AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-01-10 · Documentation low

File: AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md

Summary

Updated documentation for CloudWatch Logs S3 export tasks: replaced example bucket name 'my-exported-logs' with 'amzn-s3-demo-bucket', clarified encryption scenarios with 'destination Amazon S3 bucket' terminology, corrected KMS action names to include 'kms:' prefix, added explicit IAM policy example for ACL-enabled buckets requiring 's3:PutObjectAcl', and enhanced key policy instructions with detailed placeholders.

Security assessment

The changes enhance security documentation by correcting IAM policy actions ('kms:GenerateDataKey' instead of 'GenerateDataKey'), adding explicit guidance for ACL-enabled buckets, and providing precise placeholders for KMS key policies. These prevent misconfiguration risks but don't address a specific vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md b/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md
index f44b1cac0..0e9e01c8f 100644
--- a//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md
+++ b//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md
@@ -9 +9 @@ Same-account export (console)Cross-account export (console)
-In the following examples, you use the Amazon CloudWatch console to export all data from an Amazon CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `my-exported-logs`.
+In the following examples, you use the Amazon CloudWatch console to export all data from an Amazon CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `amzn-s3-demo-bucket`.
@@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export
-  * (Optional) Exporting to a bucket encrypted with SSE-KMS (console)
+  * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (console)
@@ -124 +124 @@ We recommend that you also include the account ID of the account where the S3 bu
-  3. In the **Bucket Policy Editor** , add the following policy. Change `my-exported-logs` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-west-1`, for **Principal**.
+  3. In the **Bucket Policy Editor** , add the following policy. Change `amzn-s3-demo-bucket` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-west-1`, for **Principal**.
@@ -192 +192 @@ If the existing bucket already has one or more policies attached to it, add the
-### (Optional) Exporting to a bucket encrypted with SSE-KMS (console)
+### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (console)
@@ -333 +333 @@ If the Amazon S3 bucket is in a different account than the logs that are being e
-  * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (console)
+  * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (console)
@@ -369 +369 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s
-The additional actions included in the policy depend on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. 
+Along with `s3:PutObject` action, additional actions included in the policy depend on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. 
@@ -371 +371 @@ The additional actions included in the policy depend on whether the destination
-  * If using KMS encryption, add the `GenerateDataKey` and `Decrypt` actions for the key resource
+  * If using KMS encryption, add the `kms:GenerateDataKey` and `kms:Decrypt` actions for the key resource
@@ -377,0 +378,2 @@ The additional actions included in the policy depend on whether the destination
+Change `amzn-s3-demo-bucket` to the name of your destination S3 bucket in the following policies.
+
@@ -402 +404 @@ JSON
-                "Resource": "arn:aws:s3:::my-exported-logs/*"
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
@@ -435,0 +438,23 @@ JSON
+If the ACLs are enabled on destination bucket then add s3:PutObjectAcl to s3:PutObject Action block in the above policies.
+
+JSON
+    
+
+****
+    
+    
+        {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                   "s3:PutObject",
+                   "s3:PutObjectAcl"
+                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
+            }
+        ]
+    }
+    
+
@@ -445 +470 @@ JSON
-To create the export task, you'll need to be signed in with the `AmazonS3ReadOnlyAccess` IAM role. You must also be signed in with the IAM policy that you just created, and also with the following permissions:
+To create an export task, you must be signed in with a IAM role that has the `AmazonS3ReadOnlyAccess` managed policy attached, the IAM policy created above, and also with the following permissions:
@@ -499 +524 @@ We recommend that you also include the account ID of the account where the S3 bu
-  3. In the **Bucket Policy Editor** , add the following policy. Change `my-exported-logs` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-west-1`, for **Principal**.
+  3. In the **Bucket Policy Editor** , add the following policy. Change `amzn-s3-demo-bucket` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-east-1`, for **Principal**.
@@ -578 +603 @@ If the existing bucket already has one or more policies attached to it, add the
-### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (console)
+### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (console)
@@ -610 +635 @@ Choose **Create Key**.
-  13. Add the following statement to the key policy statement list. When you do, replace `Region` with the Region of your logs and replace `account-ARN` with the ARN of the account that owns the KMS key.
+  13. Add the following statement to the key policy statement list. When you do, replace `us-east-1` with the Region of your logs, `account-ARN` with the ARN of the account that owns the KMS key, `123456789012` with the account number that owns the KMS key,`key_id` with the kms-key Id and `role_name` with the role used for creating export task.
@@ -659 +684 @@ JSON
-                "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id"
+                "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"