AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-04-10 · Documentation low

File: AmazonCloudWatch/latest/logs/create-scheduled-query.md

Summary

Updated CloudWatch Logs scheduled query creation documentation to add cross-account S3 bucket selection, optional KMS encryption for results, and clarified IAM role creation options with auto-create and existing role choices.

Security assessment

The changes add documentation for security features including cross-account S3 bucket configuration (requiring account ID for external buckets) and optional KMS key ARN specification for SSE-KMS encryption of query results. The IAM role section updates clarify permission requirements but don't indicate a security vulnerability fix.

Diff

diff --git a/AmazonCloudWatch/latest/logs/create-scheduled-query.md b/AmazonCloudWatch/latest/logs/create-scheduled-query.md
index 5d521f20a..9915ca976 100644
--- a//AmazonCloudWatch/latest/logs/create-scheduled-query.md
+++ b//AmazonCloudWatch/latest/logs/create-scheduled-query.md
@@ -69 +69 @@ Console
-    1. For **Amazon S3 URI** , enter the Amazon S3 bucket and prefix where results will be stored (for example, `s3://my-bucket/query-results/`).
+    1. For **S3 bucket** , select **This account** if the destination bucket is in the same AWS account, or select **Another account** if the bucket is in a different AWS account and provide the account ID of the bucket-owning account as input.
@@ -71 +71 @@ Console
-    2. Choose **View Amazon S3** to open the Amazon S3 console in a new tab and verify the bucket configuration.
+    2. For **Amazon S3 URI** , enter the Amazon S3 bucket and prefix where results will be stored (for example, `s3://my-bucket/query-results/`). If you selected **This account** , you can choose **Browse Amazon S3** to navigate and select an existing Amazon S3 location.
@@ -73 +73 @@ Console
-    3. Choose **Browse Amazon S3** to select an existing Amazon S3 location using the Amazon S3 browser.
+    3. (Optional) For **KMS key ARN** , enter the ARN of a customer managed AWS KMS key to encrypt the query results using SSE-KMS. The key must be in the same AWS Region as the destination Amazon S3 bucket.
@@ -75 +75 @@ Console
-  8. In the **IAM role for posting query results to Amazon S3** section:
+  8. In the **IAM role for posting query results to Amazon S3** section, choose one of the following options:
@@ -77 +77 @@ Console
-    1. For **Select an IAM role** , choose an existing IAM role with the required policies, or choose **create a new role in IAM console** to create a new role.
+    1. Choose **Auto-create a new role with default permissions** to automatically set up an IAM role with the permissions required for CloudWatch Logs to deliver query results to Amazon S3.
@@ -79 +79 @@ Console
-    2. Use the search field to find and select the appropriate IAM role from the list.
+    2. Choose **Use an existing role** to select an existing IAM role with the required policies for CloudWatch Logs to deliver query results to Amazon S3. Use the search field to find and select the appropriate IAM role from the list.
@@ -81 +81 @@ Console
-  9. In the **IAM role for scheduled query execution** section:
+  9. In the **IAM role for scheduled query execution** section, choose one of the following options:
@@ -83 +83 @@ Console
-    1. For **Select an IAM role** , choose an existing IAM role with the required policies, or choose **create a new role in IAM console** to create a new role.
+    1. Choose **Auto-create a new role with default permissions** to automatically set up an IAM role with the permissions required for CloudWatch Logs to execute scheduled queries.
@@ -85 +85 @@ Console
-    2. Use the search field to find and select the appropriate IAM role from the list.
+    2. Choose **Use an existing role** to select an existing IAM role with the required policies for CloudWatch Logs to execute scheduled queries. Use the search field to find and select the appropriate IAM role from the list.