Build / BUILD-974

Update AWS deployments affected by: AWS CloudWatch Logs Tag Based Authorization Update

Details

    • Task
    • Resolution: Done
    • Neutral

    Description

      We've been alerted to changes in AWS CloudWatch Logs Tag Based Authorization. The email received states:

      AWS is continuously on the lookout for opportunities to improve customer security, and as part of that effort, we recently updated our CloudWatch authorization strategy. As of October 30, 2022, tagging is supported for the “Destination” resource. Previously, CloudWatch Logs supported tagging only for the “Log Group” resource. We recommend that, for your IAM policies that are used to access the CreateLogGroup API, you add logs:TagResource permission to your IAM policies by January 31, 2023. The new logs:TagResource permission will not be required for existing accounts that previously used CreateLogGroup API with tags.

      In order to tag new log groups using the CreateLogGroup API, we recommend you add logs:TagResource permission to your IAM policies [1]. Please see the following example of a recommended policy for CreateLogGroup API with Tags:

      {
          "Version": "2012-10-17",
          "Statement": [
             

      Unknown macro: {             "Action"}

          ]
      }

      We identified that you are using tagging APIs and recommend using the following new APIs that have “Resource” as the suffix, instead of “LogGroup”.

      logs:TagResource
      logs:UntagResource
      logs:ListTagsForResource

      The CloudWatch Logs team will not remove previous tagging APIs but the following APIs will no longer be actively developed:
      TagLogGroup
      UntagLogGroup
      ListTagsLogGroup
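
      An added example, not part of the ticket or the AWS email: a minimal check of an IAM identity policy document for the two conditions the notice describes, logs:CreateLogGroup allowed without logs:TagResource, and explicit use of the legacy tagging actions. It assumes only Allow statements with an Action element matter (NotAction, Deny, conditions and resource scoping are ignored); the function name and the sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Legacy tagging actions from the notice, mapped to their "Resource" replacements.
REPLACEMENTS = {
    "logs:TagLogGroup": "logs:TagResource",
    "logs:UntagLogGroup": "logs:UntagResource",
    "logs:ListTagsLogGroup": "logs:ListTagsForResource",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _grants(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Return findings for one identity policy document (dict or JSON text)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
        statements = [statements]
    allowed = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            allowed += _as_list(stmt.get("Action"))
    findings = []
    if _grants(allowed, "logs:CreateLogGroup") and not _grants(allowed, "logs:TagResource"):
        findings.append("logs:CreateLogGroup allowed without logs:TagResource")
    for old, new in REPLACEMENTS.items():
        if any(a.lower() == old.lower() for a in allowed):
            findings.append(f"{old} is a legacy action; prefer {new}")
    return findings

# Constructed sample policies (account ID and region are placeholders).
ARN = "arn:aws:logs:us-east-1:111122223333:log-group:*"
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ARN,
     "Action": ["logs:CreateLogGroup", "logs:TagLogGroup"]}]}
AFTER = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": ARN,
    "Action": ["logs:CreateLogGroup", "logs:TagResource"]}}

if __name__ == "__main__":
    for name, doc in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit_policy(doc) or "ok")
```

      Policy documents exported from deployment templates or from the account can be passed in as JSON text or as parsed dicts.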

       

      After first inspection the following actions are required on our part:

       

            People

              roberto.gomez Roberto Gomez
              Foundation