AWS AmazonCloudWatch documentation change
Summary
Updated examples to use 'amzn-s3-demo-bucket' instead of 'my-exported-logs', clarified SSE-KMS encryption steps, expanded IAM policy requirements for cross-account exports including KMS and ACL permissions, and improved placeholder values.
Security assessment
The changes enhance documentation about required IAM permissions (s3:PutObjectAcl, kms:GenerateDataKey, kms:Decrypt) and bucket policies for secure log exports, particularly for cross-account scenarios with encrypted buckets. However, there's no evidence of a specific security vulnerability being addressed.
Diff
diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasks.md b/AmazonCloudWatch/latest/logs/S3ExportTasks.md index b36db79d1..2f51e1e99 100644 --- a//AmazonCloudWatch/latest/logs/S3ExportTasks.md +++ b//AmazonCloudWatch/latest/logs/S3ExportTasks.md @@ -9 +9 @@ Same-account export (CLI)Cross-account export (CLI) -In the following example, you use an export task to export all data from a CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `my-exported-logs`. This example assumes that you have already created a log group called `my-log-group`. +In the following example, you use an export task to export all data from a CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `amzn-s3-demo-bucket`. This example assumes that you have already created a log group called `my-log-group`. @@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI) + * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (CLI) @@ -56 +56 @@ At a command prompt, run the following [create-bucket](https://docs.aws.amazon.c - aws s3api create-bucket --bucket my-exported-logs --create-bucket-configuration LocationConstraint=us-east-2 + aws s3api create-bucket --bucket amzn-s3-demo-bucket --create-bucket-configuration LocationConstraint=us-east-2 @@ -62 +62 @@ The following is example output. - "Location": "/my-exported-logs" + "Location": "/amzn-s3-demo-bucket" @@ -115 +115 @@ We recommend that you also include the account ID of the account where the S3 bu - 1. Create a file named `policy.json` and add the following access policy, changing `my-exported-logs` to the name of your S3 bucket and `Principal` to the endpoint of the Region where you are exporting log data, such as `us-west-1`. Use a text editor to create this policy file. Don't use the IAM console. + 1. Create a file named `policy.json` and add the following access policy, changing `amzn-s3-demo-bucket` to the name of your S3 bucket and `Principal` to the endpoint of the Region where you are exporting log data, such as `us-east-1`. Use a text editor to create this policy file. Don't use the IAM console. @@ -176 +176 @@ JSON - aws s3api put-bucket-policy --bucket my-exported-logs --policy file://policy.json + aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json @@ -185 +185 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI) +### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (CLI) @@ -248 +248 @@ The following is example output from this command: - "Arn": "arn:aws:kms:us-east-2:account_id:key/key_id", + "Arn": "arn:aws:kms:us-east-2:account-ARN:key/key_id", @@ -279 +279 @@ The following is example output from this command: - 4. Enter the following command, replacing `bucket-name` with the name of the bucket that you are exporting logs to. + 4. Enter the following command, replacing `amzn-s3-demo-bucket` with the name of the bucket that you are exporting logs to. @@ -281 +281 @@ The following is example output from this command: - aws s3api put-bucket-encryption --bucket bucket-name --server-side-encryption-configuration file://bucketencryption.json + aws s3api put-bucket-encryption --bucket amzn-s3-demo-bucket --server-side-encryption-configuration file://bucketencryption.json @@ -298 +298 @@ Use the following command to create the export task. After you create it, the ex - aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "my-exported-logs" --destination-prefix "export-task-output" + aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "amzn-s3-demo-bucket" --destination-prefix "export-task-output" @@ -321 +321 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI) + * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (CLI) @@ -341 +341 @@ At a command prompt, run the following [create-bucket](https://docs.aws.amazon.c - aws s3api create-bucket --bucket my-exported-logs --create-bucket-configuration LocationConstraint=us-east-2 + aws s3api create-bucket --bucket amzn-s3-demo-bucket --create-bucket-configuration LocationConstraint=us-east-2 @@ -347 +347 @@ The following is example output. - "Location": "/my-exported-logs" + "Location": "/amzn-s3-demo-bucket" @@ -352 +352 @@ The following is example output. -First, you must create a new IAM policy to enable CloudWatch Logs to have the `s3:PutObject` permission for the destination Amazon S3 bucket. +First, you must create a new IAM policy to enable CloudWatch Logs to have the `s3:PutObject` action for the destination Amazon S3 bucket in the destination account. @@ -354 +354,10 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s -To create the export task later, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with certain other permissions. You can create a policy that contains some of these other necessary permissions. +Along with `s3:PutObject` action, additional actions included in the policy depend on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. + + * If using KMS encryption, add the `kms:GenerateDataKey` and `kms:Decrypt` actions for the key resource + + * If ACLs are enabled on the bucket add the `s3:PutObjectAcl` action for the bucket resource + + + + +Change `amzn-s3-demo-bucket` to the name of your destination S3 bucket in the following policies. @@ -371 +380 @@ JSON - "Resource": "arn:aws:s3:::my-exported-logs/*" + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" @@ -391 +400 @@ JSON - "Resource": "arn:aws:s3:::>amzn-s3-demo-bucket/*" + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" @@ -405 +414,25 @@ JSON -To create the export task later, you must be signed on with the `AmazonS3ReadOnlyAccess` IAM role, the IAM policy that you just created, and also with the following permissions: +If the ACLs are enabled on destination bucket then add s3:PutObjectAcl to s3:PutObject Action block in the above policies. + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" + } + ] + } + + +To create an export task, you must be signed in with a IAM role that has the `AmazonS3ReadOnlyAccess` managed policy attached, the IAM policy created above, and also with the following permissions: @@ -453 +486 @@ We recommend that you also include the account ID of the account where the S3 bu - 1. Create a file named `policy.json` and add the following access policy, changing `my-exported-logs` to the name of your S3 bucket and `Principal` to the endpoint of the Region where you are exporting log data, such as `us-west-1`. Use a text editor to create this policy file. Don't use the IAM console. + 1. Create a file named `policy.json` and add the following access policy, changing `amzn-s3-demo-bucket` to the name of your destination S3 bucket, `Principal` to the endpoint of the Region where you are exporting log data, such as `us-west-1`. Use a text editor to create this policy file. Don't use the IAM console. @@ -487,2 +520,2 @@ JSON - "Resource": "arn:aws:s3:::my-exported-logs/*", - "Principal": { "Service": "logs.Region.amazonaws.com" }, + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", + "Principal": { "Service": "logs.us-east-1.amazonaws.com" }, @@ -524 +557 @@ JSON - aws s3api put-bucket-policy --bucket my-exported-logs --policy file://policy.json + aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json @@ -533 +566 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI) +### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (CLI) @@ -541 +574 @@ This procedure is necessary only if you are exporting to an S3 bucket that uses - * Replace `Region` with the Region of your logs. + * Replace `us-east-1` with the Region of your logs. @@ -544,0 +578,6 @@ This procedure is necessary only if you are exporting to an S3 bucket that uses + * Replace `123456789012` with the account number that owns the KMS key. + + * `key_id` with the kms-key Id. + + * `role_name` with the role used for creating export task. + @@ -570 +609 @@ JSON - "AWS": "arn:aws:iam::123456789012:root" + "AWS": "account-ARN" @@ -608 +647 @@ The following is example output from this command: - "Arn": "arn:aws:kms:us-east-2:account_id:key/key_id", + "Arn": "arn:aws:kms:us-east-1:123456789012:key/key_id", @@ -639 +678 @@ The following is example output from this command: - 4. Enter the following command, replacing `bucket-name` with the name of the bucket that you are exporting logs to. + 4. Enter the following command, replacing `amzn-s3-demo-bucket` with the name of the bucket that you are exporting logs to. @@ -641 +680 @@ The following is example output from this command: - aws s3api put-bucket-encryption --bucket bucket-name --server-side-encryption-configuration file://bucketencryption.json + aws s3api put-bucket-encryption --bucket amzn-s3-demo-bucket --server-side-encryption-configuration file://bucketencryption.json @@ -658 +697 @@ Use the following command to create the export task. After you create it, the ex - aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "my-exported-logs" --destination-prefix "export-task-output" + aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "amzn-s3-demo-bucket" --destination-prefix "export-task-output"