AWS AmazonCloudWatch documentation change
Summary
Updated documentation for CloudWatch Logs S3 export tasks: replaced example bucket name 'my-exported-logs' with 'amzn-s3-demo-bucket', clarified encryption scenarios with 'destination Amazon S3 bucket' terminology, corrected KMS action names to include 'kms:' prefix, added explicit IAM policy example for ACL-enabled buckets requiring 's3:PutObjectAcl', and enhanced key policy instructions with detailed placeholders.
Security assessment
The changes enhance security documentation by correcting IAM policy actions ('kms:GenerateDataKey' instead of 'GenerateDataKey'), adding explicit guidance for ACL-enabled buckets, and providing precise placeholders for KMS key policies. These prevent misconfiguration risks but don't address a specific vulnerability.
Diff
diff --git a/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md b/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md index f44b1cac0..0e9e01c8f 100644 --- a//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md +++ b//AmazonCloudWatch/latest/logs/S3ExportTasksConsole.md @@ -9 +9 @@ Same-account export (console)Cross-account export (console) -In the following examples, you use the Amazon CloudWatch console to export all data from an Amazon CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `my-exported-logs`. +In the following examples, you use the Amazon CloudWatch console to export all data from an Amazon CloudWatch Logs log group named `my-log-group` to an Amazon S3 bucket named `amzn-s3-demo-bucket`. @@ -36 +36 @@ If the Amazon S3 bucket is in the same account as the logs that are being export - * (Optional) Exporting to a bucket encrypted with SSE-KMS (console) + * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (console) @@ -124 +124 @@ We recommend that you also include the account ID of the account where the S3 bu - 3. In the **Bucket Policy Editor** , add the following policy. Change `my-exported-logs` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-west-1`, for **Principal**. + 3. In the **Bucket Policy Editor** , add the following policy. Change `amzn-s3-demo-bucket` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-west-1`, for **Principal**. @@ -192 +192 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Exporting to a bucket encrypted with SSE-KMS (console) +### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS (console) @@ -333 +333 @@ If the Amazon S3 bucket is in a different account than the logs that are being e - * (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (console) + * (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (console) @@ -369 +369 @@ First, you must create a new IAM policy to enable CloudWatch Logs to have the `s -The additional actions included in the policy depend on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. +Along with `s3:PutObject` action, additional actions included in the policy depend on whether the destination bucket uses AWS KMS encryption or has ACLs enabled using the [S3 Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) setting. @@ -371 +371 @@ The additional actions included in the policy depend on whether the destination - * If using KMS encryption, add the `GenerateDataKey` and `Decrypt` actions for the key resource + * If using KMS encryption, add the `kms:GenerateDataKey` and `kms:Decrypt` actions for the key resource @@ -377,0 +378,2 @@ The additional actions included in the policy depend on whether the destination +Change `amzn-s3-demo-bucket` to the name of your destination S3 bucket in the following policies. + @@ -402 +404 @@ JSON - "Resource": "arn:aws:s3:::my-exported-logs/*" + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" @@ -435,0 +438,23 @@ JSON +If the ACLs are enabled on destination bucket then add s3:PutObjectAcl to s3:PutObject Action block in the above policies. + +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" + } + ] + } + + @@ -445 +470 @@ JSON -To create the export task, you'll need to be signed in with the `AmazonS3ReadOnlyAccess` IAM role. You must also be signed in with the IAM policy that you just created, and also with the following permissions: +To create an export task, you must be signed in with a IAM role that has the `AmazonS3ReadOnlyAccess` managed policy attached, the IAM policy created above, and also with the following permissions: @@ -499 +524 @@ We recommend that you also include the account ID of the account where the S3 bu - 3. In the **Bucket Policy Editor** , add the following policy. Change `my-exported-logs` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-west-1`, for **Principal**. + 3. In the **Bucket Policy Editor** , add the following policy. Change `amzn-s3-demo-bucket` to the name of your S3 bucket. Be sure to specify the correct Region endpoint, such as `us-east-1`, for **Principal**. @@ -578 +603 @@ If the existing bucket already has one or more policies attached to it, add the -### (Optional) Exporting to a bucket encrypted with SSE-KMS for cross-account export (console) +### (Optional) Exporting to a destination Amazon S3 bucket encrypted with SSE-KMS for cross-account export (console) @@ -610 +635 @@ Choose **Create Key**. - 13. Add the following statement to the key policy statement list. When you do, replace `Region` with the Region of your logs and replace `account-ARN` with the ARN of the account that owns the KMS key. + 13. Add the following statement to the key policy statement list. When you do, replace `us-east-1` with the Region of your logs, `account-ARN` with the ARN of the account that owns the KMS key, `123456789012` with the account number that owns the KMS key,`key_id` with the kms-key Id and `role_name` with the role used for creating export task. @@ -659 +684 @@ JSON - "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id" + "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"