AWS AmazonCloudWatch high security documentation change
Summary
Comprehensive restructuring of IAM documentation for CloudWatch pipelines. Added use-case specific guidance with detailed policy examples, emphasized scoping permissions using condition keys, clarified timing requirements for resource policies, and improved documentation for preventing confused deputy attacks.
Security assessment
The changes add significant security documentation including: 1) Implementation of IAM condition keys (iam:PassedToService, iam:AssociatedResourceARN) to prevent privilege escalation, 2) Guidance for aws:SourceAccount/aws:SourceArn in trust policies to mitigate confused deputy risks, 3) Explicit instructions for KMS decryption permissions, 4) Time-bound requirements for resource policy creation to prevent data loss, 5) Scoped logging permissions using logs:data_source_name condition keys.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md index 5883c20c0..f5893caab 100644 --- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md +++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md @@ -7 +7 @@ -API caller permissionsPipeline condition keysAI-assisted processor configuration permissionsSource-specific IAM policiesTrust relationshipsResource policiesManaging resource policies +API caller permissionsSource role policiesResource policiesManaging resource policiesPipeline condition keysAI-assisted processor configuration permissions @@ -11 +11 @@ API caller permissionsPipeline condition keysAI-assisted processor configuration -This section provides detailed IAM requirements for CloudWatch pipelines, including permissions for API callers, source-specific policies, trust relationships, and resource policies. +This section provides IAM requirements for CloudWatch pipelines. Permissions vary based on your data source and integration method. @@ -13 +13 @@ This section provides detailed IAM requirements for CloudWatch pipelines, includ -## API caller permissions +The following table helps you identify which IAM sections apply to your use case. @@ -15 +15,7 @@ This section provides detailed IAM requirements for CloudWatch pipelines, includ -Any role specified in the pipeline configuration that calls the `CreateTelemetryPipeline` API (such as S3 source roles, Secrets Manager access roles, or CloudWatch Logs source roles) must have specific permissions to pass roles. +Use case | Integration method | Source type in pipeline configuration | IAM sections you need +---|---|---|--- +**[Third-party integrations (API Pull)](./data-sources-third-party.html)** | Pipeline pulls from vendor API using stored credentials | `microsoft_office365`, `okta_sso`, `palo_alto_ngfw`, etc. | API caller permissions \+ Third-party sources (API Pull) \+ Resource policies +**[Third-party integrations (S3 delivery)](./data-sources-third-party.html)** | Vendor delivers files to your S3 bucket | `s3` | API caller permissions \+ Third-party sources (S3 delivery) \+ Resource policies +**[Custom data from S3](./data-sources-custom.html)** | Your applications write to S3, pipeline reads from bucket | `s3` | API caller permissions \+ Custom data from S3 \+ Resource policies +**[Custom data from CloudWatch Logs](./data-sources-custom.html)** | Your applications log to a CloudWatch Logs log group | `cloudwatch_logs` | API caller permissions \+ Custom data from CloudWatch Logs +**[Vended AWS service logs](./data-sources-aws-services.html)** | AWS services deliver logs to CloudWatch Logs (VPC Flow Logs, Route 53) | `cloudwatch_logs` | API caller permissions \+ Vended AWS service logs @@ -17 +23 @@ Any role specified in the pipeline configuration that calls the `CreateTelemetry -**PassRole permissions** +###### Note @@ -19 +25 @@ Any role specified in the pipeline configuration that calls the `CreateTelemetry -Required for any roles specified in the pipeline configuration (S3 source roles, Secrets Manager access roles, or CloudWatch Logs source roles). +S3-based sources (`s3`) require a resource policy after pipeline creation. CloudWatch Logs sources (`cloudwatch_logs`) do not. @@ -21 +27 @@ Required for any roles specified in the pipeline configuration (S3 source roles, -###### Example IAM policy for S3 sources +## API caller permissions @@ -22,0 +29 @@ Required for any roles specified in the pipeline configuration (S3 source roles, +The IAM principal that calls `CreateTelemetryPipeline` needs `iam:PassRole` permission for any roles referenced in the pipeline configuration. @@ -24,13 +31 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "PassRoleForS3Source", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role" - } - ] - } - -###### Example IAM policy for Secrets Manager sources +###### Example PassRole policy template @@ -43 +38 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - "Sid": "PassRoleForSecretsManagerSource", + "Sid": "PassRoleForPipelineSource", @@ -46 +41,11 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role" + "Resource": "arn:aws:iam::your-account-id:role/your-source-role", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "service-principal" + ], + "iam:AssociatedResourceARN": [ + "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*" + ] + } + } @@ -51 +56 @@ Required for any roles specified in the pipeline configuration (S3 source roles, -###### Example IAM Policy for CloudWatch Logs Sources +Replace `service-principal` with the value from the following table based on your use case. @@ -52,0 +58,7 @@ Required for any roles specified in the pipeline configuration (S3 source roles, +Use case | Service principal value +---|--- +Third-party (API Pull) | `telemetry-pipelines.observabilityadmin.amazonaws.com` +Third-party (S3 delivery) | `telemetry-pipelines.observabilityadmin.amazonaws.com` +Custom data from S3 | `telemetry-pipelines.observabilityadmin.amazonaws.com` +Custom data from CloudWatch Logs | `logs.amazonaws.com` +Vended AWS service logs | `logs.amazonaws.com` @@ -54,11 +66 @@ Required for any roles specified in the pipeline configuration (S3 source roles, - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "PassRoleForCloudWatchLogsSource", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role"" - } - ] - } +###### Note @@ -66 +68 @@ Required for any roles specified in the pipeline configuration (S3 source roles, -**Pipeline rule permissions** +The `Condition` block is recommended but optional. Without it, the role can be passed to any service. @@ -68 +70,3 @@ Required for any roles specified in the pipeline configuration (S3 source roles, -When using `cloudwatch_logs` source for Create/Update operations (`logs:PutPipelineRule`) and Delete operations (`logs:DeletePipelineRule`) the role must also have permissions to perform those operations. +### Pipeline rule permissions (CloudWatch Logs sources only) + +When using `cloudwatch_logs` as a source, the API caller also needs permissions for pipeline rule operations. The `logs:PutPipelineRule` permission is required for `CreateTelemetryPipeline` and `UpdateTelemetryPipeline` operations. The `logs:DeletePipelineRule` permission is required for `DeleteTelemetryPipeline` operations. @@ -88 +92,5 @@ When using `cloudwatch_logs` source for Create/Update operations (`logs:PutPipel -**Reducing scope with condition keys** +## Source role policies + +Each pipeline requires a dedicated IAM role that the service assumes to read your data. The following subsections provide the complete policies (permission and trust) for each use case. + +### Third-party sources (API Pull) @@ -90 +98 @@ When using `cloudwatch_logs` source for Create/Update operations (`logs:PutPipel -To scope down the permission policy to telemetry pipelines, you can specify Condition Keys as shown in the following examples: +This section applies to Microsoft Office 365, Microsoft Entra ID, Okta SSO, Palo Alto NGFW, and other vendor API integrations that store credentials in AWS Secrets Manager. @@ -92 +100,5 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond -###### Example IAM policy for S3 sources (basic) +**Permission policy** + +The following policy allows the role to retrieve your stored API credentials. + +###### Example IAM policy for Secrets Manager sources @@ -99 +111 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Sid": "PassRoleForS3Source", + "Sid": "secrets-manager-access", @@ -101,2 +113,10 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role" + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:your-secret-name*" + }, + { + "Sid": "kms-access", + "Effect": "Allow", + "Action": "kms:Decrypt", + "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id" @@ -107 +127,7 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond -###### Example IAM policy for S3 sources (scoped down with condition keys) +###### Note + +The `kms:Decrypt` statement is only required if your secret in Secrets Manager is encrypted with a customer-managed KMS key. + +**Trust policy** + +###### Example Trust policy for API Pull sources @@ -114 +139,0 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Sid": "PassRoleForS3Source", @@ -116,12 +141,4 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role", - "Condition": { - "StringEquals": { - "iam:PassedToService": [ - "telemetry-pipelines.observabilityadmin.amazonaws.com" - ], - "iam:AssociatedResourceARN": [ - "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*" - ] - } - } + "Principal": { + "Service": "telemetry-pipelines.observabilityadmin.amazonaws.com" + }, + "Action": "sts:AssumeRole" @@ -132 +149,5 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond -###### Example IAM policy for Secrets Manager sources (basic) +#### Complete IAM setup for API Pull pipelines + +The following example shows all the IAM policies needed to create a third-party API Pull pipeline end to end. + +**Caller identity policy** — attach to the principal calling `CreateTelemetryPipeline`: @@ -139 +160 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Sid": "PassRoleForSecretsManagerSource", + "Sid": "CreateApiPullPipeline", @@ -141,2 +162,5 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role" + "Action": [ + "observabilityadmin:CreateTelemetryPipeline", + "iam:PassRole" + ], + "Resource": "*" @@ -147 +171 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond -###### Example IAM policy for Secrets Manager sources (scoped down with condition keys) +**Source role permission policy** — attach to the role the pipeline assumes: @@ -154 +178 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Sid": "PassRoleForSecretsManagerSource", + "Sid": "SecretsManagerAccess", @@ -156,6 +180,2 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role", - "Condition": { - "StringEquals": { - "iam:PassedToService": [ - "telemetry-pipelines.observabilityadmin.amazonaws.com" + "Action": [ + "secretsmanager:GetSecretValue" @@ -163,5 +183 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond - "iam:AssociatedResourceARN": [ - "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*" - ] - } - } + "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:your-secret-name*" @@ -172 +188 @@ To scope down the permission policy to telemetry pipelines, you can specify Cond -###### Example IAM policy for CloudWatch Logs sources (scoped down with condition keys) +**Source role trust policy** :