AWS AmazonCloudWatch documentation change
Summary
Added bearer token authentication documentation, configuration examples, and security best practices for API key handling
Security assessment
Documents new authentication method with explicit security guidance ('Never hardcode API keys'). Adds security feature documentation but no evidence of addressing existing vulnerability. Warning about hardcoded keys improves security posture proactively.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPSimplesetup.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPSimplesetup.md index bd1eaed00..e8fb6a4c3 100644 --- a//AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPSimplesetup.md +++ b//AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPSimplesetup.md @@ -7 +7 @@ -Supported receiversGetting startedCollector configuration examples +Supported receiversGetting startedAuthenticate with a bearer token (API key)Collector configuration examples @@ -113,0 +114,4 @@ Setup IAM permissions for on-premise hosts +###### Tip + +For on-premises hosts that only need to send metrics or logs, you can use bearer token authentication as a simpler alternative to configuring AWS access keys. Bearer tokens don't require the `aws configure` step or credential files on the host. For more information, see [Setting up bearer token authentication for Metrics](./CloudWatch-OTLP-MetricsBearerTokenAuth.html). + @@ -168,0 +173,8 @@ Setup IAM permissions for Kubernetes +## Authenticate with a bearer token (API key) + +If you don't need to configure AWS credentials on the host – for example, when running on non-AWS infrastructure, other cloud providers, or CI/CD pipelines – you can use bearer token authentication instead of SigV4. Bearer tokens are supported for the metrics and logs endpoints (separate API keys are required for each service). Bearer token authentication is not supported for traces. + +For setup instructions, see [Setting up bearer token authentication for Metrics](./CloudWatch-OTLP-MetricsBearerTokenAuth.html). For logs, see [Setting up bearer token authentication for Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html). + +For a collector configuration example using bearer tokens, see the bearer token metrics example in the collector configuration examples below. + @@ -343,0 +356,45 @@ The following is an example to send metrics using sigv4 to us-east-1. +**Metrics with bearer token authentication** + +The following is an example to send metrics using a bearer token to us-east-1. For setup instructions and security best practices, see [Setting up bearer token authentication for Metrics](./CloudWatch-OTLP-MetricsBearerTokenAuth.html). + + + extensions: + bearertokenauth: + filename: "/etc/otel/cw-api-key" + + receivers: + otlp: + protocols: + http: + endpoint: "0.0.0.0:4318" + + processors: + batch: + send_batch_size: 200 + timeout: 10s + + exporters: + otlphttp: + tls: + insecure: false + endpoint: "https://monitoring.us-east-1.amazonaws.com/v1/metrics" + auth: + authenticator: bearertokenauth + + service: + extensions: [bearertokenauth] + pipelines: + metrics: + receivers: [**otlp**] + processors: [**batch**] + exporters: [**otlphttp**] + + +###### Important + +Never hardcode API keys directly in collector configuration files. Use `filename` to read from a mounted secret, or `${env:VAR}` to read from an environment variable injected by your secrets manager. + +###### Note + +Unlike SigV4, bearer tokens don't require AWS credentials files, IAM roles, or IRSA configuration. The collector can run on any platform without AWS SDK dependencies. +