AWS step-functions medium security documentation change
Summary
Restructured troubleshooting section, added details about CloudWatch Logs resource policy quotas (10 policies limit) and CLI commands for policy management
Security assessment
The change addresses potential security-related misconfigurations by documenting IAM permission requirements and CloudWatch Logs policy limits. The added error message 'AccessDeniedException' and policy quota enforcement help prevent insecure configurations that could lead to logging failures or unauthorized access. The 10-policy limit documentation helps avoid service disruptions that could impact security monitoring.
Diff
diff --git a/step-functions/latest/dg/cw-logs.md b/step-functions/latest/dg/cw-logs.md index 6fc6966d9..50c799fc8 100644 --- a//step-functions/latest/dg/cw-logs.md +++ b//step-functions/latest/dg/cw-logs.md @@ -5 +5 @@ -Configure loggingCloudWatch Logs payloadsIAM Policies for logging to CloudWatch LogsEvent log levels +Configure loggingCloudWatch Logs payloadsIAM Policies for logging to CloudWatch LogsEvent log levelsTroubleshooting @@ -90,17 +89,0 @@ The following is an example policy you can use to configure your permissions. As -###### - -Troubleshooting state machine logging to CloudWatch Logs - -If your state machine cannot send logs to CloudWatch Logs, try the following steps: - - 1. Verify your state machine's execution role has permission to log to CloudWatch Logs. - -When you call [CreateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateStateMachine.html) or [UpdateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_UpdateStateMachine.html) API endpoints, make sure the IAM role specified in the `roleArn` parameter provides the necessary permissions, shown in the preceding IAM policy example. - - 2. Verify the CloudWatch Logs resource policy does not exceed the 5,120 character limit. - -If the policy exceeds the character limit, prefix your log group names with `/aws/vendedlogs/states` to grant permissions to your state machines and avoid the limit. When you create a log group in the Step Functions console, the suggested log group names are already prefixed with `/aws/vendedlogs/states`. For more information on logging best practices, see [CloudWatch Logs resource policy size limits](./sfn-best-practices.html#bp-cwl). - - - - @@ -166,0 +150,35 @@ WaitStateExited | Logged | _Not logged_ | _Not logged_ | _Not logged_ +## Troubleshooting logging to CloudWatch Logs + +If your state machine cannot send logs to CloudWatch Logs or you receive the error: "`AccessDeniedException : The state machine IAM Role is not authorized to access the Log Destination`", try the following steps: + + 1. Verify your state machine's execution role has permission to log to CloudWatch Logs. + +When you call [CreateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateStateMachine.html) or [UpdateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_UpdateStateMachine.html) API endpoints, make sure the IAM role specified in the `roleArn` parameter provides the necessary permissions, shown in the preceding IAM policy example. + + 2. Verify the CloudWatch Logs resource policy does not exceed the 5,120 character limit. + +If the policy exceeds the character limit, prefix your log group names with `/aws/vendedlogs/states` to grant permissions to your state machines and avoid the limit. + +When you create a log group in the Step Functions console, the suggested log group names are already prefixed with `/aws/vendedlogs/states`. For more information on logging best practices, see [Avoiding CloudWatch resource policy size limits](./sfn-best-practices.html#bp-cwl). + + 3. Verify the number of CloudWatch Logs log resource policies in the account is less than **ten**. + +CloudWatch Logs has a quota of ten resource policies per region, per account. If you try to enable logging on a state machine that already has ten resource policies, the state machine will not be created nor updated, and you will receive an error. For more information about logging quotas, see [CloudWatch Logs quotas](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html) + +To verify the problem, check the number of resource policies using the CLI command: + +[`aws logs describe-resource-policies`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/describe-resource-policies.html) + +To resolve the problem, modify your existing resource policies. + +First, back up the existing policies. Then, join similar actions or resources into a new policy and use the following CLI command to create a new delivery source in the account: + +[`aws logs put-delivery-source`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/put-delivery-source.html) + +After backing up and updating the policies, remove any unused policies with the following command: + +[`aws logs delete-resource-policy --policy-name <PolicyNameToBeDeleted>`](https://docs.aws.amazon.com/cli/latest/reference/logs/delete-resource-policy.html) + + + +