AWS AmazonCloudWatch documentation change
Summary
Updated section headers and step descriptions to explicitly indicate CLI-specific instructions for S3 export tasks. Added '(CLI)' suffix to multiple headings and updated cross-references between steps.
Security assessment
The changes primarily clarify that instructions are CLI-specific rather than console-based. While the documentation discusses security elements like IAM permissions and SSE-KMS encryption, these were already present in previous versions. The modifications don't introduce new security controls or address specific vulnerabilities.
Diff
diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasks.md b/AmazonCloudWatch/latest/logs/S3ExportTasks.md index ff1a9d34d..b36db79d1 100644 --- a//AmazonCloudWatch/latest/logs/S3ExportTasks.md +++ b//AmazonCloudWatch/latest/logs/S3ExportTasks.md @@ -5 +5 @@ -Same-account exportCross-account export +Same-account export (CLI)Cross-account export (CLI) @@ -17 +17 @@ The details of how you set up the export depends on whether the Amazon S3 bucket - * Same-account export + * Same-account export (CLI) @@ -19 +19 @@ The details of how you set up the export depends on whether the Amazon S3 bucket - * Cross-account export + * Cross-account export (CLI) @@ -24 +24 @@ The details of how you set up the export depends on whether the Amazon S3 bucket -## Same-account export +## Same-account export (CLI) @@ -30 +30 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 1: Create an S3 bucket + * Create an S3 bucket (CLI) @@ -32 +32 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 2: Set up access permissions + * Set up access permissions (CLI) @@ -34 +34 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 3: Set permissions on an S3 bucket + * Set permissions on an S3 bucket (CLI) @@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS + * (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI) @@ -38 +38 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 5: Create an export task + * Create an export task (CLI) @@ -43 +43 @@ If the Amazon S3 bucket is in the same account as the logs that are being export -### Step 1: Create an S3 bucket +### Create an S3 bucket (CLI) @@ -45 +45 @@ If the Amazon S3 bucket is in the same account as the logs that are being export -We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip to step 2. +We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip this procedure. @@ -65 +65 @@ The following is example output. -### Step 2: Set up access permissions +### Set up access permissions (CLI) @@ -67 +67 @@ The following is example output. -To create the export task in step 5, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with the following permissions: +To create the export task later, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with the following permissions: @@ -101 +101 @@ Create a role for identity federation. Follow the instructions in [Create a role -### Step 3: Set permissions on an S3 bucket +### Set permissions on an S3 bucket (CLI) @@ -185 +185 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS +### (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI) @@ -187 +187 @@ If the existing bucket already has one or more policies attached to it, add the -This step is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. +This procedure is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. @@ -288 +288 @@ If the command doesn't return an error, the process is successful. -### Step 5: Create an export task +### Create an export task (CLI) @@ -294 +294 @@ Use the following command to create the export task. After you create it, the ex - 1. Sign in with sufficient permissions as documented in Step 2: Set up access permissions. + 1. Sign in with sufficient permissions as documented in Set up access permissions (CLI). @@ -309 +309 @@ The following is example output. -## Cross-account export +## Cross-account export (CLI) @@ -315 +315 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 1: Create an S3 bucket + * Create an S3 bucket for cross-account export (CLI) @@ -317 +317 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 2: Set up access permissions + * Set up access permissions for cross-account export (CLI) @@ -319 +319 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 3: Set permissions on an S3 bucket + * Set permissions on an S3 bucket for cross-account export (CLI) @@ -321 +321 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS + * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI) @@ -323 +323 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 5: Create an export task + * Create an export task for cross-account export (CLI) @@ -328 +328 @@ If the Amazon S3 bucket is in a different account than the logs that are being e -### Step 1: Create an S3 bucket +### Create an S3 bucket for cross-account export (CLI) @@ -350 +350 @@ The following is example output. -### Step 2: Set up access permissions +### Set up access permissions for cross-account export (CLI) @@ -354 +354 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s -To create the export task in step 5, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with certain other permissions. You can create a policy that contains some of these other necessary permissions. +To create the export task later, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with certain other permissions. You can create a policy that contains some of these other necessary permissions. @@ -405 +405 @@ JSON -To create the export task in step 5, you must be signed on with the `AmazonS3ReadOnlyAccess` IAM role, the IAM policy that you just created, and also with the following permissions: +To create the export task later, you must be signed on with the `AmazonS3ReadOnlyAccess` IAM role, the IAM policy that you just created, and also with the following permissions: @@ -439 +439 @@ Create a role for identity federation. Follow the instructions in [Create a role -### Step 3: Set permissions on an S3 bucket +### Set permissions on an S3 bucket for cross-account export (CLI) @@ -533 +533 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS +### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI) @@ -535 +535 @@ If the existing bucket already has one or more policies attached to it, add the -This step is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. +This procedure is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. @@ -648 +648 @@ If the command doesn't return an error, the process is successful. -### Step 5: Create an export task +### Create an export task for cross-account export (CLI) @@ -654 +654 @@ Use the following command to create the export task. After you create it, the ex - 1. Sign in with sufficient permissions as documented in Step 2: Set up access permissions. + 1. Sign in with sufficient permissions as documented in Set up access permissions (CLI). @@ -677 +677 @@ Export log data to Amazon S3 using the console -Describe export tasks +Describe export tasks (CLI)