Details
Type: Task
Resolution: Done
Description
We have been alerted to changes in AWS CloudWatch Logs tag-based authorization. The email we received states:
AWS is continuously on the lookout for opportunities to improve customer security, and as part of that effort, we recently updated our CloudWatch authorization strategy. As of October 30, 2022, tagging is supported for the “Destination” resource. Previously, CloudWatch Logs supported tagging only for the “Log Group” resource. We recommend that, for your IAM policies that are used to access the CreateLogGroup API, you add logs:TagResource permission to your IAM policies by January 31, 2023. The new logs:TagResource permission will not be required for existing accounts that previously used CreateLogGroup API with tags.
In order to tag new log groups using the CreateLogGroup API, we recommend you add logs:TagResource permission to your IAM policies [1]. Please see the following example of a recommended policy for CreateLogGroup API with Tags:
{
"Version": "2012-10-17",
"Statement": [
{ "Action" [remainder of the statement was not rendered in the ticket export] }
]
}

We identified that you are using tagging APIs and recommend using the following new APIs that have “Resource” as the suffix, instead of “LogGroup”:
logs:TagResource
logs:UntagResource
logs:ListTagsForResource
The CloudWatch Logs team will not remove the previous tagging APIs, but the following APIs will no longer be actively developed:
TagLogGroup
UntagLogGroup
ListTagsLogGroup
After a first inspection, the following actions are required on our part:
- Update the Terraform script for the magnolia-mgmt-event-handler Lambda so that the IAM policy granting logs:CreateLogGroup also grants logs:TagResource.
- Watch for updates to the libraries we rely on to create log groups, since they may still use the TagLogGroup/UntagLogGroup/ListTagsLogGroup APIs that AWS is no longer developing:
  - Amplify for magnolia-mgmt-ui
  - the Terraform AWS provider's aws_cloudwatch_log_group resource
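To check whether a policy document is affected before and after the Terraform change, the following added example (not part of this ticket or the project's code) audits a policy for the condition the AWS email describes: logs:CreateLogGroup is allowed while logs:TagResource is not. The policy below is a constructed sample with a hypothetical account ID and log group ARN; the audit evaluates Action lists with IAM wildcard and case rules and honours Deny statements, but it does not evaluate Resource, Condition or NotAction, so it is a quick check on rendered policy JSON rather than a full IAM simulation. The add_tag_resource helper shows the minimal fix: append logs:TagResource to each Allow statement that already grants CreateLogGroup, so tagging stays scoped to the same log group resources.

```python
"""Audit an IAM policy document for the CreateLogGroup / TagResource gap.

Added example, not the project's code. The sample policy is constructed
with a hypothetical account ID and ARN.
"""
import copy
import fnmatch
import json

# Constructed sample: a Lambda execution policy that can create log groups
# but lacks logs:TagResource, i.e. the state the AWS email warns about.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            "Resource": "arn:aws:logs:eu-west-1:123456789012:"
                        "log-group:/aws/lambda/example-handler:*",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Statement and Action positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements(policy, effect):
    """Statements of the policy with the given Effect (same dict objects)."""
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def grants(policy, action):
    """True if an Allow statement names `action` and no Deny statement does.

    Resource, Condition and NotAction are deliberately not evaluated.
    """
    for stmt in _statements(policy, "Deny"):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return False
    for stmt in _statements(policy, "Allow"):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return True
    return False


def has_tag_gap(policy):
    """The condition from the email: CreateLogGroup allowed, TagResource not."""
    return grants(policy, "logs:CreateLogGroup") and not grants(policy, "logs:TagResource")


def add_tag_resource(policy):
    """Return a copy in which every Allow statement granting logs:CreateLogGroup
    also lists logs:TagResource, keeping tagging scoped to the same Resource."""
    fixed = copy.deepcopy(policy)
    for stmt in _statements(fixed, "Allow"):
        actions = _as_list(stmt.get("Action"))
        creates = any(_matches(p, "logs:CreateLogGroup") for p in actions)
        tags = any(_matches(p, "logs:TagResource") for p in actions)
        if creates and not tags:
            stmt["Action"] = actions + ["logs:TagResource"]
    return fixed


if __name__ == "__main__":
    print("gap before:", has_tag_gap(POLICY_BEFORE))
    after = add_tag_resource(POLICY_BEFORE)
    print("gap after: ", has_tag_gap(after))
    print(json.dumps(after, indent=2))
```

Run it against the JSON that Terraform renders for the Lambda role policy; a policy that uses a broad wildcard such as logs:* already covers logs:TagResource and is reported as having no gap, while an explicit Deny on logs:TagResource is reported as a gap even when a wildcard Allow is present.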