AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-06-25 · Documentation low

File: cli/latest/reference/logs/put-account-policy.md

Summary

Added warning section about administrative scope of PutAccountPolicy and conflict resolution between account-level/log-group-level policies

Security assessment

The change adds documentation about security best practices (restricting PutAccountPolicy permissions to administrators) and clarifies policy conflict resolution. While it improves security awareness, there's no evidence of a specific security vulnerability being addressed.

Diff

diff --git a/cli/latest/reference/logs/put-account-policy.md b/cli/latest/reference/logs/put-account-policy.md
index 249a07bd3..5a2b4a554 100644
--- a//cli/latest/reference/logs/put-account-policy.md
+++ b//cli/latest/reference/logs/put-account-policy.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.9 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.11 Command Reference](../../index.html) »
@@ -60,0 +61,16 @@ Creates an account-level data protection policy, subscription filter policy, fie
+### Warning
+
+> `PutAccountPolicy` is an account-wide administrative operation intended for CloudWatch Logs administrators. Because it affects all log groups (or a broad subset) in the account, you should grant `logs:PutAccountPolicy` permissions only to administrators who manage logging configuration across the account, not to application teams or individual log group owners.
+
+**Conflict resolution between account-level and log-group-level policies**
+
+When both an account-level policy and a log-group-level policy of the same type apply to a log group, the resolution depends on the policy type:
+
+  * _Data protection_ — The two policies are cumulative. Any sensitive term specified in either the account-level or the log-group-level policy is masked.
+  * _Subscription filters_ — Account-level and log-group-level subscription filters are additive. A log group can have up to 1 account-level and up to 2 log-group-level subscription filters.
+  * _Transformers_ — A log-group-level transformer overrides the account-level transformer. If a log group has its own transformer, it ignores the account-level transformer policy.
+  * _Field index policies_ — If a log group has its own field index policy (created with `PutIndexPolicy` ), any account-level policy that uses `LogGroupNamePrefix` selection criteria or has no selection criteria is ignored for that log group. However, account-level policies that use `DataSourceName` and `DataSourceType` selection criteria still apply alongside the log-group-level policy.
+  * _Metric extraction policies_ — Metric extraction policies are account-level only and have no log-group-level equivalent, so no conflict resolution applies.
+
+
+
@@ -556 +572 @@ accountPolicy -> (structure)
-  * [AWS CLI 2.35.9 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.11 Command Reference](../../index.html) »