AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2026-07-07 · Documentation low

File: opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md

Summary

Added cross-account policy note for CloudWatch Logs monitoring accounts

Security assessment

Documents secure cross-account IAM policy configuration. Prevents misconfiguration but doesn't address specific vulnerability.

Diff

diff --git a/opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md b/opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md
index e6db0b61a..6b0d102a4 100644
--- a//opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md
+++ b//opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md
@@ -185,0 +186,10 @@ JSON
+###### Note
+
+If you use a Amazon CloudWatch Logs monitoring account to aggregate logs from multiple source accounts, you must update the `Resource` element in the IAM policy to include the log groups from each source account. For example:
+    
+    
+    "Resource": [
+        "arn:aws:logs:us-east-1:111122223333:log-group:*",
+        "arn:aws:logs:us-east-1:444455556666:log-group:*"
+    ]
+