feat(client-cloudwatch-logs): CloudWatchLogs launches GetLogObject API with streaming support for efficient log data retrieval. Logs added support for new AccountPolicy type METRIC_EXTRACTION_POLICY. For more information, see CloudWatch Logs API documentation

Author: awstools

clients/client-cloudwatch-logs/README.md

@@ -652,6 +652,14 @@ GetLogGroupFields
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cloudwatch-logs/command/GetLogGroupFieldsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudwatch-logs/Interface/GetLogGroupFieldsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudwatch-logs/Interface/GetLogGroupFieldsCommandOutput/)
 
+</details>
+<details>
+<summary>
+GetLogObject
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cloudwatch-logs/command/GetLogObjectCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudwatch-logs/Interface/GetLogObjectCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudwatch-logs/Interface/GetLogObjectCommandOutput/)
+
 </details>
 <details>
 <summary>

clients/client-cloudwatch-logs/src/CloudWatchLogs.ts

@@ -259,6 +259,11 @@ import {
   GetLogGroupFieldsCommandInput,
   GetLogGroupFieldsCommandOutput,
 } from "./commands/GetLogGroupFieldsCommand";
+import {
+  GetLogObjectCommand,
+  GetLogObjectCommandInput,
+  GetLogObjectCommandOutput,
+} from "./commands/GetLogObjectCommand";
 import {
   GetLogRecordCommand,
   GetLogRecordCommandInput,
@@ -487,6 +492,7 @@ const commands = {
   GetLogAnomalyDetectorCommand,
   GetLogEventsCommand,
   GetLogGroupFieldsCommand,
+  GetLogObjectCommand,
   GetLogRecordCommand,
   GetQueryResultsCommand,
   GetTransformerCommand,
@@ -1386,6 +1392,17 @@ export interface CloudWatchLogs {
     cb: (err: any, data?: GetLogGroupFieldsCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link GetLogObjectCommand}
+   */
+  getLogObject(args: GetLogObjectCommandInput, options?: __HttpHandlerOptions): Promise<GetLogObjectCommandOutput>;
+  getLogObject(args: GetLogObjectCommandInput, cb: (err: any, data?: GetLogObjectCommandOutput) => void): void;
+  getLogObject(
+    args: GetLogObjectCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GetLogObjectCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link GetLogRecordCommand}
    */

clients/client-cloudwatch-logs/src/CloudWatchLogsClient.ts

@@ -192,6 +192,7 @@ import {
 } from "./commands/GetLogAnomalyDetectorCommand";
 import { GetLogEventsCommandInput, GetLogEventsCommandOutput } from "./commands/GetLogEventsCommand";
 import { GetLogGroupFieldsCommandInput, GetLogGroupFieldsCommandOutput } from "./commands/GetLogGroupFieldsCommand";
+import { GetLogObjectCommandInput, GetLogObjectCommandOutput } from "./commands/GetLogObjectCommand";
 import { GetLogRecordCommandInput, GetLogRecordCommandOutput } from "./commands/GetLogRecordCommand";
 import { GetQueryResultsCommandInput, GetQueryResultsCommandOutput } from "./commands/GetQueryResultsCommand";
 import { GetTransformerCommandInput, GetTransformerCommandOutput } from "./commands/GetTransformerCommand";
@@ -327,6 +328,7 @@ export type ServiceInputTypes =
   | GetLogAnomalyDetectorCommandInput
   | GetLogEventsCommandInput
   | GetLogGroupFieldsCommandInput
+  | GetLogObjectCommandInput
   | GetLogRecordCommandInput
   | GetQueryResultsCommandInput
   | GetTransformerCommandInput
@@ -422,6 +424,7 @@ export type ServiceOutputTypes =
   | GetLogAnomalyDetectorCommandOutput
   | GetLogEventsCommandOutput
   | GetLogGroupFieldsCommandOutput
+  | GetLogObjectCommandOutput
   | GetLogRecordCommandOutput
   | GetQueryResultsCommandOutput
   | GetTransformerCommandOutput

clients/client-cloudwatch-logs/src/commands/DeleteAccountPolicyCommand.ts

@@ -64,7 +64,7 @@ export interface DeleteAccountPolicyCommandOutput extends __MetadataBearer {}
  * const client = new CloudWatchLogsClient(config);
  * const input = { // DeleteAccountPolicyRequest
  *   policyName: "STRING_VALUE", // required
- *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY", // required
+ *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY" || "METRIC_EXTRACTION_POLICY", // required
  * };
  * const command = new DeleteAccountPolicyCommand(input);
  * const response = await client.send(command);

clients/client-cloudwatch-logs/src/commands/DescribeAccountPoliciesCommand.ts

@@ -58,7 +58,7 @@ export interface DescribeAccountPoliciesCommandOutput extends DescribeAccountPol
  * // const { CloudWatchLogsClient, DescribeAccountPoliciesCommand } = require("@aws-sdk/client-cloudwatch-logs"); // CommonJS import
  * const client = new CloudWatchLogsClient(config);
  * const input = { // DescribeAccountPoliciesRequest
- *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY", // required
+ *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY" || "METRIC_EXTRACTION_POLICY", // required
  *   policyName: "STRING_VALUE",
  *   accountIdentifiers: [ // AccountIds
  *     "STRING_VALUE",
@@ -73,7 +73,7 @@ export interface DescribeAccountPoliciesCommandOutput extends DescribeAccountPol
  * //       policyName: "STRING_VALUE",
  * //       policyDocument: "STRING_VALUE",
  * //       lastUpdatedTime: Number("long"),
- * //       policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY",
+ * //       policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY" || "METRIC_EXTRACTION_POLICY",
  * //       scope: "ALL",
  * //       selectionCriteria: "STRING_VALUE",
  * //       accountId: "STRING_VALUE",

clients/client-cloudwatch-logs/src/commands/GetLogObjectCommand.ts

@@ -0,0 +1,126 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import { CloudWatchLogsClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../CloudWatchLogsClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import { GetLogObjectRequest, GetLogObjectResponse, GetLogObjectResponseFilterSensitiveLog } from "../models/models_0";
+import { de_GetLogObjectCommand, se_GetLogObjectCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link GetLogObjectCommand}.
+ */
+export interface GetLogObjectCommandInput extends GetLogObjectRequest {}
+/**
+ * @public
+ *
+ * The output of {@link GetLogObjectCommand}.
+ */
+export interface GetLogObjectCommandOutput extends GetLogObjectResponse, __MetadataBearer {}
+
+/**
+ * <p>Retrieves a large logging object (LLO) and streams it back. This API is used to fetch the content of large portions of log events that have been ingested through the PutOpenTelemetryLogs API.
+ *       When log events contain fields that would cause the total event size to exceed 1MB, CloudWatch Logs automatically processes up to 10 fields, starting with the largest fields. Each field is truncated as needed to keep
+ *       the total event size as close to 1MB as possible. The excess portions are stored as Large Log Objects (LLOs) and these fields are processed separately and LLO reference system fields (in the format <code>@ptr.$[path.to.field]</code>) are
+ *       added. The path in the reference field reflects the original JSON structure where the large field was located. For example, this could be <code>@ptr.$['input']['message']</code>, <code>@ptr.$['AAA']['BBB']['CCC']['DDD']</code>, <code>@ptr.$['AAA']</code>, or any other path matching your log structure.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CloudWatchLogsClient, GetLogObjectCommand } from "@aws-sdk/client-cloudwatch-logs"; // ES Modules import
+ * // const { CloudWatchLogsClient, GetLogObjectCommand } = require("@aws-sdk/client-cloudwatch-logs"); // CommonJS import
+ * const client = new CloudWatchLogsClient(config);
+ * const input = { // GetLogObjectRequest
+ *   unmask: true || false,
+ *   logObjectPointer: "STRING_VALUE", // required
+ * };
+ * const command = new GetLogObjectCommand(input);
+ * const response = await client.send(command);
+ * // { // GetLogObjectResponse
+ * //   fieldStream: { // GetLogObjectResponseStream Union: only one key present
+ * //     fields: { // FieldsData
+ * //       data: new Uint8Array(),
+ * //     },
+ * //     InternalStreamingException: { // InternalStreamingException
+ * //       message: "STRING_VALUE",
+ * //     },
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param GetLogObjectCommandInput - {@link GetLogObjectCommandInput}
+ * @returns {@link GetLogObjectCommandOutput}
+ * @see {@link GetLogObjectCommandInput} for command's `input` shape.
+ * @see {@link GetLogObjectCommandOutput} for command's `response` shape.
+ * @see {@link CloudWatchLogsClientResolvedConfig | config} for CloudWatchLogsClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You don't have sufficient permissions to perform this action.</p>
+ *
+ * @throws {@link InvalidOperationException} (client fault)
+ *  <p>The operation is not valid on the specified resource.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>A parameter is specified incorrectly.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>You have reached the maximum number of resources that can be created.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>The specified resource does not exist.</p>
+ *
+ * @throws {@link CloudWatchLogsServiceException}
+ * <p>Base exception class for all service exceptions from CloudWatchLogs service.</p>
+ *
+ *
+ * @public
+ */
+export class GetLogObjectCommand extends $Command
+  .classBuilder<
+    GetLogObjectCommandInput,
+    GetLogObjectCommandOutput,
+    CloudWatchLogsClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CloudWatchLogsClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("Logs_20140328", "GetLogObject", {
+    /**
+     * @internal
+     */
+    eventStream: {
+      output: true,
+    },
+  })
+  .n("CloudWatchLogsClient", "GetLogObjectCommand")
+  .f(void 0, GetLogObjectResponseFilterSensitiveLog)
+  .ser(se_GetLogObjectCommand)
+  .de(de_GetLogObjectCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: GetLogObjectRequest;
+      output: GetLogObjectResponse;
+    };
+    sdk: {
+      input: GetLogObjectCommandInput;
+      output: GetLogObjectCommandOutput;
+    };
+  };
+}

clients/client-cloudwatch-logs/src/commands/PutAccountPolicyCommand.ts

@@ -28,8 +28,9 @@ export interface PutAccountPolicyCommandInput extends PutAccountPolicyRequest {}
 export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse, __MetadataBearer {}
 
 /**
- * <p>Creates an account-level data protection policy, subscription filter policy, or field
- *       index policy that applies to all log groups or a subset of log groups in the account.</p>
+ * <p>Creates an account-level data protection policy, subscription filter policy, field index
+ *       policy, transformer policy, or metric extraction policy that applies to all log groups or a
+ *       subset of log groups in the account.</p>
  *          <p>To use this operation, you must be signed on with the correct permissions depending on the
  *       type of policy that you are creating.</p>
  *          <ul>
@@ -51,6 +52,11 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  *                <p>To create a field index policy, you must have the <code>logs:PutIndexPolicy</code> and
  *             <code>logs:PutAccountPolicy</code> permissions.</p>
  *             </li>
+ *             <li>
+ *                <p>To create a metric extraction policy, you must have the
+ *             <code>logs:PutMetricExtractionPolicy</code> and
+ *             <code>logs:PutAccountPolicy</code> permissions.</p>
+ *             </li>
  *          </ul>
  *          <p>
  *             <b>Data protection policy</b>
@@ -183,6 +189,57 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  *          <p>If you want to create a field index policy for a single log group, you can use <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutIndexPolicy.html">PutIndexPolicy</a> instead of <code>PutAccountPolicy</code>. If you do so, that log
  *       group will use only that log-group level policy, and will ignore the account-level policy that
  *       you create with <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutAccountPolicy.html">PutAccountPolicy</a>.</p>
+ *          <p>
+ *             <b>Metric extraction policy</b>
+ *          </p>
+ *          <p>A metric extraction policy controls whether CloudWatch Metrics can be created through the
+ *       Embedded Metrics Format (EMF) for log groups in your account. By default, EMF metric creation
+ *       is enabled for all log groups. You can use metric extraction policies to disable EMF metric
+ *       creation for your entire account or specific log groups.</p>
+ *          <p>When a policy disables EMF metric creation for a log group, log events in the EMF format
+ *       are still ingested, but no CloudWatch Metrics are created from them.</p>
+ *          <important>
+ *             <p>Creating a policy disables metrics for AWS features that use EMF to create metrics, such
+ *         as CloudWatch Container Insights and CloudWatch Application Signals. To prevent turning off
+ *         those features by accident, we recommend that you exclude the underlying log-groups through a
+ *         selection-criteria such as <code>LogGroupNamePrefix NOT IN ["/aws/containerinsights",
+ *         "/aws/ecs/containerinsights", "/aws/application-signals/data"]</code>.</p>
+ *          </important>
+ *          <p>Each account can have either one account-level metric extraction policy that applies to
+ *       all log groups, or up to 5 policies that are each scoped to a subset of log groups with the
+ *       <code>selectionCriteria</code> parameter. The selection criteria supports filtering by <code>LogGroupName</code> and
+ *       <code>LogGroupNamePrefix</code> using the operators <code>IN</code> and <code>NOT IN</code>. You can specify up to 50 values in each
+ *       <code>IN</code> or <code>NOT IN</code> list.</p>
+ *          <p>The selection criteria can be specified in these formats:</p>
+ *          <p>
+ *             <code>LogGroupName IN ["log-group-1", "log-group-2"]</code>
+ *          </p>
+ *          <p>
+ *             <code>LogGroupNamePrefix NOT IN ["/aws/prefix1", "/aws/prefix2"]</code>
+ *          </p>
+ *          <p>If you have multiple account-level metric extraction policies with selection criteria, no
+ *       two of them can have overlapping criteria. For example, if you have one policy with selection
+ *       criteria <code>LogGroupNamePrefix IN ["my-log"]</code>, you can't have another metric extraction policy
+ *       with selection criteria <code>LogGroupNamePrefix IN ["/my-log-prod"]</code> or <code>LogGroupNamePrefix IN
+ *       ["/my-logging"]</code>, as the set of log groups matching these prefixes would be a subset of the log
+ *       groups matching the first policy's prefix, creating an overlap.</p>
+ *          <p>When using <code>NOT IN</code>, only one policy with this operator is allowed per account.</p>
+ *          <p>When combining policies with <code>IN</code> and <code>NOT IN</code> operators, the overlap check ensures that
+ *       policies don't have conflicting effects. Two policies with <code>IN</code> and <code>NOT IN</code> operators do not
+ *       overlap if and only if every value in the <code>IN </code>policy is completely contained within some value
+ *       in the <code>NOT IN</code> policy. For example:</p>
+ *          <ul>
+ *             <li>
+ *                <p>If you have a <code>NOT IN</code> policy for prefix <code>"/aws/lambda"</code>, you can create an <code>IN</code> policy for
+ *           the exact log group name <code>"/aws/lambda/function1"</code> because the set of log groups matching
+ *           <code>"/aws/lambda/function1"</code> is a subset of the log groups matching <code>"/aws/lambda"</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>If you have a <code>NOT IN</code> policy for prefix <code>"/aws/lambda"</code>, you cannot create an <code>IN</code> policy
+ *           for prefix <code>"/aws"</code> because the set of log groups matching <code>"/aws"</code> is not a subset of the log
+ *           groups matching <code>"/aws/lambda"</code>.</p>
+ *             </li>
+ *          </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -192,7 +249,7 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  * const input = { // PutAccountPolicyRequest
  *   policyName: "STRING_VALUE", // required
  *   policyDocument: "STRING_VALUE", // required
- *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY", // required
+ *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY" || "METRIC_EXTRACTION_POLICY", // required
  *   scope: "ALL",
  *   selectionCriteria: "STRING_VALUE",
  * };
@@ -203,7 +260,7 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  * //     policyName: "STRING_VALUE",
  * //     policyDocument: "STRING_VALUE",
  * //     lastUpdatedTime: Number("long"),
- * //     policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY",
+ * //     policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY" || "FIELD_INDEX_POLICY" || "TRANSFORMER_POLICY" || "METRIC_EXTRACTION_POLICY",
  * //     scope: "ALL",
  * //     selectionCriteria: "STRING_VALUE",
  * //     accountId: "STRING_VALUE",

clients/client-cloudwatch-logs/src/commands/UntagLogGroupCommand.ts

@@ -34,10 +34,9 @@ export interface UntagLogGroupCommandOutput extends __MetadataBearer {}
  *          </important>
  *          <p>Removes the specified tags from the specified log group.</p>
  *          <p>To list the tags for a log group, use <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ListTagsForResource.html">ListTagsForResource</a>. To add tags, use <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_TagResource.html">TagResource</a>.</p>
- *          <p>CloudWatch Logs doesn't support IAM policies that prevent users from assigning specified
- *       tags to log groups using the <code>aws:Resource/<i>key-name</i>
- *             </code> or
- *         <code>aws:TagKeys</code> condition keys. </p>
+ *          <p>When using IAM policies to control tag management for CloudWatch Logs log groups, the
+ *       condition keys <code>aws:Resource/key-name</code> and <code>aws:TagKeys</code> cannot be used to restrict which tags
+ *       users can assign. </p>
  *
  * @deprecated Please use the generic tagging API UntagResource
  * @example

clients/client-cloudwatch-logs/src/commands/index.ts

@@ -51,6 +51,7 @@ export * from "./GetIntegrationCommand";
 export * from "./GetLogAnomalyDetectorCommand";
 export * from "./GetLogEventsCommand";
 export * from "./GetLogGroupFieldsCommand";
+export * from "./GetLogObjectCommand";
 export * from "./GetLogRecordCommand";
 export * from "./GetQueryResultsCommand";
 export * from "./GetTransformerCommand";