AWS AmazonCloudWatch documentation change
Summary
Updated terminology from 'S3 bucket' to 'Amazon S3 bucket' throughout the document for consistency. Added guidance about S3 Object Ownership ACL requirements in IAM policies.
Security assessment
The change adds documentation about required IAM policy configurations when using S3 Object Ownership ACLs (s3:PutObjectAcl action), which is a security-related best practice for access control. However, there is no evidence this addresses a specific disclosed security vulnerability.
Diff
diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md b/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md index 86a240ef4..3f9120952 100644 --- a//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md +++ b//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md @@ -34 +34 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 3: Set permissions on an S3 bucket + * Step 3: Set permissions on an Amazon S3 bucket @@ -49 +49 @@ We recommend that you use a bucket that was created specifically for CloudWatch -The S3 bucket must reside in the same Region as the log data to export. CloudWatch Logs doesn't support exporting data to S3 buckets in a different Region. +The Amazon S3 bucket must reside in the same Region as the log data to export. CloudWatch Logs doesn't support exporting data to Amazon S3 buckets in a different Region. @@ -51 +51 @@ The S3 bucket must reside in the same Region as the log data to export. CloudWat -###### To create an S3 bucket +###### To create an Amazon S3 bucket @@ -104 +104 @@ Create a role for identity federation. Follow the instructions in [Create a role -### Step 3: Set permissions on an S3 bucket +### Step 3: Set permissions on an Amazon S3 bucket @@ -106 +106 @@ Create a role for identity federation. Follow the instructions in [Create a role -By default, all S3 buckets and objects are private. Only the resource owner, the AWS account that created the bucket, can access the bucket and any objects that it contains. However, the resource owner can choose to grant access permissions to other resources and users by writing an access policy. +By default, all Amazon S3 buckets and objects are private. Only the resource owner, the AWS account that created the bucket, can access the bucket and any objects that it contains. However, the resource owner can choose to grant access permissions to other resources and users by writing an access policy. @@ -112 +112 @@ When you set the policy, we recommend that you include a randomly generated stri -To make exports to S3 buckets more secure, we now require you to specify the list of source accounts that are allowed to export log data to your S3 bucket. +To make exports to Amazon S3 buckets more secure, we now require you to specify the list of source accounts that are allowed to export log data to your S3 bucket. @@ -114 +114 @@ To make exports to S3 buckets more secure, we now require you to specify the lis -In the following example, the list of account IDs in the `aws:SourceAccount` key would be the accounts from which a user can export log data to your S3 bucket. The `aws:SourceArn` key would be the resource for which the action is being taken. You may restrict this to a specific log group, or use a wildcard as shown in this example. +In the following example, the list of account IDs in the `aws:SourceAccount` key would be the accounts from which a user can export log data to your Amazon S3 bucket. The `aws:SourceArn` key would be the resource for which the action is being taken. You may restrict this to a specific log group, or use a wildcard as shown in this example. @@ -183 +183 @@ JSON - 4. Choose **Save** to set the policy that you just added as the access policy on your bucket. This policy enables CloudWatch Logs to export log data to your S3 bucket. The bucket owner has full permissions on all of the exported objects. + 4. Choose **Save** to set the policy that you just added as the access policy on your bucket. This policy enables CloudWatch Logs to export log data to your Amazon S3 bucket. The bucket owner has full permissions on all of the exported objects. @@ -194 +194 @@ If the existing bucket already has one or more policies attached to it, add the -This step is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. +This step is necessary only if you are exporting to an Amazon S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. @@ -310 +310 @@ In this step, you create the export task for exporting logs from a log group. - 9. For **S3 bucket name** , choose an S3 bucket. + 9. For **S3 bucket name** , choose an &S3; bucket. @@ -346 +346 @@ We recommend that you use a bucket that was created specifically for CloudWatch -The S3 bucket must reside in the same Region as the log data to export. CloudWatch Logs doesn't support exporting data to S3 buckets in a different Region. +The Amazon S3 bucket must reside in the same Region as the log data to export. CloudWatch Logs doesn't support exporting data to Amazon S3 buckets in a different Region. @@ -348 +348 @@ The S3 bucket must reside in the same Region as the log data to export. CloudWat -###### To create an S3 bucket +###### To create an Amazon S3 bucket @@ -369 +369 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s -The policy that you create depends on whether the destination bucket uses AWS KMS encryption. +The policy that you create depends on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. If ACLs are enabled on the bucket use the `s3:PutObjectAcl` action instead.