feat(client-cloudwatch-logs): Add support for account level subscription filter policies to PutAccountPolicy, DescribeAccountPolicies, and DeleteAccountPolicy APIs. Additionally, PutAccountPolicy has been modified with new optional "selectionCriteria" parameter for resource selection.

Author: awstools

clients/client-cloudwatch-logs/src/commands/DeleteAccountPolicyCommand.ts

@@ -28,9 +28,20 @@ export interface DeleteAccountPolicyCommandOutput extends __MetadataBearer {}
 
 /**
  * @public
- * <p>Deletes a CloudWatch Logs account policy.</p>
- *          <p>To use this operation, you must be signed on with the <code>logs:DeleteDataProtectionPolicy</code> and
- *       <code>logs:DeleteAccountPolicy</code> permissions.</p>
+ * <p>Deletes a CloudWatch Logs account policy. This stops the policy from applying to all log groups
+ *     or a subset of log groups in the account. Log-group level policies will still be in effect.</p>
+ *          <p>To use this operation, you must be signed on with the correct permissions depending on the type of policy
+ *       that you are deleting.</p>
+ *          <ul>
+ *             <li>
+ *                <p>To delete a data protection policy, you must have the <code>logs:DeleteDataProtectionPolicy</code> and
+ *         <code>logs:DeleteAccountPolicy</code> permissions.</p>
+ *             </li>
+ *             <li>
+ *                <p>To delete a subscription filter policy, you must have the <code>logs:DeleteSubscriptionFilter</code> and
+ *         <code>logs:DeleteAccountPolicy</code> permissions.</p>
+ *             </li>
+ *          </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -39,7 +50,7 @@ export interface DeleteAccountPolicyCommandOutput extends __MetadataBearer {}
  * const client = new CloudWatchLogsClient(config);
  * const input = { // DeleteAccountPolicyRequest
  *   policyName: "STRING_VALUE", // required
- *   policyType: "DATA_PROTECTION_POLICY", // required
+ *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY", // required
  * };
  * const command = new DeleteAccountPolicyCommand(input);
  * const response = await client.send(command);

clients/client-cloudwatch-logs/src/commands/DescribeAccountPoliciesCommand.ts

@@ -36,7 +36,7 @@ export interface DescribeAccountPoliciesCommandOutput extends DescribeAccountPol
  * // const { CloudWatchLogsClient, DescribeAccountPoliciesCommand } = require("@aws-sdk/client-cloudwatch-logs"); // CommonJS import
  * const client = new CloudWatchLogsClient(config);
  * const input = { // DescribeAccountPoliciesRequest
- *   policyType: "DATA_PROTECTION_POLICY", // required
+ *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY", // required
  *   policyName: "STRING_VALUE",
  *   accountIdentifiers: [ // AccountIds
  *     "STRING_VALUE",
@@ -50,8 +50,9 @@ export interface DescribeAccountPoliciesCommandOutput extends DescribeAccountPol
  * //       policyName: "STRING_VALUE",
  * //       policyDocument: "STRING_VALUE",
  * //       lastUpdatedTime: Number("long"),
- * //       policyType: "DATA_PROTECTION_POLICY",
+ * //       policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY",
  * //       scope: "ALL",
+ * //       selectionCriteria: "STRING_VALUE",
  * //       accountId: "STRING_VALUE",
  * //     },
  * //   ],

clients/client-cloudwatch-logs/src/commands/PutAccountPolicyCommand.ts

@@ -28,15 +28,20 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
 
 /**
  * @public
- * <p>Creates an account-level data protection policy that applies to all log groups in the account. A data protection policy can help safeguard sensitive
+ * <p>Creates an account-level data protection policy or subscription filter policy that applies to all log groups
+ *       or a subset of log groups in the account.</p>
+ *          <p>
+ *             <b>Data protection policy</b>
+ *          </p>
+ *          <p>A data protection policy can help safeguard sensitive
  *       data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only
- *     one account-level policy.</p>
+ *     one account-level data protection policy.</p>
  *          <important>
  *             <p>Sensitive data is detected and masked when it is ingested into a log group. When you set a
  *       data protection policy, log events ingested into the log groups before that time are not masked.</p>
  *          </important>
  *          <p>If you use <code>PutAccountPolicy</code> to create a data protection policy for your whole account, it applies to both existing log groups
- *     and all log groups that are created later in this account. The account policy is applied to existing log groups
+ *     and all log groups that are created later in this account. The account-level policy is applied to existing log groups
  *     with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.</p>
  *          <p>By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks.
  *       A user who has the <code>logs:Unmask</code> permission can use a
@@ -47,14 +52,43 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  *       console by running a CloudWatch Logs Insights query with the <code>unmask</code> query command.</p>
  *          <p>For more information, including a list of types of data that can be audited and masked, see
  *       <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html">Protect sensitive log data with masking</a>.</p>
- *          <p>To use the <code>PutAccountPolicy</code> operation, you must be signed on with the <code>logs:PutDataProtectionPolicy</code>
+ *          <p>To use the <code>PutAccountPolicy</code> operation for a data protection policy, you must be signed on with
+ *       the <code>logs:PutDataProtectionPolicy</code>
  *     and <code>logs:PutAccountPolicy</code> permissions.</p>
- *          <p>The <code>PutAccountPolicy</code> operation applies to all log groups in the account. You can also use
+ *          <p>The <code>PutAccountPolicy</code> operation applies to all log groups in the account. You can use
  *       <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDataProtectionPolicy.html">PutDataProtectionPolicy</a>
  *       to create a data protection policy that applies to just one log group.
  *       If a log group has its own data protection policy and
  *       the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term
  *       specified in either policy is masked.</p>
+ *          <p>
+ *             <b>Subscription filter policy</b>
+ *          </p>
+ *          <p>A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other Amazon Web Services services.
+ *       Account-level subscription filter policies apply to both existing log groups and log groups that are created later in
+ *       this account. Supported destinations are Kinesis Data Streams, Kinesis Data Firehose, and
+ *       Lambda. When log events are sent to the receiving service, they are Base64 encoded and
+ *       compressed with the GZIP format.</p>
+ *          <p>The following destinations are supported for subscription filters:</p>
+ *          <ul>
+ *             <li>
+ *                <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>
+ *             </li>
+ *             <li>
+ *                <p>An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>
+ *             </li>
+ *             <li>
+ *                <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>
+ *             </li>
+ *             <li>
+ *                <p>A logical destination in a different account created with <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html">PutDestination</a>, for cross-account
+ *         delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.</p>
+ *             </li>
+ *          </ul>
+ *          <p>Each account can have one account-level subscription filter policy.
+ *       If you are updating an existing filter, you must specify the correct name in <code>PolicyName</code>.
+ *       To perform a <code>PutAccountPolicy</code> subscription filter operation for any destination except a Lambda
+ *       function, you must also have the <code>iam:PassRole</code> permission.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -64,8 +98,9 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  * const input = { // PutAccountPolicyRequest
  *   policyName: "STRING_VALUE", // required
  *   policyDocument: "STRING_VALUE", // required
- *   policyType: "DATA_PROTECTION_POLICY", // required
+ *   policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY", // required
  *   scope: "ALL",
+ *   selectionCriteria: "STRING_VALUE",
  * };
  * const command = new PutAccountPolicyCommand(input);
  * const response = await client.send(command);
@@ -74,8 +109,9 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  * //     policyName: "STRING_VALUE",
  * //     policyDocument: "STRING_VALUE",
  * //     lastUpdatedTime: Number("long"),
- * //     policyType: "DATA_PROTECTION_POLICY",
+ * //     policyType: "DATA_PROTECTION_POLICY" || "SUBSCRIPTION_FILTER_POLICY",
  * //     scope: "ALL",
+ * //     selectionCriteria: "STRING_VALUE",
  * //     accountId: "STRING_VALUE",
  * //   },
  * // };

clients/client-cloudwatch-logs/src/commands/StartLiveTailCommand.ts

@@ -70,6 +70,9 @@ export interface StartLiveTailCommandOutput extends StartLiveTailResponse, __Met
  *             <p>You can end a session before it times out by closing the session stream or by closing the client that is receiving the
  *   stream. The session also ends if the established connection between the client and the server breaks.</p>
  *          </important>
+ *          <p>For examples of using an SDK to start a Live Tail session, see
+ *     <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/example_cloudwatch-logs_StartLiveTail_section.html">
+ *       Start a Live Tail session using an Amazon Web Services SDK</a>.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-cloudwatch-logs/src/models/models_0.ts

@@ -29,6 +29,7 @@ export class AccessDeniedException extends __BaseException {
  */
 export const PolicyType = {
   DATA_PROTECTION_POLICY: "DATA_PROTECTION_POLICY",
+  SUBSCRIPTION_FILTER_POLICY: "SUBSCRIPTION_FILTER_POLICY",
 } as const;
 
 /**
@@ -85,6 +86,12 @@ export interface AccountPolicy {
    */
   scope?: Scope;
 
+  /**
+   * @public
+   * <p>The log group selection criteria for this subscription filter policy.</p>
+   */
+  selectionCriteria?: string;
+
   /**
    * @public
    * <p>The Amazon Web Services account ID that the policy applies to.</p>
@@ -970,7 +977,7 @@ export interface CreateLogGroupRequest {
    *          </ul>
    *          <p>If you omit this parameter, the default of <code>STANDARD</code> is used.</p>
    *          <important>
-   *             <p>After a log group is created, its class can't be changed.</p>
+   *             <p>The value of <code>logGroupClass</code> can't be changed after a log group is created.</p>
    *          </important>
    *          <p>For details about the features supported by each class, see
    *       <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html">Log classes</a>
@@ -1053,7 +1060,7 @@ export interface DeleteAccountPolicyRequest {
 
   /**
    * @public
-   * <p>The type of policy to delete. Currently, the only valid value is <code>DATA_PROTECTION_POLICY</code>.</p>
+   * <p>The type of policy to delete.</p>
    */
   policyType: PolicyType | undefined;
 }
@@ -1431,7 +1438,7 @@ export interface DescribeAccountPoliciesRequest {
   /**
    * @public
    * <p>Use this parameter to limit the returned policies to only the policies that match the policy type that you
-   *       specify. Currently, the only valid value is <code>DATA_PROTECTION_POLICY</code>.</p>
+   *       specify.</p>
    */
   policyType: PolicyType | undefined;
 
@@ -3885,8 +3892,11 @@ export interface PutAccountPolicyRequest {
 
   /**
    * @public
-   * <p>Specify the data protection policy, in JSON.</p>
-   *          <p>This policy must include two JSON blocks:</p>
+   * <p>Specify the policy, in JSON.</p>
+   *          <p>
+   *             <b>Data protection policy</b>
+   *          </p>
+   *          <p>A data protection policy must include two JSON blocks:</p>
    *          <ul>
    *             <li>
    *                <p>The first block must include both a <code>DataIdentifer</code> array and an
@@ -3919,13 +3929,57 @@ export interface PutAccountPolicyRequest {
    *     <code>Description</code>, and <code>Version</code> fields. The <code>Name</code> is different than the
    *       operation's <code>policyName</code> parameter, and is used as a dimension when
    *     CloudWatch Logs reports audit findings metrics to CloudWatch.</p>
-   *          <p>The JSON specified in <code>policyDocument</code> can be up to 30,720 characters.</p>
+   *          <p>The JSON specified in <code>policyDocument</code> can be up to 30,720 characters long.</p>
+   *          <p>
+   *             <b>Subscription filter policy</b>
+   *          </p>
+   *          <p>A subscription filter policy can include the following attributes in a JSON block:</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <b>DestinationArn</b> The ARN of the destination
+   *       to deliver log events to. Supported destinations are:</p>
+   *                <ul>
+   *                   <li>
+   *                      <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>A logical destination in a different account created with <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html">PutDestination</a>, for cross-account
+   *             delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.</p>
+   *                   </li>
+   *                </ul>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <b>RoleArn</b> The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log
+   *         events to the destination stream. You don't need to provide the ARN when you are working with
+   *         a logical destination for cross-account delivery.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <b>FilterPattern</b> A filter pattern for subscribing to a
+   *         filtered stream of log events.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <b>Distribution</b>The method used to distribute log data to the destination.
+   *         By default, log data is
+   *         grouped by log stream, but the grouping can be set to <code>Random</code> for a more even distribution.
+   *         This property is only applicable when the destination is an Kinesis Data Streams data stream.</p>
+   *             </li>
+   *          </ul>
    */
   policyDocument: string | undefined;
 
   /**
    * @public
-   * <p>Currently the only valid value for this parameter is <code>DATA_PROTECTION_POLICY</code>.</p>
+   * <p>The type of policy that you're creating or updating.</p>
    */
   policyType: PolicyType | undefined;
 
@@ -3936,6 +3990,18 @@ export interface PutAccountPolicyRequest {
    *     of <code>ALL</code> is used.</p>
    */
   scope?: Scope;
+
+  /**
+   * @public
+   * <p>Use this parameter to apply the subscription filter policy to a subset of log groups in the account.
+   *       Currently, the only supported filter is <code>LogGroupName NOT IN []</code>. The <code>selectionCriteria</code>
+   *     string can be up to 25KB in length. The length is determined by using its UTF-8 bytes.</p>
+   *          <p>Using the <code>selectionCriteria</code> parameter is useful to help prevent infinite loops.
+   *       For more information, see <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions-recursion-prevention.html">Log recursion prevention</a>.</p>
+   *          <p>Specifing <code>selectionCriteria</code> is valid only when you specify <code> SUBSCRIPTION_FILTER_POLICY</code>
+   *     for <code>policyType</code>.</p>
+   */
+  selectionCriteria?: string;
 }
 
 /**
@@ -4585,6 +4651,7 @@ export interface StartLiveTailRequest {
    * @public
    * <p>If you specify this parameter, then only log events in the log streams that you specify here are
    *     included in the Live Tail session.</p>
+   *          <p>If you specify this field, you can't also specify the <code>logStreamNamePrefixes</code> field.</p>
    *          <note>
    *             <p>You can specify this parameter only if you specify only one log group in <code>logGroupIdentifiers</code>.</p>
    *          </note>
@@ -4596,6 +4663,7 @@ export interface StartLiveTailRequest {
    * <p>If you specify this parameter, then only log events in the log streams that have names that start with the
    *       prefixes that you specify here are
    *       included in the Live Tail session.</p>
+   *          <p>If you specify this field, you can't also specify the <code>logStreamNames</code> field.</p>
    *          <note>
    *             <p>You can specify this parameter only if you specify only one log group in <code>logGroupIdentifiers</code>.</p>
    *          </note>