Amazon CloudWatch Logs

2017/09/21 - Amazon CloudWatch Logs - 2 new 2 updated api methods

AssociateKmsKey (new)

Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group.

Associating an AWS KMS CMK with a log group overrides any existing associations between the log group and a CMK. After a CMK is associated with a log group, all newly ingested data for the log group is encrypted using the CMK. This association is stored as long as the data encrypted with the CMK is still within Amazon CloudWatch Logs. This enables Amazon CloudWatch Logs to decrypt this data whenever it is requested.

Note that it can take up to 5 minutes for this operation to take effect.

If you attempt to associate a CMK with a log group but the CMK does not exist or the CMK is disabled, you will receive an InvalidParameterException error.

See also: AWS API Documentation

Request Syntax

client.associate_kms_key(
    logGroupName='string',
    kmsKeyId='string'
)

Parameters

  • logGroupName (string) --

    [REQUIRED]

    The name of the log group.

  • kmsKeyId (string) --

    [REQUIRED]

    The Amazon Resource Name (ARN) of the CMK to use when encrypting log data. For more information, see Amazon Resource Names - AWS Key Management Service (AWS KMS).

Returns

None

DisassociateKmsKey (new)

Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group.

After the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested.

Note that it can take up to 5 minutes for this operation to take effect.

See also: AWS API Documentation

Request Syntax

client.disassociate_kms_key(
    logGroupName='string'
)

Parameters

  • logGroupName (string) --

    [REQUIRED]

    The name of the log group.

Returns

None

CreateLogGroup (updated)
Changes (request)
{'kmsKeyId': 'string'}

Creates a log group with the specified name.

You can create up to 5000 log groups per account.

You must use the following guidelines when naming a log group:

  • Log group names must be unique within a region for an AWS account.

  • Log group names can be between 1 and 512 characters long.

  • Log group names consist of the following characters: a-z, A-Z, 0-9, '_' (underscore), '-' (hyphen), '/' (forward slash), and '.' (period).

If you associate an AWS Key Management Service (AWS KMS) customer master key (CMK) with the log group, ingested data is encrypted using the CMK. This association is stored as long as the data encrypted with the CMK is still within Amazon CloudWatch Logs. This enables Amazon CloudWatch Logs to decrypt this data whenever it is requested.

If you attempt to associate a CMK with the log group but the CMK does not exist or the CMK is disabled, you will receive an InvalidParameterException error.

See also: AWS API Documentation

Request Syntax

client.create_log_group(
    logGroupName='string',
    kmsKeyId='string',
    tags={
        'string': 'string'
    }
)

Parameters

  • logGroupName (string) --

    [REQUIRED]

    The name of the log group.

  • kmsKeyId (string) --

    The Amazon Resource Name (ARN) of the CMK to use when encrypting log data. For more information, see Amazon Resource Names - AWS Key Management Service (AWS KMS).

  • tags (dict) --

    The key-value pairs to use for the tags.

    • (string) --

      • (string) --

Returns

None

DescribeLogGroups (updated)
Changes (response)
{'logGroups': {'kmsKeyId': 'string'}}

Lists the specified log groups. You can list all your log groups or filter the results by prefix. The results are ASCII-sorted by log group name.

See also: AWS API Documentation

Request Syntax

client.describe_log_groups(
    logGroupNamePrefix='string',
    nextToken='string',
    limit=123
)

Parameters

  • logGroupNamePrefix (string) --

    The prefix to match.

  • nextToken (string) --

    The token for the next set of items to return. (You received this token from a previous call.)

  • limit (integer) --

    The maximum number of items returned. If you don't specify a value, the default is up to 50 items.

Return type

dict

Returns

Response Syntax

{
    'logGroups': [
        {
            'logGroupName': 'string',
            'creationTime': 123,
            'retentionInDays': 123,
            'metricFilterCount': 123,
            'arn': 'string',
            'storedBytes': 123,
            'kmsKeyId': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • logGroups (list) --

      The log groups.

      • (dict) --

        Represents a log group.

        • logGroupName (string) --

          The name of the log group.

        • creationTime (integer) --

          The creation time of the log group, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.

        • retentionInDays (integer) --

          The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.

        • metricFilterCount (integer) --

          The number of metric filters.

        • arn (string) --

          The Amazon Resource Name (ARN) of the log group.

        • storedBytes (integer) --

          The number of bytes stored.

        • kmsKeyId (string) --

          The Amazon Resource Name (ARN) of the CMK to use when encrypting log data.

    • nextToken (string) --

      The token for the next set of items to return. The token expires after 24 hours.
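
The new kmsKeyId field in the DescribeLogGroups response makes it possible to audit which log groups are encrypted with a CMK. The following is an added example, not part of the original API documentation: it pages through describe_log_groups with nextToken, classifies each group by its kmsKeyId, and calls associate_kms_key only for groups that have no CMK. The helper names, the FakeLogsClient stand-in, the key ARNs and the sample log groups are all constructed for illustration; against a real account, pass boto3.client('logs') instead of the fake.

```python
# Added example: helper names and sample data are constructed, not from the AWS docs.
def iter_log_groups(client, prefix=None):
    """Yield every log group, following nextToken until none is returned."""
    kwargs = {"logGroupNamePrefix": prefix} if prefix else {}
    while True:
        page = client.describe_log_groups(**kwargs)
        yield from page.get("logGroups", [])
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]

def audit_encryption(client, approved_key_arns, prefix=None):
    """Sort log group names by the kmsKeyId that DescribeLogGroups reports."""
    report = {"unencrypted": [], "unapproved_key": [], "ok": []}
    for group in iter_log_groups(client, prefix):
        key = group.get("kmsKeyId")  # assumption: field is absent when no CMK is associated
        bucket = "unencrypted" if key is None else "ok" if key in approved_key_arns else "unapproved_key"
        report[bucket].append(group["logGroupName"])
    return report

def encrypt_unencrypted(client, report, key_arn):
    """Associate key_arn with unencrypted groups only; associating overrides an
    existing CMK, so groups under an unapproved key are left for manual review."""
    for name in report["unencrypted"]:
        client.associate_kms_key(logGroupName=name, kmsKeyId=key_arn)
    return list(report["unencrypted"])

class FakeLogsClient:
    """Constructed stand-in for boto3.client('logs') so the example runs offline."""
    def __init__(self, groups, page_size=2):
        self.groups, self.page_size = groups, page_size
    def describe_log_groups(self, logGroupNamePrefix="", nextToken="0"):
        matched = [g for g in self.groups if g["logGroupName"].startswith(logGroupNamePrefix)]
        start = int(nextToken)
        page = {"logGroups": matched[start:start + self.page_size]}
        if start + self.page_size < len(matched):
            page["nextToken"] = str(start + self.page_size)
        return page
    def associate_kms_key(self, logGroupName, kmsKeyId):
        # The real call can take up to 5 minutes to take effect; the fake is immediate.
        next(g for g in self.groups if g["logGroupName"] == logGroupName)["kmsKeyId"] = kmsKeyId

KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-approved"  # constructed ARN
SAMPLE = [  # constructed log groups
    {"logGroupName": "/app/api", "kmsKeyId": KEY},
    {"logGroupName": "/app/auth"},
    {"logGroupName": "/app/batch", "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-other"},
    {"logGroupName": "/infra/vpc-flow"},
]
```

Because associating a CMK only affects newly ingested data and can take up to 5 minutes to take effect, re-run the audit after that window rather than immediately after remediation.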