AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-06-10 · Documentation low

File: AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md

Summary

Added bearer token authentication as alternative to SigV4 for logs/metrics endpoints, updated extension requirements, and added timestamp validation limits

Security assessment

Introduces new authentication method (bearer tokens) and security controls (timestamp validation). Documents security features but doesn't indicate any vulnerability being fixed. Adds security documentation without evidence of security incident.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md
index 9d0f548f1..bfaa7fa22 100644
--- a//AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md
+++ b//AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.md
@@ -17 +17,10 @@ The logs endpoint follows the pattern `https://logs.`AWS Region`.amazonaws.com/v
-You must configure `LogGroup` and `LogStream` when you invoke CloudWatch Logs OpenTelemetry endpoint by setting `x-aws-log-group` and `x-aws-log-stream` HTTP headers to `LogGroup` and `LogStream` name respectively. For more information, see [Getting started](./CloudWatch-OTLPGettingStarted.html). The endpoint authenticates callers using Signature 4 authentication. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html).
+You must configure `LogGroup` and `LogStream` when you invoke CloudWatch Logs OpenTelemetry endpoint by setting `x-aws-log-group` and `x-aws-log-stream` HTTP headers to `LogGroup` and `LogStream` name respectively. For more information, see [Getting started](./CloudWatch-OTLPGettingStarted.html).
+
+The endpoint supports the following authentication methods:
+
+  * **AWS Signature Version 4 (SigV4)** – Recommended for workloads running on AWS. Uses short-term credentials via IAM roles. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html).
+
+  * **Bearer token (API key)** – For workloads running outside AWS or environments that do not support the AWS SDK. Requires bearer token authentication to be enabled on the target log group. For more information, see [Setting up bearer token authentication for Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html).
+
+
+
@@ -25 +34,8 @@ The metrics endpoint follows the pattern `https://monitoring.`AWS Region`.amazon
-You need to configure your OpenTelemetry collector to start sending metrics to CloudWatch. The endpoint authenticates callers using Signature 4 authentication. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html).
+You need to configure your OpenTelemetry collector to start sending metrics to CloudWatch. The endpoint supports two authentication methods:
+
+  * **AWS Signature Version 4 (SigV4)** – The recommended authentication method using short-term credentials. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html).
+
+  * **Bearer token (API key)** – For workloads running outside AWS or environments that do not support the AWS SDK. Uses a long-lived API key passed in the `Authorization` header. For more information, see [Setting up bearer token authentication for Metrics](./CloudWatch-OTLP-MetricsBearerTokenAuth.html).
+
+
+
@@ -56 +72 @@ Limit | Endpoint | Additional information
-Required collector extension |  [sigv4authextension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/sigv4authextension) |  To send metrics or traces to OTLP endpoint you must use sigv4authextension  
+Required collector extension |  [sigv4authextension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/sigv4authextension) |  To send metrics, logs, or traces to the OTLP endpoints you must use sigv4authextension. For the metrics and logs endpoints, you can alternatively authenticate with a bearer token using the [bearertokenauth extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/bearertokenauthextension). See [Setting up bearer token authentication for Metrics](./CloudWatch-OTLP-MetricsBearerTokenAuth.html) or [Setting up bearer token authentication for Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html).  
@@ -82,0 +99 @@ Maximum label count | 150 | Maximum number of labels across Resource/Scope/Datap
+Metrics created timestamps | 10 minutes in the future and 14 days in the past | Metrics can be created with a timestamp that is at most 10 minutes in the future and at most 14 days in the past. | 400