CloudWatch Pipelines update

CloudWatch Pipelines received new features for compliance and governance, including drop and conditional processing options mentioned in recent AWS notes (x.com). The capability appeared alongside other AWS updates this week in social briefings documenting practical service changes (x.com).

Amazon Web Services has added drop and conditional processing to CloudWatch pipelines, giving teams a way to filter or route log records before they land in CloudWatch Logs. (docs.aws.amazon.com)

CloudWatch pipelines is Amazon’s managed log collector for AWS services, third-party tools, and custom sources, and it applies processors in sequence as data moves from one source to one destination. Amazon says an account can run as many as 330 pipelines, including up to 300 for CloudWatch Logs sources and 30 for other sources. (docs.aws.amazon.com)

In the pipeline wizard, users can now add conditional rules with a `when` parameter so a processor acts only on matching records. Amazon also documents a “Keep original log” option for AWS vended log sources, which stores a raw copy before any transformation for audits or investigations. (docs.aws.amazon.com)

A log pipeline is the assembly line between a source and a destination: it parses, renames, enriches, or standardizes fields while data is still moving. In CloudWatch, those processors can also convert records into the Open Cybersecurity Schema Framework, a shared security log format that Amazon promotes for analytics and compliance work. (docs.aws.amazon.com; aws.amazon.com)

That matters because Amazon has been pushing CloudWatch beyond infrastructure dashboards into a single store for operational, security, and compliance data. In its December 2, 2025 launch note for the broader unified data platform, Amazon said teams could aggregate logs across accounts and Regions and analyze them in CloudWatch or Apache Iceberg-compatible tools. (aws.amazon.com) The new controls fit that pitch by letting customers decide which events should be transformed, which should be preserved in raw form, and which can be excluded before downstream storage and analysis.

Amazon’s documentation also says pipeline processor configurations are logged in AWS CloudTrail for auditing, and warns customers not to place passwords or API keys in those configurations. (docs.aws.amazon.com)

CloudWatch pipelines still writes to a single sink today: CloudWatch Logs. Amazon says CloudWatch Logs sources are metered before pipeline processing, while third-party and Amazon Simple Storage Service sources are treated as custom logs and metered after processing; standard ingestion and storage charges still apply even though the pipeline feature itself carries no added fee. (docs.aws.amazon.com; docs.aws.amazon.com)

Amazon has also tightened the permission model around the feature. Its identity and access management reference says callers may need `iam:PassRole`, and CloudWatch Logs sources also require `logs:PutPipelineRule` and `logs:DeletePipelineRule` for create, update, and delete operations. (docs.aws.amazon.com)

The result is a more opinionated CloudWatch ingest layer: not just collecting logs, but deciding which records get changed, kept, or discarded before they become part of the permanent store. (docs.aws.amazon.com; docs.aws.amazon.com)
