AWS AmazonCloudWatch documentation change
Summary
Expanded documentation for CloudWatch Logs scheduled queries S3 destinations to include detailed configuration for same-account and cross-account delivery, plus encryption with customer-managed KMS keys, including required IAM policies and bucket policies.
Security assessment
This change adds comprehensive documentation about security features including cross-account access controls, encryption with customer-managed KMS keys, and detailed IAM policy requirements. It provides security best practices for configuring permissions and encryption but does not indicate a specific security vulnerability being fixed. The documentation helps users properly secure their scheduled query results.
Diff
diff --git a/AmazonCloudWatch/latest/logs/scheduled-queries-s3-destination.md b/AmazonCloudWatch/latest/logs/scheduled-queries-s3-destination.md index 77480fd35..58df073e1 100644 --- a//AmazonCloudWatch/latest/logs/scheduled-queries-s3-destination.md +++ b//AmazonCloudWatch/latest/logs/scheduled-queries-s3-destination.md @@ -4,0 +5,2 @@ +Delivering results to an Amazon S3 bucket in the same accountDelivering results to an Amazon S3 bucket in another accountEncrypting results with a customer managed AWS KMS key + @@ -11 +13,51 @@ When using Amazon S3 as a destination, query results are stored as JSON files in -The Amazon S3 destination configuration includes the following options: +You can deliver query results to an Amazon S3 bucket in the same AWS account as the scheduled query or to a bucket in a different AWS account. You can also optionally encrypt query results using a customer managed AWS KMS key (SSE-KMS). + +## Delivering results to an Amazon S3 bucket in the same account + +When the destination Amazon S3 bucket is in the same AWS account as the scheduled query, you can browse and select the bucket directly from the console. + +###### To configure a same-account Amazon S3 destination (console) + + 1. In the **Post query results to S3** section, for **S3 bucket** , select **This account**. + + 2. For **Amazon S3 URI** , enter the Amazon S3 bucket and prefix where results will be stored (for example, `s3://my-bucket/query-results/`), or choose **Browse Amazon S3** to navigate and select an existing Amazon S3 location. + + 3. (Optional) To encrypt results with a customer managed AWS KMS key, enter the ARN of the AWS KMS key in the **KMS key ARN** field. The key must be in the same AWS Region as the destination Amazon S3 bucket. If you don't specify a AWS KMS key, the bucket's default encryption settings apply. + + 4. In the **IAM role for posting query results to Amazon S3** section, choose **Auto-create a new role with default permissions** to automatically set up the required permissions, or choose **Use an existing role** to select an existing IAM role with the required policies. + + + + +The destination delivery IAM role requires the following permissions: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::my-bucket/prefix/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } + } + ] + } + +## Delivering results to an Amazon S3 bucket in another account + +You can deliver scheduled query results to an Amazon S3 bucket in a different AWS account. When using a cross-account bucket, you must provide the Amazon S3 URI and the account ID of the bucket-owning account. + +###### To configure a cross-account Amazon S3 destination (console) + + 1. In the **Post query results to S3** section, for **S3 bucket** , select **Another account** and provide the account ID of the bucket-owning account as input. + + 2. For **Amazon S3 URI** , enter the full Amazon S3 URI of the destination bucket and prefix in the other account (for example, `s3://cross-account-bucket/query-results/`). + + 3. (Optional) To encrypt results with a customer managed AWS KMS key, enter the ARN of the AWS KMS key in the **KMS key ARN** field. The key must be in the same AWS Region as the destination Amazon S3 bucket. + + 4. In the **IAM role for posting query results to Amazon S3** section, choose **Auto-create a new role with default permissions** to automatically set up the required permissions, or choose **Use an existing role** to select an existing IAM role with the required policies. @@ -13 +64,0 @@ The Amazon S3 destination configuration includes the following options: -**Amazon S3 URI** @@ -16 +66,0 @@ The Amazon S3 destination configuration includes the following options: -The bucket and optional prefix where results will be stored (for example, `s3://my-bucket/query-results/`). Enter the full Amazon S3 URI in the box. @@ -18 +68 @@ The bucket and optional prefix where results will be stored (for example, `s3:// -**View Amazon S3** +Cross-account delivery requires permissions on both sides. The destination delivery IAM role in the source account requires the following permissions: @@ -21 +71,15 @@ The bucket and optional prefix where results will be stored (for example, `s3:// -Choose this option to open the Amazon S3 console in a new tab, allowing you to verify the bucket exists and check its configuration. + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::cross-account-bucket/prefix/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } + } + ] + } @@ -23 +87 @@ Choose this option to open the Amazon S3 console in a new tab, allowing you to v -**Browse Amazon S3** +The Amazon S3 bucket policy in the destination account must grant the source account's IAM role permission to write objects: @@ -26 +90,14 @@ Choose this option to open the Amazon S3 console in a new tab, allowing you to v -Choose this option to open the Amazon S3 browser, where you can navigate and select an existing Amazon S3 location without manually typing the URI. + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowScheduledQueryRolePutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/my-s3-delivery-role" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::cross-account-bucket/prefix/*" + } + ] + } @@ -28 +105 @@ Choose this option to open the Amazon S3 browser, where you can navigate and sel -Required IAM permissions for Amazon S3 destinations: +## Encrypting results with a customer managed AWS KMS key @@ -30 +107 @@ Required IAM permissions for Amazon S3 destinations: - * `s3:PutObject` \- Permission to write query result files to the specified Amazon S3 bucket +You can optionally specify a customer managed AWS KMS key to encrypt query results delivered to Amazon S3 using SSE-KMS. The AWS KMS key can be in the same account as the scheduled query or in a different account. @@ -31,0 +109 @@ Required IAM permissions for Amazon S3 destinations: +When you specify a AWS KMS key, the scheduled query uses that key to encrypt results via SSE-KMS. When you don't specify a AWS KMS key, the bucket's default encryption settings apply. If the bucket is configured with default SSE-KMS encryption using a customer managed key, the destination delivery IAM role must still have `kms:GenerateDataKey` permission on that key. @@ -32,0 +111 @@ Required IAM permissions for Amazon S3 destinations: +The destination delivery IAM role requires `kms:GenerateDataKey` permission on the AWS KMS key. The following example shows the required permissions for an Amazon S3 destination with a customer managed AWS KMS key: @@ -35 +114,60 @@ Required IAM permissions for Amazon S3 destinations: -The IAM role for posting query results to Amazon S3 must be configured separately from the IAM role for scheduled query execution. This separation allows for fine-grained access control, where the execution role can run queries while the Amazon S3 role specifically handles result delivery. + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::my-bucket/prefix/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } + }, + { + "Effect": "Allow", + "Action": "kms:GenerateDataKey", + "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", + "Condition": { + "StringEquals": { + "kms:ViaService": "s3.us-east-1.amazonaws.com" + }, + "StringLike": { + "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::my-bucket*" + } + } + } + ] + } + +When the AWS KMS key is in a different account than the destination delivery IAM role, the AWS KMS key policy in the key-owning account must explicitly grant the role access: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowScheduledQueryRoleToEncrypt", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/my-s3-delivery-role" + }, + "Action": "kms:GenerateDataKey", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "s3.us-east-1.amazonaws.com" + }, + "StringLike": { + "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::my-bucket*" + } + } + } + ] + } + +###### Note + +When the AWS KMS key and the destination delivery IAM role are in the same account, the IAM identity policy alone is sufficient if the AWS KMS key policy includes the default "Enable IAM policies" root statement. An explicit AWS KMS key policy grant is only required if the key policy does not delegate to IAM. + +The IAM role for posting query results to Amazon S3 must be configured separately from the IAM role for scheduled query execution. This separation allows for fine-grained access control, where the execution role can run queries while the Amazon S3 role specifically handles result delivery. Both roles must include a trust policy that allows the CloudWatch Logs service (`logs.amazonaws.com`) to assume the role.