AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-04-04 · Documentation medium

File: AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md

Summary

Added documentation for pipeline condition keys (SourceName, SourceType) and AI-assisted processor configuration permissions (logs:GeneratePipeline)

Security assessment

This change adds documentation for IAM condition keys that enable fine-grained access control for pipeline creation based on source name/type, and documents a new permission for AI-assisted processor configuration. While these are security-related features (access control), there is no evidence they address a specific security vulnerability or incident. They appear to be new security controls for governance and feature access.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
index 8ad207115..1b2660fca 100644
--- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
+++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
@@ -5 +5 @@
-API caller permissionsSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies
+API caller permissionsPipeline condition keysAI-assisted processor configuration permissionsSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies
@@ -194,0 +195,75 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond
+## Pipeline condition keys
+
+CloudWatch pipelines supports IAM condition keys that let you restrict who can create pipelines based on the log source name and type. Use these condition keys to enforce governance policies across your organization.
+
+###### Available condition keys
+
+`observabilityadmin:SourceName`
+    
+
+Restricts pipeline creation to specific log source names.
+
+`observabilityadmin:SourceType`
+    
+
+Restricts pipeline creation to specific log source types.
+
+###### Example IAM policy restricting pipeline creation by source type
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowPipelineCreationForSpecificSourceType",
+                "Effect": "Allow",
+                "Action": "observabilityadmin:CreateTelemetryPipeline",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "observabilityadmin:SourceType": "cloudwatch_logs"
+                    }
+                }
+            }
+        ]
+    }
+
+###### Example IAM policy restricting pipeline creation by source name
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowPipelineCreationForSpecificSource",
+                "Effect": "Allow",
+                "Action": "observabilityadmin:CreateTelemetryPipeline",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "observabilityadmin:SourceName": "your-source-name"
+                    }
+                }
+            }
+        ]
+    }
+
+## AI-assisted processor configuration permissions
+
+To use AI-assisted processor configuration in the CloudWatch pipelines console, the IAM principal must have the `logs:GeneratePipeline` permission. This permission authorizes the generation of processor configurations from natural language descriptions.
+
+###### Example IAM policy for AI-assisted processor configuration
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowGeneratePipeline",
+                "Effect": "Allow",
+                "Action": "logs:GeneratePipeline",
+                "Resource": "*"
+            }
+        ]
+    }
+