AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-12-07 · Documentation low

File: AmazonCloudWatch/latest/logs/S3ExportTasks.md

Summary

Updated section headers and step descriptions to explicitly indicate CLI-specific instructions for S3 export tasks. Added '(CLI)' suffix to multiple headings and updated cross-references between steps.

Security assessment

The changes primarily clarify that instructions are CLI-specific rather than console-based. While the documentation discusses security elements like IAM permissions and SSE-KMS encryption, these were already present in previous versions. The modifications don't introduce new security controls or address specific vulnerabilities.

Diff

diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasks.md b/AmazonCloudWatch/latest/logs/S3ExportTasks.md
index ff1a9d34d..b36db79d1 100644
--- a//AmazonCloudWatch/latest/logs/S3ExportTasks.md
+++ b//AmazonCloudWatch/latest/logs/S3ExportTasks.md
@@ -5 +5 @@
-Same-account exportCross-account export
+Same-account export (CLI)Cross-account export (CLI)
@@ -17 +17 @@ The details of how you set up the export depends on whether the Amazon S3 bucket
-  * Same-account export
+  * Same-account export (CLI)
@@ -19 +19 @@ The details of how you set up the export depends on whether the Amazon S3 bucket
-  * Cross-account export
+  * Cross-account export (CLI)
@@ -24 +24 @@ The details of how you set up the export depends on whether the Amazon S3 bucket
-## Same-account export
+## Same-account export (CLI)
@@ -30 +30 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * Step 1: Create an S3 bucket
+  * Create an S3 bucket (CLI)
@@ -32 +32 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * Step 2: Set up access permissions
+  * Set up access permissions (CLI)
@@ -34 +34 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * Step 3: Set permissions on an S3 bucket
+  * Set permissions on an S3 bucket (CLI)
@@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS
+  * (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI)
@@ -38 +38 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * Step 5: Create an export task
+  * Create an export task (CLI)
@@ -43 +43 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-### Step 1: Create an S3 bucket
+### Create an S3 bucket (CLI)
@@ -45 +45 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip to step 2.
+We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip this procedure.
@@ -65 +65 @@ The following is example output.
-### Step 2: Set up access permissions
+### Set up access permissions (CLI)
@@ -67 +67 @@ The following is example output.
-To create the export task in step 5, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with the following permissions:
+To create the export task later, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with the following permissions:
@@ -101 +101 @@ Create a role for identity federation. Follow the instructions in [Create a role
-### Step 3: Set permissions on an S3 bucket
+### Set permissions on an S3 bucket (CLI)
@@ -185 +185 @@ If the existing bucket already has one or more policies attached to it, add the
-### (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS
+### (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI)
@@ -187 +187 @@ If the existing bucket already has one or more policies attached to it, add the
-This step is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. 
+This procedure is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. 
@@ -288 +288 @@ If the command doesn't return an error, the process is successful.
-### Step 5: Create an export task
+### Create an export task (CLI)
@@ -294 +294 @@ Use the following command to create the export task. After you create it, the ex
-  1. Sign in with sufficient permissions as documented in Step 2: Set up access permissions.
+  1. Sign in with sufficient permissions as documented in Set up access permissions (CLI).
@@ -309 +309 @@ The following is example output.
-## Cross-account export
+## Cross-account export (CLI)
@@ -315 +315 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * Step 1: Create an S3 bucket
+  * Create an S3 bucket for cross-account export (CLI)
@@ -317 +317 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * Step 2: Set up access permissions
+  * Set up access permissions for cross-account export (CLI)
@@ -319 +319 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * Step 3: Set permissions on an S3 bucket
+  * Set permissions on an S3 bucket for cross-account export (CLI)
@@ -321 +321 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS
+  * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI)
@@ -323 +323 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * Step 5: Create an export task
+  * Create an export task for cross-account export (CLI)
@@ -328 +328 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-### Step 1: Create an S3 bucket
+### Create an S3 bucket for cross-account export (CLI)
@@ -350 +350 @@ The following is example output.
-### Step 2: Set up access permissions
+### Set up access permissions for cross-account export (CLI)
@@ -354 +354 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s
-To create the export task in step 5, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with certain other permissions. You can create a policy that contains some of these other necessary permissions.
+To create the export task later, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with certain other permissions. You can create a policy that contains some of these other necessary permissions.
@@ -405 +405 @@ JSON
-To create the export task in step 5, you must be signed on with the `AmazonS3ReadOnlyAccess` IAM role, the IAM policy that you just created, and also with the following permissions:
+To create the export task later, you must be signed on with the `AmazonS3ReadOnlyAccess` IAM role, the IAM policy that you just created, and also with the following permissions:
@@ -439 +439 @@ Create a role for identity federation. Follow the instructions in [Create a role
-### Step 3: Set permissions on an S3 bucket
+### Set permissions on an S3 bucket for cross-account export (CLI)
@@ -533 +533 @@ If the existing bucket already has one or more policies attached to it, add the
-### (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS
+### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI)
@@ -535 +535 @@ If the existing bucket already has one or more policies attached to it, add the
-This step is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. 
+This procedure is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. 
@@ -648 +648 @@ If the command doesn't return an error, the process is successful.
-### Step 5: Create an export task
+### Create an export task for cross-account export (CLI)
@@ -654 +654 @@ Use the following command to create the export task. After you create it, the ex
-  1. Sign in with sufficient permissions as documented in Step 2: Set up access permissions.
+  1. Sign in with sufficient permissions as documented in Set up access permissions (CLI).
@@ -677 +677 @@ Export log data to Amazon S3 using the console
-Describe export tasks
+Describe export tasks (CLI)