AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-01-10 · Documentation low

File: AmazonCloudWatch/latest/logs/S3ExportTasks.md

Summary

Updated examples to use 'amzn-s3-demo-bucket' instead of 'my-exported-logs', clarified SSE-KMS encryption steps, expanded IAM policy requirements for cross-account exports including KMS and ACL permissions, and improved placeholder values.

Security assessment

The changes enhance documentation about required IAM permissions (s3:PutObjectAcl, kms:GenerateDataKey, kms:Decrypt) and bucket policies for secure log exports, particularly for cross-account scenarios with encrypted buckets. However, there's no evidence of a specific security vulnerability being addressed.

Diff

diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasks.md b/AmazonCloudWatch/latest/logs/S3ExportTasks.md
index b36db79d1..2f51e1e99 100644
--- a//AmazonCloudWatch/latest/logs/S3ExportTasks.md
+++ b//AmazonCloudWatch/latest/logs/S3ExportTasks.md
@@ -9 +9 @@ Same-account export (CLI)Cross-account export (CLI)
-In the following example, you use an export task to export all data from a CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `my-exported-logs`. This example assumes that you have already created a log group called `my-log-group`.
+In the following example, you use an export task to export all data from a CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `amzn-s3-demo-bucket`. This example assumes that you have already created a log group called `my-log-group`.
@@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI)
+  * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (CLI)
@@ -56 +56 @@ At a command prompt, run the following [create-bucket](https://docs.aws.amazon.c
-    aws s3api create-bucket --bucket my-exported-logs --create-bucket-configuration LocationConstraint=us-east-2
+    aws s3api create-bucket --bucket amzn-s3-demo-bucket --create-bucket-configuration LocationConstraint=us-east-2
@@ -62 +62 @@ The following is example output.
-        "Location": "/my-exported-logs"
+        "Location": "/amzn-s3-demo-bucket"
@@ -115 +115 @@ We recommend that you also include the account ID of the account where the S3 bu
-  1. Create a file named `policy.json` and add the following access policy, changing `my-exported-logs` to the name of your S3 bucket and `Principal` to the endpoint of the Region where you are exporting log data, such as `us-west-1`. Use a text editor to create this policy file. Don't use the IAM console.
+  1. Create a file named `policy.json` and add the following access policy, changing `amzn-s3-demo-bucket` to the name of your S3 bucket and `Principal` to the endpoint of the Region where you are exporting log data, such as `us-east-1`. Use a text editor to create this policy file. Don't use the IAM console.
@@ -176 +176 @@ JSON
-        aws s3api put-bucket-policy --bucket my-exported-logs --policy file://policy.json
+        aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json
@@ -185 +185 @@ If the existing bucket already has one or more policies attached to it, add the
-### (Optional) Exporting to a bucket encrypted with SSE-KMS (CLI)
+### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (CLI)
@@ -248 +248 @@ The following is example output from this command:
-            "Arn": "arn:aws:kms:us-east-2:account_id:key/key_id",
+            "Arn": "arn:aws:kms:us-east-2:account-ARN:key/key_id",
@@ -279 +279 @@ The following is example output from this command:
-  4. Enter the following command, replacing `bucket-name` with the name of the bucket that you are exporting logs to.
+  4. Enter the following command, replacing `amzn-s3-demo-bucket` with the name of the bucket that you are exporting logs to.
@@ -281 +281 @@ The following is example output from this command:
-        aws s3api put-bucket-encryption --bucket bucket-name --server-side-encryption-configuration file://bucketencryption.json
+        aws s3api put-bucket-encryption --bucket amzn-s3-demo-bucket --server-side-encryption-configuration file://bucketencryption.json
@@ -298 +298 @@ Use the following command to create the export task. After you create it, the ex
-        aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "my-exported-logs" --destination-prefix "export-task-output"
+        aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "amzn-s3-demo-bucket" --destination-prefix "export-task-output"
@@ -321 +321 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI)
+  * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (CLI)
@@ -341 +341 @@ At a command prompt, run the following [create-bucket](https://docs.aws.amazon.c
-    aws s3api create-bucket --bucket my-exported-logs --create-bucket-configuration LocationConstraint=us-east-2
+    aws s3api create-bucket --bucket amzn-s3-demo-bucket --create-bucket-configuration LocationConstraint=us-east-2
@@ -347 +347 @@ The following is example output.
-        "Location": "/my-exported-logs"
+        "Location": "/amzn-s3-demo-bucket"
@@ -352 +352 @@ The following is example output.
-First, you must create a new IAM policy to enable CloudWatch Logs to have the `s3:PutObject` permission for the destination Amazon S3 bucket.
+First, you must create a new IAM policy to enable CloudWatch Logs to have the `s3:PutObject` action for the destination Amazon S3 bucket in the destination account. 
@@ -354 +354,10 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s
-To create the export task later, you'll need to be signed on with the `AmazonS3ReadOnlyAccess` IAM role and with certain other permissions. You can create a policy that contains some of these other necessary permissions.
+Along with `s3:PutObject` action, additional actions included in the policy depend on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. 
+
+  * If using KMS encryption, add the `kms:GenerateDataKey` and `kms:Decrypt` actions for the key resource
+
+  * If ACLs are enabled on the bucket add the `s3:PutObjectAcl` action for the bucket resource
+
+
+
+
+Change `amzn-s3-demo-bucket` to the name of your destination S3 bucket in the following policies.
@@ -371 +380 @@ JSON
-                "Resource": "arn:aws:s3:::my-exported-logs/*"
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
@@ -391 +400 @@ JSON
-                "Resource": "arn:aws:s3:::>amzn-s3-demo-bucket/*"
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
@@ -405 +414,25 @@ JSON
-To create the export task later, you must be signed on with the `AmazonS3ReadOnlyAccess` IAM role, the IAM policy that you just created, and also with the following permissions:
+If the ACLs are enabled on destination bucket then add s3:PutObjectAcl to s3:PutObject Action block in the above policies.
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                   "s3:PutObject",
+                   "s3:PutObjectAcl"
+                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
+            }
+        ]
+    }
+    
+
+To create an export task, you must be signed in with a IAM role that has the `AmazonS3ReadOnlyAccess` managed policy attached, the IAM policy created above, and also with the following permissions:
@@ -453 +486 @@ We recommend that you also include the account ID of the account where the S3 bu
-  1. Create a file named `policy.json` and add the following access policy, changing `my-exported-logs` to the name of your S3 bucket and `Principal` to the endpoint of the Region where you are exporting log data, such as `us-west-1`. Use a text editor to create this policy file. Don't use the IAM console.
+  1. Create a file named `policy.json` and add the following access policy, changing `amzn-s3-demo-bucket` to the name of your destination S3 bucket, `Principal` to the endpoint of the Region where you are exporting log data, such as `us-west-1`. Use a text editor to create this policy file. Don't use the IAM console.
@@ -487,2 +520,2 @@ JSON
-              "Resource": "arn:aws:s3:::my-exported-logs/*",
-              "Principal": { "Service": "logs.Region.amazonaws.com" },
+              "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+              "Principal": { "Service": "logs.us-east-1.amazonaws.com" },
@@ -524 +557 @@ JSON
-        aws s3api put-bucket-policy --bucket my-exported-logs --policy file://policy.json
+        aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json
@@ -533 +566 @@ If the existing bucket already has one or more policies attached to it, add the
-### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (CLI)
+### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (CLI)
@@ -541 +574 @@ This procedure is necessary only if you are exporting to an S3 bucket that uses
-     * Replace `Region` with the Region of your logs. 
+     * Replace `us-east-1` with the Region of your logs. 
@@ -544,0 +578,6 @@ This procedure is necessary only if you are exporting to an S3 bucket that uses
+     * Replace `123456789012` with the account number that owns the KMS key.
+
+     * `key_id` with the kms-key Id.
+
+     * `role_name` with the role used for creating export task.
+
@@ -570 +609 @@ JSON
-                    "AWS": "arn:aws:iam::123456789012:root"
+                    "AWS": "account-ARN"
@@ -608 +647 @@ The following is example output from this command:
-            "Arn": "arn:aws:kms:us-east-2:account_id:key/key_id",
+            "Arn": "arn:aws:kms:us-east-1:123456789012:key/key_id",
@@ -639 +678 @@ The following is example output from this command:
-  4. Enter the following command, replacing `bucket-name` with the name of the bucket that you are exporting logs to.
+  4. Enter the following command, replacing `amzn-s3-demo-bucket` with the name of the bucket that you are exporting logs to.
@@ -641 +680 @@ The following is example output from this command:
-        aws s3api put-bucket-encryption --bucket bucket-name --server-side-encryption-configuration file://bucketencryption.json
+        aws s3api put-bucket-encryption --bucket amzn-s3-demo-bucket --server-side-encryption-configuration file://bucketencryption.json
@@ -658 +697 @@ Use the following command to create the export task. After you create it, the ex
-        aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "my-exported-logs" --destination-prefix "export-task-output"
+        aws logs create-export-task --profile CWLExportUser --task-name "my-log-group-09-10-2015" --log-group-name "my-log-group" --from 1441490400000 --to 1441494000000 --destination "amzn-s3-demo-bucket" --destination-prefix "export-task-output"