AWS systems-manager-automation-runbooks documentation change
Summary
Added requirement for AWS CLI/Tools for Windows PowerShell installation on target instances when using LogDestination parameter
Security assessment
The change introduces a prerequisite for CLI tools but does not address security vulnerabilities or add security features. The security checks for S3 bucket policies and ACLs were already documented. This update focuses on operational requirements rather than security controls.
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collectecsinstancelogs.md b/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collectecsinstancelogs.md index 44a11b487..be6d9944e 100644 --- a//systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collectecsinstancelogs.md +++ b//systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collectecsinstancelogs.md @@ -11 +11 @@ The `AWSSupport-CollectECSInstanceLogs` runbook collects operating system and Am -If you specify a value for the `LogDestination` parameter, the automation evaluates the policy status of the Amazon Simple Storage Service (Amazon S3) bucket you specify. To help with the security of the logs gathered from your Amazon EC2 instance, if the policy status `isPublic` is set to `true` , or if the access control list (ACL) grants `READ|WRITE` permissions to the `All Users` Amazon S3 predefined group, the logs are not uploaded. Additionaly, if the provided bucket is not available in your account, the logs are not uploaded. For more information about Amazon S3 predefined groups, see [ Amazon S3 predefined groups](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#specifying-grantee-predefined-groups) in the _Amazon Simple Storage Service User Guide_ . +If you specify a value for the `LogDestination` parameter, the target instance must have the AWS Command Line Interface (AWS CLI) for Linux instances or Tools for Windows PowerShell for Windows instances installed. The automation evaluates the policy status of the Amazon Simple Storage Service (Amazon S3) bucket you specify. To help with the security of the logs gathered from your Amazon EC2 instance, if the policy status `isPublic` is set to `true` , or if the access control list (ACL) grants `READ|WRITE` permissions to the `All Users` Amazon S3 predefined group, the logs are not uploaded. Additionaly, if the provided bucket is not available in your account, the logs are not uploaded. For more information about Amazon S3 predefined g roups, see [ Amazon S3 predefined groups](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#specifying-grantee-predefined-groups) in the _Amazon Simple Storage Service User Guide_ .