AWS AmazonCloudWatch documentation change
Summary
Updated documentation headings and step references to clarify console-specific procedures for S3 export tasks. Added '(console)' qualifiers to differentiate from CLI instructions, removed step numbering in favor of descriptive headings, and updated cross-references.
Security assessment
The changes are primarily organizational/instructional clarifications rather than security-related updates. While IAM permissions and encryption (SSE-KMS) are mentioned, these are existing security controls being documented more clearly rather than new security features or vulnerability fixes. No concrete evidence of addressing a specific security vulnerability or weakness was found in the diff.
Diff
diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md b/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md index 1250bab6f..f44b1cac0 100644 --- a//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md +++ b//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md @@ -5 +5 @@ -Same-account exportCross-account export +Same-account export (console)Cross-account export (console) @@ -17 +17 @@ The details of how you set up the export depends on whether the Amazon S3 bucket - * Same-account export + * Same-account export (console) @@ -19 +19 @@ The details of how you set up the export depends on whether the Amazon S3 bucket - * Cross-account export + * Cross-account export (console) @@ -24 +24 @@ The details of how you set up the export depends on whether the Amazon S3 bucket -## Same-account export +## Same-account export (console) @@ -30 +30 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 1: Create an Amazon S3 bucket + * Create an Amazon S3 bucket (console) @@ -32 +32 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 2: Set up access permissions + * Set up access permissions (console) @@ -34 +34 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 3: Set permissions on an Amazon S3 bucket + * Set permissions on an Amazon S3 bucket (console) @@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS + * (Optional) Exporting to a bucket encrypted with SSE-KMS (console) @@ -38 +38 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * Step 5: Create an export task + * Create an export task (console) @@ -43 +43 @@ If the Amazon S3 bucket is in the same account as the logs that are being export -### Step 1: Create an Amazon S3 bucket +### Create an Amazon S3 bucket (console) @@ -68 +68 @@ The Amazon S3 bucket must reside in the same Region as the log data to export. C -### Step 2: Set up access permissions +### Set up access permissions (console) @@ -70 +70 @@ The Amazon S3 bucket must reside in the same Region as the log data to export. C -To create the export task in step 5, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with the following permissions: +To create the export task, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with the following permissions: @@ -104 +104 @@ Create a role for identity federation. Follow the instructions in [Create a role -### Step 3: Set permissions on an Amazon S3 bucket +### Set permissions on an Amazon S3 bucket (console) @@ -120 +120 @@ We recommend that you also include the account ID of the account where the S3 bu - 1. In the Amazon S3 console, choose the bucket that you created in step 1. + 1. In the Amazon S3 console, choose the bucket that you created. @@ -192 +192 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS +### (Optional) Exporting to a bucket encrypted with SSE-KMS (console) @@ -271 +271 @@ JSON - 16. Find the bucket that you created in [Step 1: Create an S3 bucket](./S3ExportTasks.html#CreateS3Bucket) and choose the bucket name. + 16. Find the bucket that you created in [Create an S3 bucket (CLI)](./S3ExportTasks.html#CreateS3Bucket) and choose the bucket name. @@ -288 +288 @@ JSON -### Step 5: Create an export task +### Create an export task (console) @@ -290 +290 @@ JSON -In this step, you create the export task for exporting logs from a log group. +In this procedure, you create the export task for exporting logs from a log group. @@ -294 +294 @@ In this step, you create the export task for exporting logs from a log group. - 1. Sign in with sufficient permissions as documented in Step 2: Set up access permissions. + 1. Sign in with sufficient permissions as documented in Set up access permissions (console). @@ -321 +321 @@ In this step, you create the export task for exporting logs from a log group. -## Cross-account export +## Cross-account export (console) @@ -327 +327 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 1: Create an Amazon S3 bucket + * Create an Amazon S3 bucket for cross-account export (console) @@ -329 +329 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 2: Set up access permissions + * Set up access permissions for cross-account export (console) @@ -331 +331 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 3: Set permissions on an S3 bucket + * Set permissions on an S3 bucket for cross-account export (console) @@ -333 +333 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS + * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (console) @@ -335 +335 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * Step 5: Create an export task + * Create an export task for cross-account export (console) @@ -340 +340 @@ If the Amazon S3 bucket is in a different account than the logs that are being e -### Step 1: Create an Amazon S3 bucket +### Create an Amazon S3 bucket for cross-account export (console) @@ -342 +342 @@ If the Amazon S3 bucket is in a different account than the logs that are being e -We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip to step 2. +We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip this procedure. @@ -365 +365 @@ The Amazon S3 bucket must reside in the same Region as the log data to export. C -### Step 2: Set up access permissions +### Set up access permissions for cross-account export (console) @@ -445 +445 @@ JSON -To create the export task in step 5, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role. You must also be signed on with the IAM policy that you just created, and also with the following permissions: +To create the export task, you'll need to be signed in with the `AmazonS3ReadOnlyAccess` IAM role. You must also be signed in with the IAM policy that you just created, and also with the following permissions: @@ -479 +479 @@ Create a role for identity federation. Follow the instructions in [Create a role -### Step 3: Set permissions on an S3 bucket +### Set permissions on an S3 bucket for cross-account export (console) @@ -495 +495 @@ We recommend that you also include the account ID of the account where the S3 bu - 1. In the Amazon S3 console, choose the bucket that you created in step 1. + 1. In the Amazon S3 console, choose the bucket that you created. @@ -578 +578 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS +### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (console) @@ -580 +580 @@ If the existing bucket already has one or more policies attached to it, add the -This step is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. +This procedure is necessary only if you are exporting to an S3 bucket that uses server-side encryption with AWS KMS keys. This encryption is known as SSE-KMS. @@ -669 +669 @@ JSON - 16. Find the bucket that you created in [Step 1: Create an S3 bucket](./S3ExportTasks.html#CreateS3Bucket) and choose the bucket name. + 16. Find the bucket that you created in [Create an S3 bucket (CLI)](./S3ExportTasks.html#CreateS3Bucket) and choose the bucket name. @@ -686 +686 @@ JSON -### Step 5: Create an export task +### Create an export task for cross-account export (console) @@ -688 +688 @@ JSON -In this step, you create the export task for exporting logs from a log group. +In this procedure, you create the export task for exporting logs from a log group. @@ -692 +692 @@ In this step, you create the export task for exporting logs from a log group. - 1. Sign in with sufficient permissions as documented in Step 2: Set up access permissions. + 1. Sign in with sufficient permissions as documented in Set up access permissions (console).