AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-04-25 · Documentation low

File: AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md

Summary

Added IAM permission documentation for the AI-assisted processor configuration feature, including example IAM policy for logs:GeneratePipeline action

Security assessment

This change adds IAM permission documentation specifically for the new AI-assisted processor configuration feature. It provides security documentation about required permissions for using the feature, but there is no evidence of addressing a specific security vulnerability or incident. The change enhances security documentation by specifying the exact IAM policy needed for the new feature.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
index d35a18577..5883c20c0 100644
--- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
+++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md
@@ -7 +7 @@
-API caller permissionsPipeline condition keysSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies
+API caller permissionsPipeline condition keysAI-assisted processor configuration permissionsSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies
@@ -252,0 +253,19 @@ Restricts pipeline creation to specific log source types.
+## AI-assisted processor configuration permissions
+
+To use AI-assisted processor configuration in the CloudWatch pipelines console, the IAM principal must have the `logs:GeneratePipeline` permission. This permission authorizes the generation of processor configurations from natural language descriptions.
+
+###### Example IAM policy for AI-assisted processor configuration
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowGeneratePipeline",
+                "Effect": "Allow",
+                "Action": "logs:GeneratePipeline",
+                "Resource": "*"
+            }
+        ]
+    }
+