AWS AmazonCloudWatch documentation change
Summary
Added IAM permission documentation for the AI-assisted processor configuration feature, including example IAM policy for logs:GeneratePipeline action
Security assessment
This change adds IAM permission documentation specifically for the new AI-assisted processor configuration feature. It provides security documentation about required permissions for using the feature, but there is no evidence of addressing a specific security vulnerability or incident. The change enhances security documentation by specifying the exact IAM policy needed for the new feature.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md index d35a18577..5883c20c0 100644 --- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md +++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md @@ -7 +7 @@ -API caller permissionsPipeline condition keysSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies +API caller permissionsPipeline condition keysAI-assisted processor configuration permissionsSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies @@ -252,0 +253,19 @@ Restricts pipeline creation to specific log source types. +## AI-assisted processor configuration permissions + +To use AI-assisted processor configuration in the CloudWatch pipelines console, the IAM principal must have the `logs:GeneratePipeline` permission. This permission authorizes the generation of processor configurations from natural language descriptions. + +###### Example IAM policy for AI-assisted processor configuration + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowGeneratePipeline", + "Effect": "Allow", + "Action": "logs:GeneratePipeline", + "Resource": "*" + } + ] + } +