoints support both SigV4 and bearer token authentication.
+
+###### Important
+
+We recommend using SigV4 authentication for all production workloads where AWS SDK integration is possible. SigV4 uses short-term credentials and provides the strongest security posture. Bearer token (API key) authentication is intended for scenarios where SigV4 is not feasible, such as third-party log forwarders that do not support AWS SDK integration. For more information, see [Alternatives to long-term access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles) in the _IAM User Guide_.
@@ -28 +32 @@ All endpoints support both SigV4 and bearer token authentication:
-  * **SigV4** – Standard AWS Signature Version 4 signing.
+  * **SigV4 (recommended)** – Standard AWS Signature Version 4 signing. Use SigV4 whenever your application or infrastructure supports the AWS SDK or can sign requests. SigV4 uses short-term credentials and is the most secure authentication method.