aws-sdk-cloudwatchlogs 1.63.0 → 1.64.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8eed67c03b6fd8411e46d82c087afea97d39e8f7bd9af4823c798adbe2282b6d
-  data.tar.gz: 9db042afe652f53b242e49e1c0ca9a97140249c28507a11d8ffc8b6219c97f6c
+  metadata.gz: 4087e11ea4a4fdd5a3bb5b6f145623058784baa35826f4ad4f9a53a3c67507e9
+  data.tar.gz: 8acbc2d70e6210c680edf2c63cf5d82844f2ae6439d30293e88bb526f908aeb5
 SHA512:
-  metadata.gz: d77aaade04edf1626add5a96b5be41cad3209c3c9f82e99ec77537ebdd3fbd92c5e2b9f57466d0079f9dca2be30fd6c049a70ba54bb907f08f782d46e1e5335e
-  data.tar.gz: 6da09ec0189e23dd971e82167bbc748ecca6b1daafcbddb48ce8c0090b636ac2a9aab5bc470d6d85e225fe6edc0400e924c910350022cf380121b5b3af6f45ac
+  metadata.gz: a25f75cccb56f477488eb71d5dbbd9266aa3fea01146d1cd6a08df41ef9ec20edaadc077a17934d623f8188ea7855a1bd4e3f40ff6612100118fb68ad55ba3ba
+  data.tar.gz: f66ec8453de6a4483cc6b762b1a16bff9c86817c76f87f217788e8ce3909c44533092e383c8deecbfb28e4000d2f122a9d7c31cc805da0ccc6d1b129556de080

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.64.0 (2023-06-07)
+------------------
+
+* Feature - This change adds support for account level data protection policies using 3 new APIs, PutAccountPolicy, DeleteAccountPolicy and DescribeAccountPolicy. DescribeLogGroup API has been modified to indicate if account level policy is applied to the LogGroup via "inheritedProperties" list in the response.
+
 1.63.0 (2023-05-31)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.63.0
+1.64.0

data/lib/aws-sdk-cloudwatchlogs/client.rb

@@ -582,7 +582,7 @@ module Aws::CloudWatchLogs
     # enables CloudWatch Logs to decrypt this data whenever it is requested.
     #
     # If you attempt to associate a KMS key with the log group but the KMS
-    # keydoes not exist or the KMS key is disabled, you receive an
+    # key does not exist or the KMS key is disabled, you receive an
     # `InvalidParameterException` error.
     #
     # CloudWatch Logs supports only symmetric KMS keys. Do not associate an
@@ -683,6 +683,37 @@ module Aws::CloudWatchLogs
       req.send_request(options)
     end
 
+    # Deletes a CloudWatch Logs account policy.
+    #
+    # To use this operation, you must be signed on with the
+    # `logs:DeleteDataProtectionPolicy` and `logs:DeleteAccountPolicy`
+    # permissions.
+    #
+    # @option params [required, String] :policy_name
+    #   The name of the policy to delete.
+    #
+    # @option params [required, String] :policy_type
+    #   The type of policy to delete. Currently, the only valid value is
+    #   `DATA_PROTECTION_POLICY`.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_account_policy({
+    #     policy_name: "PolicyName", # required
+    #     policy_type: "DATA_PROTECTION_POLICY", # required, accepts DATA_PROTECTION_POLICY
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DeleteAccountPolicy AWS API Documentation
+    #
+    # @overload delete_account_policy(params = {})
+    # @param [Hash] params ({})
+    def delete_account_policy(params = {}, options = {})
+      req = build_request(:delete_account_policy, params)
+      req.send_request(options)
+    end
+
     # Deletes the data protection policy from the specified log group.
     #
     # For more information about data protection policies, see
@@ -929,6 +960,58 @@ module Aws::CloudWatchLogs
       req.send_request(options)
     end
 
+    # Returns a list of all CloudWatch Logs account policies in the account.
+    #
+    # @option params [required, String] :policy_type
+    #   Use this parameter to limit the returned policies to only the policies
+    #   that match the policy type that you specify. Currently, the only valid
+    #   value is `DATA_PROTECTION_POLICY`.
+    #
+    # @option params [String] :policy_name
+    #   Use this parameter to limit the returned policies to only the policy
+    #   with the name that you specify.
+    #
+    # @option params [Array<String>] :account_identifiers
+    #   If you are using an account that is set up as a monitoring account for
+    #   CloudWatch unified cross-account observability, you can use this to
+    #   specify the account ID of a source account. If you do, the operation
+    #   returns the account policy for the specified account. Currently, you
+    #   can specify only one account ID in this parameter.
+    #
+    #   If you omit this parameter, only the policy in the current account is
+    #   returned.
+    #
+    # @return [Types::DescribeAccountPoliciesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DescribeAccountPoliciesResponse#account_policies #account_policies} => Array&lt;Types::AccountPolicy&gt;
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.describe_account_policies({
+    #     policy_type: "DATA_PROTECTION_POLICY", # required, accepts DATA_PROTECTION_POLICY
+    #     policy_name: "PolicyName",
+    #     account_identifiers: ["AccountId"],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.account_policies #=> Array
+    #   resp.account_policies[0].policy_name #=> String
+    #   resp.account_policies[0].policy_document #=> String
+    #   resp.account_policies[0].last_updated_time #=> Integer
+    #   resp.account_policies[0].policy_type #=> String, one of "DATA_PROTECTION_POLICY"
+    #   resp.account_policies[0].scope #=> String, one of "ALL"
+    #   resp.account_policies[0].account_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DescribeAccountPolicies AWS API Documentation
+    #
+    # @overload describe_account_policies(params = {})
+    # @param [Hash] params ({})
+    def describe_account_policies(params = {}, options = {})
+      req = build_request(:describe_account_policies, params)
+      req.send_request(options)
+    end
+
     # Lists all your destinations. The results are ASCII-sorted by
     # destination name.
     #
@@ -1078,6 +1161,9 @@ module Aws::CloudWatchLogs
     #   log groups named `FooBar`, `aws/Foo`, and `GroupFoo` would match, but
     #   `foo`, `F/o/o` and `Froo` would not match.
     #
+    #   If you specify `logGroupNamePattern` in your request, then only `arn`,
+    #   `creationTime`, and `logGroupName` are included in the response.
+    #
     #   <note markdown="1"> `logGroupNamePattern` and `logGroupNamePrefix` are mutually exclusive.
     #   Only one of these parameters can be passed.
     #
@@ -1101,12 +1187,6 @@ module Aws::CloudWatchLogs
     #   account and all log groups in all source accounts that are linked to
     #   the monitoring account.
     #
-    #   <note markdown="1"> If you specify `includeLinkedAccounts` in your request, then
-    #   `metricFilterCount`, `retentionInDays`, and `storedBytes` are not
-    #   included in the response.
-    #
-    #    </note>
-    #
     # @return [Types::DescribeLogGroupsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeLogGroupsResponse#log_groups #log_groups} => Array&lt;Types::LogGroup&gt;
@@ -1136,6 +1216,8 @@ module Aws::CloudWatchLogs
     #   resp.log_groups[0].stored_bytes #=> Integer
     #   resp.log_groups[0].kms_key_id #=> String
     #   resp.log_groups[0].data_protection_status #=> String, one of "ACTIVATED", "DELETED", "ARCHIVED", "DISABLED"
+    #   resp.log_groups[0].inherited_properties #=> Array
+    #   resp.log_groups[0].inherited_properties[0] #=> String, one of "ACCOUNT_DATA_PROTECTION"
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DescribeLogGroups AWS API Documentation
@@ -1566,7 +1648,7 @@ module Aws::CloudWatchLogs
     # log events or filter the results using a filter pattern, a time range,
     # and the name of the log stream.
     #
-    # You must have the `logs;FilterLogEvents` permission to perform this
+    # You must have the `logs:FilterLogEvents` permission to perform this
     # operation.
     #
     # You can specify the log group to search by using either
@@ -2137,6 +2219,141 @@ module Aws::CloudWatchLogs
       req.send_request(options)
     end
 
+    # Creates an account-level data protection policy that applies to all
+    # log groups in the account. A data protection policy can help safeguard
+    # sensitive data that's ingested by your log groups by auditing and
+    # masking the sensitive log data. Each account can have only one
+    # account-level policy.
+    #
+    # Sensitive data is detected and masked when it is ingested into a log
+    # group. When you set a data protection policy, log events ingested into
+    # the log groups before that time are not masked.
+    #
+    # If you use `PutAccountPolicy` to create a data protection policy for
+    # your whole account, it applies to both existing log groups and all log
+    # groups that are created later in this account. The account policy is
+    # applied to existing log groups with eventual consistency. It might
+    # take up to 5 minutes before sensitive data in existing log groups
+    # begins to be masked.
+    #
+    # By default, when a user views a log event that includes masked data,
+    # the sensitive data is replaced by asterisks. A user who has the
+    # `logs:Unmask` permission can use a [GetLogEvents][1] or
+    # [FilterLogEvents][2] operation with the `unmask` parameter set to
+    # `true` to view the unmasked log events. Users with the `logs:Unmask`
+    # can also view unmasked data in the CloudWatch Logs console by running
+    # a CloudWatch Logs Insights query with the `unmask` query command.
+    #
+    # For more information, including a list of types of data that can be
+    # audited and masked, see [Protect sensitive log data with masking][3].
+    #
+    # To use the `PutAccountPolicy` operation, you must be signed on with
+    # the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy`
+    # permissions.
+    #
+    # The `PutAccountPolicy` operation applies to all log groups in the
+    # account. You can also use [PutDataProtectionPolicy][4] to create a
+    # data protection policy that applies to just one log group. If a log
+    # group has its own data protection policy and the account also has an
+    # account-level data protection policy, then the two policies are
+    # cumulative. Any sensitive term specified in either policy is masked.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html
+    # [2]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html
+    # [3]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html
+    # [4]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDataProtectionPolicy.html
+    #
+    # @option params [required, String] :policy_name
+    #   A name for the policy. This must be unique within the account.
+    #
+    # @option params [required, String] :policy_document
+    #   Specify the data protection policy, in JSON.
+    #
+    #   This policy must include two JSON blocks:
+    #
+    #   * The first block must include both a `DataIdentifer` array and an
+    #     `Operation` property with an `Audit` action. The `DataIdentifer`
+    #     array lists the types of sensitive data that you want to mask. For
+    #     more information about the available options, see [Types of data
+    #     that you can mask][1].
+    #
+    #     The `Operation` property with an `Audit` action is required to find
+    #     the sensitive data terms. This `Audit` action must contain a
+    #     `FindingsDestination` object. You can optionally use that
+    #     `FindingsDestination` object to list one or more destinations to
+    #     send audit findings to. If you specify destinations such as log
+    #     groups, Kinesis Data Firehose streams, and S3 buckets, they must
+    #     already exist.
+    #
+    #   * The second block must include both a `DataIdentifer` array and an
+    #     `Operation` property with an `Deidentify` action. The
+    #     `DataIdentifer` array must exactly match the `DataIdentifer` array
+    #     in the first block of the policy.
+    #
+    #     The `Operation` property with the `Deidentify` action is what
+    #     actually masks the data, and it must contain the ` "MaskConfig":
+    #     \{\}` object. The ` "MaskConfig": \{\}` object must be empty.
+    #
+    #   For an example data protection policy, see the **Examples** section on
+    #   this page.
+    #
+    #   The contents of the two `DataIdentifer` arrays must match exactly.
+    #
+    #   In addition to the two JSON blocks, the `policyDocument` can also
+    #   include `Name`, `Description`, and `Version` fields. The `Name` is
+    #   different than the operation's `policyName` parameter, and is used as
+    #   a dimension when CloudWatch Logs reports audit findings metrics to
+    #   CloudWatch.
+    #
+    #   The JSON specified in `policyDocument` can be up to 30,720 characters.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html
+    #
+    # @option params [required, String] :policy_type
+    #   Currently the only valid value for this parameter is
+    #   `DATA_PROTECTION_POLICY`.
+    #
+    # @option params [String] :scope
+    #   Currently the only valid value for this parameter is `GLOBAL`, which
+    #   specifies that the data protection policy applies to all log groups in
+    #   the account. If you omit this parameter, the default of `GLOBAL` is
+    #   used.
+    #
+    # @return [Types::PutAccountPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::PutAccountPolicyResponse#account_policy #account_policy} => Types::AccountPolicy
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.put_account_policy({
+    #     policy_name: "PolicyName", # required
+    #     policy_document: "AccountPolicyDocument", # required
+    #     policy_type: "DATA_PROTECTION_POLICY", # required, accepts DATA_PROTECTION_POLICY
+    #     scope: "ALL", # accepts ALL
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.account_policy.policy_name #=> String
+    #   resp.account_policy.policy_document #=> String
+    #   resp.account_policy.last_updated_time #=> Integer
+    #   resp.account_policy.policy_type #=> String, one of "DATA_PROTECTION_POLICY"
+    #   resp.account_policy.scope #=> String, one of "ALL"
+    #   resp.account_policy.account_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/PutAccountPolicy AWS API Documentation
+    #
+    # @overload put_account_policy(params = {})
+    # @param [Hash] params ({})
+    def put_account_policy(params = {}, options = {})
+      req = build_request(:put_account_policy, params)
+      req.send_request(options)
+    end
+
     # Creates a data protection policy for the specified log group. A data
     # protection policy can help safeguard sensitive data that's ingested
     # by the log group by auditing and masking the sensitive log data.
@@ -2156,11 +2373,21 @@ module Aws::CloudWatchLogs
     # For more information, including a list of types of data that can be
     # audited and masked, see [Protect sensitive log data with masking][3].
     #
+    # The `PutDataProtectionPolicy` operation applies to only the specified
+    # log group. You can also use [PutAccountPolicy][4] to create an
+    # account-level data protection policy that applies to all log groups in
+    # the account, including both existing log groups and log groups that
+    # are created level. If a log group has its own data protection policy
+    # and the account also has an account-level data protection policy, then
+    # the two policies are cumulative. Any sensitive term specified in
+    # either policy is masked.
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html
     # [2]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html
     # [3]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html
+    # [4]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutAccountPolicy.html
     #
     # @option params [required, String] :log_group_identifier
     #   Specify either the log group name or log group ARN.
@@ -2196,7 +2423,14 @@ module Aws::CloudWatchLogs
     #   For an example data protection policy, see the **Examples** section on
     #   this page.
     #
-    #   The contents of two `DataIdentifer` arrays must match exactly.
+    #   The contents of the two `DataIdentifer` arrays must match exactly.
+    #
+    #   In addition to the two JSON blocks, the `policyDocument` can also
+    #   include `Name`, `Description`, and `Version` fields. The `Name` is
+    #   used as a dimension when CloudWatch Logs reports audit findings
+    #   metrics to CloudWatch.
+    #
+    #   The JSON specified in `policyDocument` can be up to 30,720 characters.
     #
     #
     #
@@ -2328,11 +2562,11 @@ module Aws::CloudWatchLogs
     # @option params [Boolean] :force_update
     #   Specify true if you are updating an existing destination policy to
     #   grant permission to an organization ID instead of granting permission
-    #   to individual AWS accounts. Before you update a destination policy
-    #   this way, you must first update the subscription filters in the
-    #   accounts that send logs to this destination. If you do not, the
-    #   subscription filters might stop working. By specifying `true` for
-    #   `forceUpdate`, you are affirming that you have already updated the
+    #   to individual Amazon Web Services accounts. Before you update a
+    #   destination policy this way, you must first update the subscription
+    #   filters in the accounts that send logs to this destination. If you do
+    #   not, the subscription filters might stop working. By specifying `true`
+    #   for `forceUpdate`, you are affirming that you have already updated the
     #   subscription filters. For more information, see [ Updating an existing
     #   cross-account subscription][1]
     #
@@ -2392,6 +2626,8 @@ module Aws::CloudWatchLogs
     # * A batch of log events in a single request cannot span more than 24
     #   hours. Otherwise, the operation fails.
     #
+    # * Each log event can be no larger than 256 KB.
+    #
     # * The maximum number of log events in a batch is 10,000.
     #
     # * The quota of five requests per second per log stream has been
@@ -2708,7 +2944,7 @@ module Aws::CloudWatchLogs
     # @option params [required, Integer] :retention_in_days
     #   The number of days to retain the log events in the specified log
     #   group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180,
-    #   365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, and 3653.
+    #   365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.
     #
     #   To set a log group so that its log events do not expire, use
     #   [DeleteRetentionPolicy][1].
@@ -2760,8 +2996,9 @@ module Aws::CloudWatchLogs
     # it. If you are updating an existing filter, you must specify the
     # correct name in `filterName`.
     #
-    # To perform a `PutSubscriptionFilter` operation, you must also have the
-    # `iam:PassRole` permission.
+    # To perform a `PutSubscriptionFilter` operation for any destination
+    # except a Lambda function, you must also have the `iam:PassRole`
+    # permission.
     #
     #
     #
@@ -2848,7 +3085,7 @@ module Aws::CloudWatchLogs
     #
     # For more information, see [CloudWatch Logs Insights Query Syntax][1].
     #
-    # Queries time out after 15 minutes of runtime. If your queries are
+    # Queries time out after 60 minutes of runtime. If your queries are
     # timing out, reduce the time range being searched or partition your
     # query into a number of queries.
     #
@@ -2858,7 +3095,7 @@ module Aws::CloudWatchLogs
     # observability][2]. For a cross-account `StartQuery` operation, the
     # query definition must be defined in the monitoring account.
     #
-    # You can have up to 20 concurrent CloudWatch Logs insights queries,
+    # You can have up to 30 concurrent CloudWatch Logs insights queries,
     # including queries that have been added to dashboards.
     #
     #
@@ -3224,7 +3461,7 @@ module Aws::CloudWatchLogs
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cloudwatchlogs'
-      context[:gem_version] = '1.63.0'
+      context[:gem_version] = '1.64.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cloudwatchlogs/client_api.rb

@@ -16,6 +16,9 @@ module Aws::CloudWatchLogs
     AccessPolicy = Shapes::StringShape.new(name: 'AccessPolicy')
     AccountId = Shapes::StringShape.new(name: 'AccountId')
     AccountIds = Shapes::ListShape.new(name: 'AccountIds')
+    AccountPolicies = Shapes::ListShape.new(name: 'AccountPolicies')
+    AccountPolicy = Shapes::StructureShape.new(name: 'AccountPolicy')
+    AccountPolicyDocument = Shapes::StringShape.new(name: 'AccountPolicyDocument')
     AmazonResourceName = Shapes::StringShape.new(name: 'AmazonResourceName')
     Arn = Shapes::StringShape.new(name: 'Arn')
     AssociateKmsKeyRequest = Shapes::StructureShape.new(name: 'AssociateKmsKeyRequest')
@@ -29,6 +32,7 @@ module Aws::CloudWatchLogs
     DataProtectionStatus = Shapes::StringShape.new(name: 'DataProtectionStatus')
     Days = Shapes::IntegerShape.new(name: 'Days')
     DefaultValue = Shapes::FloatShape.new(name: 'DefaultValue')
+    DeleteAccountPolicyRequest = Shapes::StructureShape.new(name: 'DeleteAccountPolicyRequest')
     DeleteDataProtectionPolicyRequest = Shapes::StructureShape.new(name: 'DeleteDataProtectionPolicyRequest')
     DeleteDestinationRequest = Shapes::StructureShape.new(name: 'DeleteDestinationRequest')
     DeleteLogGroupRequest = Shapes::StructureShape.new(name: 'DeleteLogGroupRequest')
@@ -40,6 +44,8 @@ module Aws::CloudWatchLogs
     DeleteRetentionPolicyRequest = Shapes::StructureShape.new(name: 'DeleteRetentionPolicyRequest')
     DeleteSubscriptionFilterRequest = Shapes::StructureShape.new(name: 'DeleteSubscriptionFilterRequest')
     Descending = Shapes::BooleanShape.new(name: 'Descending')
+    DescribeAccountPoliciesRequest = Shapes::StructureShape.new(name: 'DescribeAccountPoliciesRequest')
+    DescribeAccountPoliciesResponse = Shapes::StructureShape.new(name: 'DescribeAccountPoliciesResponse')
     DescribeDestinationsRequest = Shapes::StructureShape.new(name: 'DescribeDestinationsRequest')
     DescribeDestinationsResponse = Shapes::StructureShape.new(name: 'DescribeDestinationsResponse')
     DescribeExportTasksRequest = Shapes::StructureShape.new(name: 'DescribeExportTasksRequest')
@@ -104,6 +110,8 @@ module Aws::CloudWatchLogs
     GetQueryResultsRequest = Shapes::StructureShape.new(name: 'GetQueryResultsRequest')
     GetQueryResultsResponse = Shapes::StructureShape.new(name: 'GetQueryResultsResponse')
     IncludeLinkedAccounts = Shapes::BooleanShape.new(name: 'IncludeLinkedAccounts')
+    InheritedProperties = Shapes::ListShape.new(name: 'InheritedProperties')
+    InheritedProperty = Shapes::StringShape.new(name: 'InheritedProperty')
     InputLogEvent = Shapes::StructureShape.new(name: 'InputLogEvent')
     InputLogEvents = Shapes::ListShape.new(name: 'InputLogEvents')
     InputLogStreamNames = Shapes::ListShape.new(name: 'InputLogStreamNames')
@@ -152,6 +160,9 @@ module Aws::CloudWatchLogs
     Percentage = Shapes::IntegerShape.new(name: 'Percentage')
     PolicyDocument = Shapes::StringShape.new(name: 'PolicyDocument')
     PolicyName = Shapes::StringShape.new(name: 'PolicyName')
+    PolicyType = Shapes::StringShape.new(name: 'PolicyType')
+    PutAccountPolicyRequest = Shapes::StructureShape.new(name: 'PutAccountPolicyRequest')
+    PutAccountPolicyResponse = Shapes::StructureShape.new(name: 'PutAccountPolicyResponse')
     PutDataProtectionPolicyRequest = Shapes::StructureShape.new(name: 'PutDataProtectionPolicyRequest')
     PutDataProtectionPolicyResponse = Shapes::StructureShape.new(name: 'PutDataProtectionPolicyResponse')
     PutDestinationPolicyRequest = Shapes::StructureShape.new(name: 'PutDestinationPolicyRequest')
@@ -189,6 +200,7 @@ module Aws::CloudWatchLogs
     ResultField = Shapes::StructureShape.new(name: 'ResultField')
     ResultRows = Shapes::ListShape.new(name: 'ResultRows')
     RoleArn = Shapes::StringShape.new(name: 'RoleArn')
+    Scope = Shapes::StringShape.new(name: 'Scope')
     SearchedLogStream = Shapes::StructureShape.new(name: 'SearchedLogStream')
     SearchedLogStreams = Shapes::ListShape.new(name: 'SearchedLogStreams')
     SequenceToken = Shapes::StringShape.new(name: 'SequenceToken')
@@ -226,6 +238,16 @@ module Aws::CloudWatchLogs
 
     AccountIds.member = Shapes::ShapeRef.new(shape: AccountId)
 
+    AccountPolicies.member = Shapes::ShapeRef.new(shape: AccountPolicy)
+
+    AccountPolicy.add_member(:policy_name, Shapes::ShapeRef.new(shape: PolicyName, location_name: "policyName"))
+    AccountPolicy.add_member(:policy_document, Shapes::ShapeRef.new(shape: AccountPolicyDocument, location_name: "policyDocument"))
+    AccountPolicy.add_member(:last_updated_time, Shapes::ShapeRef.new(shape: Timestamp, location_name: "lastUpdatedTime"))
+    AccountPolicy.add_member(:policy_type, Shapes::ShapeRef.new(shape: PolicyType, location_name: "policyType"))
+    AccountPolicy.add_member(:scope, Shapes::ShapeRef.new(shape: Scope, location_name: "scope"))
+    AccountPolicy.add_member(:account_id, Shapes::ShapeRef.new(shape: AccountId, location_name: "accountId"))
+    AccountPolicy.struct_class = Types::AccountPolicy
+
     AssociateKmsKeyRequest.add_member(:log_group_name, Shapes::ShapeRef.new(shape: LogGroupName, required: true, location_name: "logGroupName"))
     AssociateKmsKeyRequest.add_member(:kms_key_id, Shapes::ShapeRef.new(shape: KmsKeyId, required: true, location_name: "kmsKeyId"))
     AssociateKmsKeyRequest.struct_class = Types::AssociateKmsKeyRequest
@@ -257,6 +279,10 @@ module Aws::CloudWatchLogs
     DataAlreadyAcceptedException.add_member(:expected_sequence_token, Shapes::ShapeRef.new(shape: SequenceToken, location_name: "expectedSequenceToken"))
     DataAlreadyAcceptedException.struct_class = Types::DataAlreadyAcceptedException
 
+    DeleteAccountPolicyRequest.add_member(:policy_name, Shapes::ShapeRef.new(shape: PolicyName, required: true, location_name: "policyName"))
+    DeleteAccountPolicyRequest.add_member(:policy_type, Shapes::ShapeRef.new(shape: PolicyType, required: true, location_name: "policyType"))
+    DeleteAccountPolicyRequest.struct_class = Types::DeleteAccountPolicyRequest
+
     DeleteDataProtectionPolicyRequest.add_member(:log_group_identifier, Shapes::ShapeRef.new(shape: LogGroupIdentifier, required: true, location_name: "logGroupIdentifier"))
     DeleteDataProtectionPolicyRequest.struct_class = Types::DeleteDataProtectionPolicyRequest
 
@@ -290,6 +316,14 @@ module Aws::CloudWatchLogs
     DeleteSubscriptionFilterRequest.add_member(:filter_name, Shapes::ShapeRef.new(shape: FilterName, required: true, location_name: "filterName"))
     DeleteSubscriptionFilterRequest.struct_class = Types::DeleteSubscriptionFilterRequest
 
+    DescribeAccountPoliciesRequest.add_member(:policy_type, Shapes::ShapeRef.new(shape: PolicyType, required: true, location_name: "policyType"))
+    DescribeAccountPoliciesRequest.add_member(:policy_name, Shapes::ShapeRef.new(shape: PolicyName, location_name: "policyName"))
+    DescribeAccountPoliciesRequest.add_member(:account_identifiers, Shapes::ShapeRef.new(shape: AccountIds, location_name: "accountIdentifiers"))
+    DescribeAccountPoliciesRequest.struct_class = Types::DescribeAccountPoliciesRequest
+
+    DescribeAccountPoliciesResponse.add_member(:account_policies, Shapes::ShapeRef.new(shape: AccountPolicies, location_name: "accountPolicies"))
+    DescribeAccountPoliciesResponse.struct_class = Types::DescribeAccountPoliciesResponse
+
     DescribeDestinationsRequest.add_member(:destination_name_prefix, Shapes::ShapeRef.new(shape: DestinationName, location_name: "DestinationNamePrefix"))
     DescribeDestinationsRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: NextToken, location_name: "nextToken"))
     DescribeDestinationsRequest.add_member(:limit, Shapes::ShapeRef.new(shape: DescribeLimit, location_name: "limit"))
@@ -497,6 +531,8 @@ module Aws::CloudWatchLogs
     GetQueryResultsResponse.add_member(:status, Shapes::ShapeRef.new(shape: QueryStatus, location_name: "status"))
     GetQueryResultsResponse.struct_class = Types::GetQueryResultsResponse
 
+    InheritedProperties.member = Shapes::ShapeRef.new(shape: InheritedProperty)
+
     InputLogEvent.add_member(:timestamp, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "timestamp"))
     InputLogEvent.add_member(:message, Shapes::ShapeRef.new(shape: EventMessage, required: true, location_name: "message"))
     InputLogEvent.struct_class = Types::InputLogEvent
@@ -534,6 +570,7 @@ module Aws::CloudWatchLogs
     LogGroup.add_member(:stored_bytes, Shapes::ShapeRef.new(shape: StoredBytes, location_name: "storedBytes"))
     LogGroup.add_member(:kms_key_id, Shapes::ShapeRef.new(shape: KmsKeyId, location_name: "kmsKeyId"))
     LogGroup.add_member(:data_protection_status, Shapes::ShapeRef.new(shape: DataProtectionStatus, location_name: "dataProtectionStatus"))
+    LogGroup.add_member(:inherited_properties, Shapes::ShapeRef.new(shape: InheritedProperties, location_name: "inheritedProperties"))
     LogGroup.struct_class = Types::LogGroup
 
     LogGroupField.add_member(:name, Shapes::ShapeRef.new(shape: Field, location_name: "name"))
@@ -601,6 +638,15 @@ module Aws::CloudWatchLogs
 
     OutputLogEvents.member = Shapes::ShapeRef.new(shape: OutputLogEvent)
 
+    PutAccountPolicyRequest.add_member(:policy_name, Shapes::ShapeRef.new(shape: PolicyName, required: true, location_name: "policyName"))
+    PutAccountPolicyRequest.add_member(:policy_document, Shapes::ShapeRef.new(shape: AccountPolicyDocument, required: true, location_name: "policyDocument"))
+    PutAccountPolicyRequest.add_member(:policy_type, Shapes::ShapeRef.new(shape: PolicyType, required: true, location_name: "policyType"))
+    PutAccountPolicyRequest.add_member(:scope, Shapes::ShapeRef.new(shape: Scope, location_name: "scope"))
+    PutAccountPolicyRequest.struct_class = Types::PutAccountPolicyRequest
+
+    PutAccountPolicyResponse.add_member(:account_policy, Shapes::ShapeRef.new(shape: AccountPolicy, location_name: "accountPolicy"))
+    PutAccountPolicyResponse.struct_class = Types::PutAccountPolicyResponse
+
     PutDataProtectionPolicyRequest.add_member(:log_group_identifier, Shapes::ShapeRef.new(shape: LogGroupIdentifier, required: true, location_name: "logGroupIdentifier"))
     PutDataProtectionPolicyRequest.add_member(:policy_document, Shapes::ShapeRef.new(shape: DataProtectionPolicyDocument, required: true, location_name: "policyDocument"))
     PutDataProtectionPolicyRequest.struct_class = Types::PutDataProtectionPolicyRequest
@@ -879,6 +925,18 @@ module Aws::CloudWatchLogs
         o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
       end)
 
+      api.add_operation(:delete_account_policy, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DeleteAccountPolicy"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DeleteAccountPolicyRequest)
+        o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: OperationAbortedException)
+      end)
+
       api.add_operation(:delete_data_protection_policy, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DeleteDataProtectionPolicy"
         o.http_method = "POST"
@@ -985,6 +1043,18 @@ module Aws::CloudWatchLogs
         o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
       end)
 
+      api.add_operation(:describe_account_policies, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DescribeAccountPolicies"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DescribeAccountPoliciesRequest)
+        o.output = Shapes::ShapeRef.new(shape: DescribeAccountPoliciesResponse)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: OperationAbortedException)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
+      end)
+
       api.add_operation(:describe_destinations, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DescribeDestinations"
         o.http_method = "POST"
@@ -1224,6 +1294,18 @@ module Aws::CloudWatchLogs
         o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
       end)
 
+      api.add_operation(:put_account_policy, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "PutAccountPolicy"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: PutAccountPolicyRequest)
+        o.output = Shapes::ShapeRef.new(shape: PutAccountPolicyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: OperationAbortedException)
+        o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
+      end)
+
       api.add_operation(:put_data_protection_policy, Seahorse::Model::Operation.new.tap do |o|
         o.name = "PutDataProtectionPolicy"
         o.http_method = "POST"

data/lib/aws-sdk-cloudwatchlogs/endpoint_parameters.rb

@@ -50,9 +50,6 @@ module Aws::CloudWatchLogs
 
     def initialize(options = {})
       self[:region] = options[:region]
-      if self[:region].nil?
-        raise ArgumentError, "Missing required EndpointParameter: :region"
-      end
       self[:use_dual_stack] = options[:use_dual_stack]
       self[:use_dual_stack] = false if self[:use_dual_stack].nil?
       if self[:use_dual_stack].nil?

data/lib/aws-sdk-cloudwatchlogs/endpoint_provider.rb

@@ -14,42 +14,45 @@ module Aws::CloudWatchLogs
       use_dual_stack = parameters.use_dual_stack
       use_fips = parameters.use_fips
       endpoint = parameters.endpoint
-      if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
-        if Aws::Endpoints::Matchers.set?(endpoint)
-          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
-          end
-          if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-            raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
-          end
-          return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
+      if Aws::Endpoints::Matchers.set?(endpoint)
+        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
+          raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
         end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://logs-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
-          end
-          raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
+        if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+          raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
         end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
-            if Aws::Endpoints::Matchers.string_equals?(region, "us-gov-east-1")
-              return Aws::Endpoints::Endpoint.new(url: "https://logs.us-gov-east-1.amazonaws.com", headers: {}, properties: {})
+        return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
+      end
+      if Aws::Endpoints::Matchers.set?(region)
+        if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://logs-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
             end
-            if Aws::Endpoints::Matchers.string_equals?(region, "us-gov-west-1")
-              return Aws::Endpoints::Endpoint.new(url: "https://logs.us-gov-west-1.amazonaws.com", headers: {}, properties: {})
+            raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
+          end
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
+              if Aws::Endpoints::Matchers.string_equals?(region, "us-gov-east-1")
+                return Aws::Endpoints::Endpoint.new(url: "https://logs.us-gov-east-1.amazonaws.com", headers: {}, properties: {})
+              end
+              if Aws::Endpoints::Matchers.string_equals?(region, "us-gov-west-1")
+                return Aws::Endpoints::Endpoint.new(url: "https://logs.us-gov-west-1.amazonaws.com", headers: {}, properties: {})
+              end
+              return Aws::Endpoints::Endpoint.new(url: "https://logs-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
             end
-            return Aws::Endpoints::Endpoint.new(url: "https://logs-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
+            raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
           end
-          raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
-        end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://logs.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+          if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://logs.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
           end
-          raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
+          return Aws::Endpoints::Endpoint.new(url: "https://logs.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
         end
-        return Aws::Endpoints::Endpoint.new(url: "https://logs.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
       end
+      raise ArgumentError, "Invalid Configuration: Missing Region"
       raise ArgumentError, 'No endpoint could be resolved'
 
     end

data/lib/aws-sdk-cloudwatchlogs/endpoints.rb

@@ -81,6 +81,20 @@ module Aws::CloudWatchLogs
       end
     end
 
+    class DeleteAccountPolicy
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::CloudWatchLogs::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class DeleteDataProtectionPolicy
       def self.build(context)
         unless context.config.regional_endpoint
@@ -207,6 +221,20 @@ module Aws::CloudWatchLogs
       end
     end
 
+    class DescribeAccountPolicies
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::CloudWatchLogs::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class DescribeDestinations
       def self.build(context)
         unless context.config.regional_endpoint
@@ -459,6 +487,20 @@ module Aws::CloudWatchLogs
       end
     end
 
+    class PutAccountPolicy
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::CloudWatchLogs::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class PutDataProtectionPolicy
       def self.build(context)
         unless context.config.regional_endpoint

data/lib/aws-sdk-cloudwatchlogs/plugins/endpoints.rb

@@ -66,6 +66,8 @@ module Aws::CloudWatchLogs
             Aws::CloudWatchLogs::Endpoints::CreateLogGroup.build(context)
           when :create_log_stream
             Aws::CloudWatchLogs::Endpoints::CreateLogStream.build(context)
+          when :delete_account_policy
+            Aws::CloudWatchLogs::Endpoints::DeleteAccountPolicy.build(context)
           when :delete_data_protection_policy
             Aws::CloudWatchLogs::Endpoints::DeleteDataProtectionPolicy.build(context)
           when :delete_destination
@@ -84,6 +86,8 @@ module Aws::CloudWatchLogs
             Aws::CloudWatchLogs::Endpoints::DeleteRetentionPolicy.build(context)
           when :delete_subscription_filter
             Aws::CloudWatchLogs::Endpoints::DeleteSubscriptionFilter.build(context)
+          when :describe_account_policies
+            Aws::CloudWatchLogs::Endpoints::DescribeAccountPolicies.build(context)
           when :describe_destinations
             Aws::CloudWatchLogs::Endpoints::DescribeDestinations.build(context)
           when :describe_export_tasks
@@ -120,6 +124,8 @@ module Aws::CloudWatchLogs
             Aws::CloudWatchLogs::Endpoints::ListTagsForResource.build(context)
           when :list_tags_log_group
             Aws::CloudWatchLogs::Endpoints::ListTagsLogGroup.build(context)
+          when :put_account_policy
+            Aws::CloudWatchLogs::Endpoints::PutAccountPolicy.build(context)
           when :put_data_protection_policy
             Aws::CloudWatchLogs::Endpoints::PutDataProtectionPolicy.build(context)
           when :put_destination

data/lib/aws-sdk-cloudwatchlogs/types.rb

@@ -10,6 +10,49 @@
 module Aws::CloudWatchLogs
   module Types
 
+    # A structure that contains information about one CloudWatch Logs
+    # account policy.
+    #
+    # @!attribute [rw] policy_name
+    #   The name of the account policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_document
+    #   The policy document for this account policy.
+    #
+    #   The JSON specified in `policyDocument` can be up to 30,720
+    #   characters.
+    #   @return [String]
+    #
+    # @!attribute [rw] last_updated_time
+    #   The date and time that this policy was most recently updated.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] policy_type
+    #   The type of policy for this account policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] scope
+    #   The scope of the account policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] account_id
+    #   The Amazon Web Services account ID that the policy applies to.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/AccountPolicy AWS API Documentation
+    #
+    class AccountPolicy < Struct.new(
+      :policy_name,
+      :policy_document,
+      :last_updated_time,
+      :policy_type,
+      :scope,
+      :account_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] log_group_name
     #   The name of the log group.
     #   @return [String]
@@ -186,6 +229,24 @@ module Aws::CloudWatchLogs
       include Aws::Structure
     end
 
+    # @!attribute [rw] policy_name
+    #   The name of the policy to delete.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_type
+    #   The type of policy to delete. Currently, the only valid value is
+    #   `DATA_PROTECTION_POLICY`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DeleteAccountPolicyRequest AWS API Documentation
+    #
+    class DeleteAccountPolicyRequest < Struct.new(
+      :policy_name,
+      :policy_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] log_group_identifier
     #   The name or ARN of the log group that you want to delete the data
     #   protection policy for.
@@ -329,6 +390,51 @@ module Aws::CloudWatchLogs
       include Aws::Structure
     end
 
+    # @!attribute [rw] policy_type
+    #   Use this parameter to limit the returned policies to only the
+    #   policies that match the policy type that you specify. Currently, the
+    #   only valid value is `DATA_PROTECTION_POLICY`.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_name
+    #   Use this parameter to limit the returned policies to only the policy
+    #   with the name that you specify.
+    #   @return [String]
+    #
+    # @!attribute [rw] account_identifiers
+    #   If you are using an account that is set up as a monitoring account
+    #   for CloudWatch unified cross-account observability, you can use this
+    #   to specify the account ID of a source account. If you do, the
+    #   operation returns the account policy for the specified account.
+    #   Currently, you can specify only one account ID in this parameter.
+    #
+    #   If you omit this parameter, only the policy in the current account
+    #   is returned.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DescribeAccountPoliciesRequest AWS API Documentation
+    #
+    class DescribeAccountPoliciesRequest < Struct.new(
+      :policy_type,
+      :policy_name,
+      :account_identifiers)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_policies
+    #   An array of structures that contain information about the CloudWatch
+    #   Logs account policies that match the specified filters.
+    #   @return [Array<Types::AccountPolicy>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DescribeAccountPoliciesResponse AWS API Documentation
+    #
+    class DescribeAccountPoliciesResponse < Struct.new(
+      :account_policies)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] destination_name_prefix
     #   The prefix to match. If you don't specify a value, no prefix filter
     #   is applied.
@@ -443,6 +549,10 @@ module Aws::CloudWatchLogs
     #   log groups named `FooBar`, `aws/Foo`, and `GroupFoo` would match,
     #   but `foo`, `F/o/o` and `Froo` would not match.
     #
+    #   If you specify `logGroupNamePattern` in your request, then only
+    #   `arn`, `creationTime`, and `logGroupName` are included in the
+    #   response.
+    #
     #   <note markdown="1"> `logGroupNamePattern` and `logGroupNamePrefix` are mutually
     #   exclusive. Only one of these parameters can be passed.
     #
@@ -468,12 +578,6 @@ module Aws::CloudWatchLogs
     #   a null value, the operation returns all log groups in the monitoring
     #   account and all log groups in all source accounts that are linked to
     #   the monitoring account.
-    #
-    #   <note markdown="1"> If you specify `includeLinkedAccounts` in your request, then
-    #   `metricFilterCount`, `retentionInDays`, and `storedBytes` are not
-    #   included in the response.
-    #
-    #    </note>
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/DescribeLogGroupsRequest AWS API Documentation
@@ -1434,7 +1538,7 @@ module Aws::CloudWatchLogs
     #   are `Cancelled`, `Complete`, `Failed`, `Running`, `Scheduled`,
     #   `Timeout`, and `Unknown`.
     #
-    #   Queries time out after 15 minutes of runtime. To avoid having your
+    #   Queries time out after 60 minutes of runtime. To avoid having your
     #   queries time out, reduce the time range being searched or partition
     #   your query into a number of queries.
     #   @return [String]
@@ -1458,7 +1562,7 @@ module Aws::CloudWatchLogs
     #   @return [Integer]
     #
     # @!attribute [rw] message
-    #   The raw event message.
+    #   The raw event message. Each log event can be no larger than 256 KB.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/InputLogEvent AWS API Documentation
@@ -1582,7 +1686,8 @@ module Aws::CloudWatchLogs
     # @!attribute [rw] retention_in_days
     #   The number of days to retain the log events in the specified log
     #   group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150,
-    #   180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, and 3653.
+    #   180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and
+    #   3653.
     #
     #   To set a log group so that its log events do not expire, use
     #   [DeleteRetentionPolicy][1].
@@ -1619,6 +1724,11 @@ module Aws::CloudWatchLogs
     #   [1]: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDataProtectionPolicy.html
     #   @return [String]
     #
+    # @!attribute [rw] inherited_properties
+    #   Displays all the properties that this log group has inherited from
+    #   account-level settings.
+    #   @return [Array<String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/LogGroup AWS API Documentation
     #
     class LogGroup < Struct.new(
@@ -1629,7 +1739,8 @@ module Aws::CloudWatchLogs
       :arn,
       :stored_bytes,
       :kms_key_id,
-      :data_protection_status)
+      :data_protection_status,
+      :inherited_properties)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1916,6 +2027,92 @@ module Aws::CloudWatchLogs
       include Aws::Structure
     end
 
+    # @!attribute [rw] policy_name
+    #   A name for the policy. This must be unique within the account.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_document
+    #   Specify the data protection policy, in JSON.
+    #
+    #   This policy must include two JSON blocks:
+    #
+    #   * The first block must include both a `DataIdentifer` array and an
+    #     `Operation` property with an `Audit` action. The `DataIdentifer`
+    #     array lists the types of sensitive data that you want to mask. For
+    #     more information about the available options, see [Types of data
+    #     that you can mask][1].
+    #
+    #     The `Operation` property with an `Audit` action is required to
+    #     find the sensitive data terms. This `Audit` action must contain a
+    #     `FindingsDestination` object. You can optionally use that
+    #     `FindingsDestination` object to list one or more destinations to
+    #     send audit findings to. If you specify destinations such as log
+    #     groups, Kinesis Data Firehose streams, and S3 buckets, they must
+    #     already exist.
+    #
+    #   * The second block must include both a `DataIdentifer` array and an
+    #     `Operation` property with an `Deidentify` action. The
+    #     `DataIdentifer` array must exactly match the `DataIdentifer` array
+    #     in the first block of the policy.
+    #
+    #     The `Operation` property with the `Deidentify` action is what
+    #     actually masks the data, and it must contain the ` "MaskConfig":
+    #     \{\}` object. The ` "MaskConfig": \{\}` object must be empty.
+    #
+    #   For an example data protection policy, see the **Examples** section
+    #   on this page.
+    #
+    #   The contents of the two `DataIdentifer` arrays must match exactly.
+    #
+    #   In addition to the two JSON blocks, the `policyDocument` can also
+    #   include `Name`, `Description`, and `Version` fields. The `Name` is
+    #   different than the operation's `policyName` parameter, and is used
+    #   as a dimension when CloudWatch Logs reports audit findings metrics
+    #   to CloudWatch.
+    #
+    #   The JSON specified in `policyDocument` can be up to 30,720
+    #   characters.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_type
+    #   Currently the only valid value for this parameter is
+    #   `DATA_PROTECTION_POLICY`.
+    #   @return [String]
+    #
+    # @!attribute [rw] scope
+    #   Currently the only valid value for this parameter is `GLOBAL`, which
+    #   specifies that the data protection policy applies to all log groups
+    #   in the account. If you omit this parameter, the default of `GLOBAL`
+    #   is used.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/PutAccountPolicyRequest AWS API Documentation
+    #
+    class PutAccountPolicyRequest < Struct.new(
+      :policy_name,
+      :policy_document,
+      :policy_type,
+      :scope)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account_policy
+    #   The account policy that you created.
+    #   @return [Types::AccountPolicy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/PutAccountPolicyResponse AWS API Documentation
+    #
+    class PutAccountPolicyResponse < Struct.new(
+      :account_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] log_group_identifier
     #   Specify either the log group name or log group ARN.
     #   @return [String]
@@ -1951,7 +2148,15 @@ module Aws::CloudWatchLogs
     #   For an example data protection policy, see the **Examples** section
     #   on this page.
     #
-    #   The contents of two `DataIdentifer` arrays must match exactly.
+    #   The contents of the two `DataIdentifer` arrays must match exactly.
+    #
+    #   In addition to the two JSON blocks, the `policyDocument` can also
+    #   include `Name`, `Description`, and `Version` fields. The `Name` is
+    #   used as a dimension when CloudWatch Logs reports audit findings
+    #   metrics to CloudWatch.
+    #
+    #   The JSON specified in `policyDocument` can be up to 30,720
+    #   characters.
     #
     #
     #
@@ -2002,13 +2207,14 @@ module Aws::CloudWatchLogs
     # @!attribute [rw] force_update
     #   Specify true if you are updating an existing destination policy to
     #   grant permission to an organization ID instead of granting
-    #   permission to individual AWS accounts. Before you update a
-    #   destination policy this way, you must first update the subscription
-    #   filters in the accounts that send logs to this destination. If you
-    #   do not, the subscription filters might stop working. By specifying
-    #   `true` for `forceUpdate`, you are affirming that you have already
-    #   updated the subscription filters. For more information, see [
-    #   Updating an existing cross-account subscription][1]
+    #   permission to individual Amazon Web Services accounts. Before you
+    #   update a destination policy this way, you must first update the
+    #   subscription filters in the accounts that send logs to this
+    #   destination. If you do not, the subscription filters might stop
+    #   working. By specifying `true` for `forceUpdate`, you are affirming
+    #   that you have already updated the subscription filters. For more
+    #   information, see [ Updating an existing cross-account
+    #   subscription][1]
     #
     #   If you omit this parameter, the default of `false` is used.
     #
@@ -2297,7 +2503,8 @@ module Aws::CloudWatchLogs
     # @!attribute [rw] retention_in_days
     #   The number of days to retain the log events in the specified log
     #   group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150,
-    #   180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, and 3653.
+    #   180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and
+    #   3653.
     #
     #   To set a log group so that its log events do not expire, use
     #   [DeleteRetentionPolicy][1].

data/lib/aws-sdk-cloudwatchlogs.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-cloudwatchlogs/customizations'
 # @!group service
 module Aws::CloudWatchLogs
 
-  GEM_VERSION = '1.63.0'
+  GEM_VERSION = '1.64.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-cloudwatchlogs
 version: !ruby/object:Gem::Version
-  version: 1.63.0
+  version: 1.64.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-31 00:00:00.000000000 Z
+date: 2023-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core