AWS AmazonCloudWatch documentation change
Summary
Added documentation for CloudWatch Metrics source type, including required IAM permissions and example policy. Introduced new condition keys for pipeline creation restrictions and reorganized condition key sections.
Security assessment
Added IAM permissions documentation for new CloudWatch Metrics source type (PutPipelineRule/DeletePipelineRule) and introduced new condition keys (observabilityadmin:SourceName/SourceType) for granular access control. These are security features enabling least-privilege policies.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md b/AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md index f5893caab..3423420a7 100644 --- a//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md +++ b//AmazonCloudWatch/latest/monitoring/pipeline-iam-reference.md @@ -7 +7 @@ -API caller permissionsSource role policiesResource policiesManaging resource policiesPipeline condition keysAI-assisted processor configuration permissions +API caller permissionsSource role policiesResource policiesManaging resource policiesPipeline condition keysSource role trust policy conditionsAI-assisted processor configuration permissions @@ -17,5 +17,6 @@ Use case | Integration method | Source type in pipeline configuration | IAM sect -**[Third-party integrations (API Pull)](./data-sources-third-party.html)** | Pipeline pulls from vendor API using stored credentials | `microsoft_office365`, `okta_sso`, `palo_alto_ngfw`, etc. | API caller permissions \+ Third-party sources (API Pull) \+ Resource policies -**[Third-party integrations (S3 delivery)](./data-sources-third-party.html)** | Vendor delivers files to your S3 bucket | `s3` | API caller permissions \+ Third-party sources (S3 delivery) \+ Resource policies -**[Custom data from S3](./data-sources-custom.html)** | Your applications write to S3, pipeline reads from bucket | `s3` | API caller permissions \+ Custom data from S3 \+ Resource policies -**[Custom data from CloudWatch Logs](./data-sources-custom.html)** | Your applications log to a CloudWatch Logs log group | `cloudwatch_logs` | API caller permissions \+ Custom data from CloudWatch Logs -**[Vended AWS service logs](./data-sources-aws-services.html)** | AWS services deliver logs to CloudWatch Logs (VPC Flow Logs, Route 53) | `cloudwatch_logs` | API caller permissions \+ Vended AWS service logs +**[Third-party integrations (API Pull)](./data-sources.html#data-sources-third-party)** | Pipeline pulls from vendor API using stored credentials | `microsoft_office365`, `okta_sso`, `palo_alto_ngfw`, etc. | API caller permissions \+ Third-party sources (API Pull) \+ Resource policies +**[Third-party integrations (S3 delivery)](./data-sources.html#data-sources-third-party)** | Vendor delivers files to your S3 bucket | `s3` | API caller permissions \+ Third-party sources (S3 delivery) \+ Resource policies +**[Custom data from S3](./data-sources.html#data-sources-custom)** | Your applications write to S3, pipeline reads from bucket | `s3` | API caller permissions \+ Custom data from S3 \+ Resource policies +**[Custom data from CloudWatch Logs](./data-sources.html#data-sources-custom)** | Your applications log to a CloudWatch Logs log group | `cloudwatch_logs` | API caller permissions \+ Custom data from CloudWatch Logs +**[Vended AWS service logs](./data-sources.html#data-sources-aws-services)** | AWS services deliver logs to CloudWatch Logs (VPC Flow Logs, Route 53) | `cloudwatch_logs` | API caller permissions \+ Vended AWS service logs +**[CloudWatch Metrics (OTel)](./data-sources.html#data-sources-metrics-otel)** | AWS services emit metrics via OTLP | `cloudwatch_metrics` | Pipeline rule permissions for CloudWatch Metrics sources @@ -91,0 +93,24 @@ When using `cloudwatch_logs` as a source, the API caller also needs permissions +### Pipeline rule permissions for CloudWatch Metrics sources + +When you use `cloudwatch_metrics` as a source, you need permissions for pipeline rule operations. To create or update a pipeline, grant the `cloudwatch:PutPipelineRule` permission. To delete a pipeline, grant the `cloudwatch:DeletePipelineRule` permission. Metrics pipelines do not require `iam:PassRole` or CloudWatch Logs resource policies. You can scope these actions down to the `dataset/default` resource. + +###### Example IAM policy for CloudWatch metrics pipeline rules + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "PipelineRuleForCloudWatchMetrics", + "Effect": "Allow", + "Action": [ + "cloudwatch:PutPipelineRule", + "cloudwatch:DeletePipelineRule" + ], + "Resource": "arn:aws:cloudwatch:your-region:your-account-id:dataset/default" + } + ] + } + +**Reducing scope with condition keys** + @@ -630 +655,11 @@ Replace the following placeholders: -CloudWatch pipelines supports IAM condition keys that let you restrict who can create pipelines and which accounts can assume source roles. Use these condition keys to enforce governance policies across your organization. +CloudWatch pipelines supports IAM condition keys that let you restrict who can create pipelines based on the source name and type. Use these condition keys to enforce governance policies across your organization. + +###### Available condition keys + +`observabilityadmin:SourceName` + + +Restricts pipeline creation to specific source names. Applies to logs pipelines only. + +`observabilityadmin:SourceType` + @@ -632 +667 @@ CloudWatch pipelines supports IAM condition keys that let you restrict who can c -### CreateTelemetryPipeline conditions +Restricts pipeline creation to specific source types. @@ -661 +696 @@ Restricts pipeline creation to specific source types. Supported values include ` -### Source role trust policy conditions +## Source role trust policy conditions