AWS AmazonCloudWatch documentation change
Summary
Added documentation for AI-assisted processor configuration feature, including IAM permission requirement (logs:GeneratePipeline), conditional processing rules, and 'Keep original log' toggle for audit/compliance purposes
Security assessment
This change documents new features rather than addressing a security vulnerability. It adds security documentation about IAM permissions required for AI-assisted configuration and introduces a compliance feature ('Keep original log' toggle) that preserves raw log data for audit trails, which enhances security posture but isn't fixing an existing issue.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/Creating-pipelines.md b/AmazonCloudWatch/latest/monitoring/Creating-pipelines.md index e22de9805..0f270c366 100644 --- a//AmazonCloudWatch/latest/monitoring/Creating-pipelines.md +++ b//AmazonCloudWatch/latest/monitoring/Creating-pipelines.md @@ -14,0 +15,10 @@ The pipeline configuration wizard guides you through creating your data pipeline +To configure processors using natural language, enable the **AI-assisted** toggle. Enter a description of the log transformations you need, and CloudWatch pipelines generates the processor configuration automatically. For AWS vended logs, a sample log event is also generated so you can verify the output before deploying. You can review and edit the generated configuration before creating the pipeline. + +###### Important + +To use AI-assisted processor configuration, you must have the `logs:GeneratePipeline` IAM permission. For more information, see [AI-assisted processor configuration permissions](./pipeline-iam-reference.html#ai-assisted-permissions). + +You can also add conditional processing rules to supported processors using the `when` parameter. Conditional processing lets you control which log entries a processor acts on. For the expression syntax and supported processors, see [Expression syntax for conditional processing](./conditional-processing.html). + +To preserve unmodified copies of your log data for audit or compliance purposes, enable the **Keep original log** toggle. When enabled, CloudWatch pipelines automatically stores a copy of each raw log event before any transformation takes place. This ensures that original data is always available for audits or investigations, even after processors modify the log events. The **Keep original log** toggle is only available for pipelines with a CloudWatch vended log source. +