[BUILD-974] Update AWS deployments affected by: AWS CloudWatch Logs Tag Based Authorization Update
Created: 12/Dec/22  Updated: 23/Dec/22  Resolved: 23/Dec/22

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Roberto Gomez
Assignee: Roberto Gomez
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Team: Foundation
Work Started:

 Description   

We've been alerted to changes in AWS CloudWatch Logs Tag Based Authorization. The email we received states:

AWS is continuously on the lookout for opportunities to improve customer security, and as part of that effort, we recently updated our CloudWatch authorization strategy. As of October 30, 2022, tagging is supported for the “Destination” resource. Previously, CloudWatch Logs supported tagging only for the “Log Group” resource. We recommend that, for your IAM policies that are used to access the CreateLogGroup API, you add logs:TagResource permission to your IAM policies by January 31, 2023. The new logs:TagResource permission will not be required for existing accounts that previously used CreateLogGroup API with tags.

In order to tag new log groups using the CreateLogGroup API, we recommend you add logs:TagResource permission to your IAM policies [1]. Please see the following example of a recommended policy for CreateLogGroup API with Tags:

{
    "Version": "2012-10-17",
    "Statement": [
       

Unknown macro: {             "Action"}

    ]
}

We identified that you are using tagging APIs and recommend using the following new APIs that have “Resource” as the suffix, instead of “LogGroup”.

logs:TagResource
logs:UntagResource
logs:ListTagsForResource

The CloudWatch Logs team will not remove previous tagging APIs but the following APIs will no longer be actively developed:
TagLogGroup
UntagLogGroup
ListTagsLogGroup
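
An added example, not part of the ticket or of the AWS email: an offline check of IAM policy documents for the situation the notice describes, a policy that allows logs:CreateLogGroup without logs:TagResource, plus any explicit use of the older tagging actions. The function names and sample policies are constructed for illustration, and NotAction, Deny statements and Condition keys are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Older tagging actions that the notice says will no longer be actively developed.
LEGACY = {a.lower() for a in
          ("logs:TagLogGroup", "logs:UntagLogGroup", "logs:ListTagsLogGroup")}

def _listify(value):
    """IAM accepts a single statement/action or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_patterns(policy):
    """Yield every Action pattern found in the policy's Allow statements."""
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield from _listify(stmt.get("Action"))

def _allows(policy, action):
    # Action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower())
               for p in _allow_patterns(policy))

def audit_policy(policy_json):
    """Return a list of findings for one policy document given as JSON text."""
    policy = json.loads(policy_json)
    findings = []
    if _allows(policy, "logs:CreateLogGroup") and not _allows(policy, "logs:TagResource"):
        findings.append("allows logs:CreateLogGroup without logs:TagResource")
    for pattern in _allow_patterns(policy):
        if pattern.lower() in LEGACY:
            findings.append("uses legacy action " + pattern)
    return findings

# Constructed sample policies (hypothetical role names, not from the ticket).
SAMPLES = {
    "deploy-role": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                   '"Action":["logs:CreateLogGroup","logs:TagLogGroup"],"Resource":"*"}]}',
    "lambda-role": '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
                   '"Action":"logs:Create*","Resource":"*"}}',
    "fixed-role": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                  '"Action":["logs:CreateLogGroup","logs:TagResource"],"Resource":"*"}]}',
    "admin-role": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                  '"Action":"logs:*","Resource":"*"}]}',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, audit_policy(doc) or "ok")
```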

 

After first inspection the following actions are required on our part:

 


Generated at Sun Feb 11 23:46:57 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.