AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-25 · Documentation medium

File: AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md

Summary

Expanded IAM policy examples to clarify log-group vs log-stream ARN formats, added resource type explanations, and restructured examples with granular permissions

Security assessment

The change significantly improves security documentation by providing precise examples for least-privilege policies, distinguishing between log-group and log-stream level permissions. This helps prevent overly permissive policies but doesn't address any specific security vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md b/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md
index a894e4190..691f68d63 100644
--- a//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md
+++ b//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md
@@ -58 +58,10 @@ This policy has one statement that grants permissions to create log groups and l
-The wildcard character (*) at the end of the `Resource` value means that the statement allows permission for the `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, and `logs:DescribeLogStreams` actions on any log group. To limit this permission to a specific log group, replace the wildcard character (*) in the resource ARN with the specific log group ARN. For more information about the sections within an IAM policy statement, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html) in _IAM User Guide_. For a list showing all of the CloudWatch Logs actions, see [CloudWatch Logs permissions reference](./permissions-reference-cwl.html).
+The wildcard character (*) in the `Resource` value grants permission for the listed actions on any CloudWatch Logs resource.
+
+  * **To limit permissions to specific log group actions** (e.g., `CreateLogGroup`, `DescribeLogStreams`), replace the wildcard with the log group ARN—`arn:aws:logs:`us-west-2`:`123456789012`:log-group:`MyLogGroup``
+
+  * **To limit permissions to specific log stream actions** (e.g., `CreateLogStream`, `PutLogEvents`), replace the wildcard with the log stream ARN—`arn:aws:logs:`us-west-2`:`123456789012`:log-group:`MyLogGroup`:*` (matches all streams) or `arn:aws:logs:`us-west-2`:`123456789012`:log-group:`MyLogGroup`:log-stream:`MyStream`` (specific stream)
+
+
+
+
+See the [service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) for which resource type each API requires.
@@ -285 +294 @@ In this section, you can find example user policies that grant permissions for v
-  * Example 3: Allow access to one log group
+  * Example 3: Allow access to one log group / log stream
@@ -349 +358 @@ JSON
-#### Example 3: Allow access to one log group
+#### Example 3: Allow access to one log group / log stream
@@ -351 +360 @@ JSON
-The following policy allows a user to read and write log events in one specified log group.
+CloudWatch Logs has two resource types with different ARN formats:
@@ -353 +362 @@ The following policy allows a user to read and write log events in one specified
-###### Important
+  * **Log group** : `arn:aws:logs:`region`:`account`:log-group:`LogGroupName``
@@ -355 +364 @@ The following policy allows a user to read and write log events in one specified
-The `:*` at the end of the log group name in the `Resource` line is required to indicate that the policy applies to all log streams in this log group. If you omit `:*`, the policy will not be enforced.
+  * **Log stream** : `arn:aws:logs:`region`:`account`:log-group:`LogGroupName`:log-stream:`StreamName``
@@ -357 +365,0 @@ The `:*` at the end of the log group name in the `Resource` line is required to
-JSON
@@ -360 +367,0 @@ JSON
-****
@@ -361,0 +369,24 @@ JSON
+When writing IAM policies, the ARN format you use must match the resource type the API authorizes on. See the [service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) for which resource type each API requires.
+
+##### Example 3a: Allow access to log-group-level actions on a specific log group
+    
+    
+    {
+       "Version":"2012-10-17", 
+       "Statement":[
+          {
+          "Action": [
+            "logs:DeleteLogGroup",
+            "logs:PutRetentionPolicy",
+            "logs:PutSubscriptionFilter",
+            "logs:DescribeLogStreams"
+          ],
+          "Effect": "Allow",
+          "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName"
+          }
+       ]
+    }
+
+These actions authorize on the `log-group` resource type. The standard ARN format (without `:*`) is supported.
+
+##### Example 3b: Allow access to log-stream-level actions on a specific log group
@@ -370 +400,0 @@ JSON
-            "logs:DescribeLogStreams",
@@ -379,0 +410,29 @@ JSON
+These actions authorize on the `log-stream` resource type. The `:*` suffix is required to match all log streams within the log group, or specify a specific stream with `:log-stream:`StreamName``.
+
+##### Example 3c: Combined policy for both log-group and log-stream actions
+    
+    
+    {
+       "Version":"2012-10-17", 
+       "Statement":[
+          {
+            "Action": [
+              "logs:DeleteLogGroup",
+              "logs:PutRetentionPolicy",
+              "logs:DescribeLogStreams",
+              "logs:FilterLogEvents"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName"
+          },
+          {
+            "Action": [
+              "logs:CreateLogStream",
+              "logs:PutLogEvents",
+              "logs:GetLogEvents"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
+          }
+       ]
+    }