AWS opensearch-service documentation change
Summary
Added cross-account policy note for CloudWatch Logs monitoring accounts
Security assessment
Documents secure cross-account IAM policy configuration. Prevents misconfiguration but doesn't address specific vulnerability.
Diff
diff --git a/opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md b/opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md index e6db0b61a..6b0d102a4 100644 --- a//opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md +++ b//opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md @@ -185,0 +186,10 @@ JSON +###### Note + +If you use a Amazon CloudWatch Logs monitoring account to aggregate logs from multiple source accounts, you must update the `Resource` element in the IAM policy to include the log groups from each source account. For example: + + + "Resource": [ + "arn:aws:logs:us-east-1:111122223333:log-group:*", + "arn:aws:logs:us-east-1:444455556666:log-group:*" + ] +