AWS AmazonCloudWatch documentation change
Summary
Expanded CloudWatch pipelines to support metrics ingestion and processing (OpenTelemetry), added metrics-specific use cases, limits, processors, and pricing details. Enhanced security documentation regarding sensitive data in pipeline definitions.
Security assessment
The change strengthens security documentation by explicitly warning against including passwords/API keys in pipeline definitions and clarifying encryption limitations. However, there's no evidence of a specific security vulnerability being addressed - this is preventive guidance. The security impact is low as it clarifies existing risks rather than fixing vulnerabilities.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/cloudwatch-pipelines.md b/AmazonCloudWatch/latest/monitoring/cloudwatch-pipelines.md index 534ea5f49..4b15ba1e3 100644 --- a//AmazonCloudWatch/latest/monitoring/cloudwatch-pipelines.md +++ b//AmazonCloudWatch/latest/monitoring/cloudwatch-pipelines.md @@ -11 +11 @@ Pipeline componentsPricingRegion availability -CloudWatch pipelines is a fully managed data collector that ingests, transforms, and routes log data from AWS services, third-party applications, and custom sources to CloudWatch. Built-in processors let you enrich, filter, and standardize logs into formats like OCSF—without managing infrastructure or third-party tools. +CloudWatch pipelines is a fully managed data collector that ingests, transforms, and routes telemetry data—including logs and metrics—from AWS services, third-party applications, and custom sources to CloudWatch. Built-in processors let you enrich, filter, and standardize logs into formats like OCSF—without managing infrastructure or third-party tools. For metrics, CloudWatch pipelines processes and enriches OpenTelemetry (OTel) metrics inline during ingestion into CloudWatch. @@ -21,0 +22,11 @@ CloudWatch pipelines is fully integrated with the [logs management experience](h +For metrics, CloudWatch pipelines enables the following use cases: + + * **Enrichment** – Add business context such as team, cost center, or environment to metrics from sources you cannot modify + + * **Cost optimization** – Strip high-cardinality attributes to reduce storage costs + + * **Standardization** – Rename metrics and attributes to enforce naming conventions + + + + @@ -23,0 +35,2 @@ Output from pipelines is fully compatible with CloudWatch Logs features includin +For metrics pipelines, processed metrics are fully queryable via PromQL in Query Studio and compatible with CloudWatch Alarms and Anomaly Detection. + @@ -30 +43 @@ Be aware of the following limits that apply to CloudWatch pipelines - * Maximum number of pipelines per account: 330 + * Logs pipelines per account: 330 @@ -35,0 +49,6 @@ Be aware of the following limits that apply to CloudWatch pipelines + * Metrics pipelines per account: up to 300 + + * Up to 20 processors per pipeline (logs and metrics) + + * Metrics pipelines supported ingestion path: OTLP only + @@ -43 +62 @@ Each pipeline consists of the following components: - * **Source** – Defines where data originates from (Amazon S3 buckets, CloudWatch Logs, third-party integration). Each pipeline must have exactly one source. + * **Source** – Defines where data originates from (Amazon S3 buckets, CloudWatch Logs, CloudWatch Metrics (OTel), third-party integration). Each pipeline must have exactly one source. Metrics pipelines process OTel metrics on the OTLP ingestion path. @@ -45 +64 @@ Each pipeline consists of the following components: - * **Processors** (optional) – Transform, parse, and enrich log data as it flows through the pipeline. Processors are applied sequentially in the order they are defined. + * **Processors** (optional) – Transform, parse, and enrich telemetry data as it flows through the pipeline. Processors are applied sequentially in the order they are defined. Metrics pipelines support a distinct set of processors optimized for OTel metric attributes. @@ -47 +66 @@ Each pipeline consists of the following components: - * **Sink** – Defines the destination where processed log data is sent. Each pipeline must have exactly one sink. + * **Sink** – Defines the destination where processed data is sent. Supported sink types include `cloudwatch_logs` and `cloudwatch_metrics`. Each pipeline must have exactly one sink. @@ -54 +73 @@ Each pipeline consists of the following components: -Throughout the entire pipeline, your data remains protected with transport layer encryption, ensuring security and compliance requirements are met. +Throughout the entire pipeline, your data remains protected with transport layer encryption so that your data meets security and compliance requirements. @@ -58 +77 @@ Throughout the entire pipeline, your data remains protected with transport layer -Pipeline definitions are not encrypted and should never include sensitive data, such as personally identifiable information (PII). +Pipeline definitions are not encrypted with customer-provided keys and must never include sensitive data, such as passwords, API keys, or personally identifiable information (PII). @@ -67,0 +87,2 @@ CloudWatch pipelines is included with CloudWatch Logs at no additional cost. Sta +For metrics pipelines, standard CloudWatch OTel metrics ingestion and storage charges apply. There is no additional charge for pipeline processing. +