AWS API Changes

2023/07/07 - Amazon CloudWatch Logs - 3 updated api methods

Changes Add CMK encryption support for CloudWatch Logs Insights query result data

AssociateKmsKey (updated)

Link ¶
Changes (request)

{'resourceIdentifier': 'string'}

Associates the specified KMS key with either one log group in the account, or with all stored CloudWatch Logs query insights results in the account.

When you use AssociateKmsKey , you specify either the logGroupName parameter or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.

Specify the logGroupName parameter to cause all log events stored in the log group to be encrypted with that key. Only the log events ingested after the key is associated are encrypted with that key. Associating a KMS key with a log group overrides any existing associations between the log group and a KMS key. After a KMS key is associated with a log group, all newly ingested data for the log group is encrypted using the KMS key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested. Associating a key with a log group does not cause the results of queries of that log group to be encrypted with that key. To have query results encrypted with a KMS key, you must use an AssociateKmsKey operation with the resourceIdentifier parameter that specifies a query-result resource.
Specify the resourceIdentifier parameter with a query-result resource, to use that key to encrypt the stored results of all future StartQuery operations in the account. The response from a GetQueryResults operation will still return the query results in plain text. Even if you have not associated a key with your query results, the query results are encrypted when stored, using the default CloudWatch Logs method. If you run a query from a monitoring account that queries logs in a source account, the query results key from the monitoring account, if any, is used.

Warning

If you delete the key that is used to encrypt log events or log group query results, then all the associated stored log events or query results that were encrypted with that key will be unencryptable and unusable.

Note

CloudWatch Logs supports only symmetric KMS keys. Do not use an associate an asymmetric KMS key with your log group or query results. For more information, see Using Symmetric and Asymmetric Keys.

It can take up to 5 minutes for this operation to take effect.

If you attempt to associate a KMS key with a log group but the KMS key does not exist or the KMS key is disabled, you receive an InvalidParameterException error.

See also: AWS API Documentation

Request Syntax

client.associate_kms_key(
    logGroupName='string',
    kmsKeyId='string',
    resourceIdentifier='string'
)

type logGroupName

string

param logGroupName

The name of the log group.

In your AssociateKmsKey operation, you must specify either the resourceIdentifier parameter or the logGroup parameter, but you can't specify both.

type kmsKeyId

string

param kmsKeyId

[REQUIRED]

The Amazon Resource Name (ARN) of the KMS key to use when encrypting log data. This must be a symmetric KMS key. For more information, see Amazon Resource Names and Using Symmetric and Asymmetric Keys.

type resourceIdentifier

string

param resourceIdentifier

Specifies the target for this operation. You must specify one of the following:

Specify the following ARN to have future GetQueryResults operations in this account encrypt the results with the specified KMS key. Replace REGION and ACCOUNT_ID with your Region and account ID. arn:aws:logs:REGION:ACCOUNT_ID:query-result:*
Specify the ARN of a log group to have CloudWatch Logs use the KMS key to encrypt log events that are ingested and stored by that log group. The log group ARN must be in the following format. Replace REGION and ACCOUNT_ID with your Region and account ID. arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME

In your AssociateKmsKey operation, you must specify either the resourceIdentifier parameter or the logGroup parameter, but you can't specify both.

returns

None

DisassociateKmsKey (updated)

Link ¶
Changes (request)

{'resourceIdentifier': 'string'}

Disassociates the specified KMS key from the specified log group or from all CloudWatch Logs Insights query results in the account.

When you use DisassociateKmsKey , you specify either the logGroupName parameter or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.

Specify the logGroupName parameter to stop using the KMS key to encrypt future log events ingested and stored in the log group. Instead, they will be encrypted with the default CloudWatch Logs method. The log events that were ingested while the key was associated with the log group are still encrypted with that key. Therefore, CloudWatch Logs will need permissions for the key whenever that data is accessed.
Specify the resourceIdentifier parameter with the query-result resource to stop using the KMS key to encrypt the results of all future StartQuery operations in the account. They will instead be encrypted with the default CloudWatch Logs method. The results from queries that ran while the key was associated with the account are still encrypted with that key. Therefore, CloudWatch Logs will need permissions for the key whenever that data is accessed.

It can take up to 5 minutes for this operation to take effect.

See also: AWS API Documentation

Request Syntax

client.disassociate_kms_key(
    logGroupName='string',
    resourceIdentifier='string'
)

type logGroupName

string

param logGroupName

The name of the log group.

In your DisassociateKmsKey operation, you must specify either the resourceIdentifier parameter or the logGroup parameter, but you can't specify both.

type resourceIdentifier

string

param resourceIdentifier

Specifies the target for this operation. You must specify one of the following:

Specify the ARN of a log group to stop having CloudWatch Logs use the KMS key to encrypt log events that are ingested and stored by that log group. After you run this operation, CloudWatch Logs encrypts ingested log events with the default CloudWatch Logs method. The log group ARN must be in the following format. Replace REGION and ACCOUNT_ID with your Region and account ID. arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME
Specify the following ARN to stop using this key to encrypt the results of future StartQuery operations in this account. Replace REGION and ACCOUNT_ID with your Region and account ID. arn:aws:logs:REGION:ACCOUNT_ID:query-result:*

In your DisssociateKmsKey operation, you must specify either the resourceIdentifier parameter or the logGroup parameter, but you can't specify both.

returns

None

GetQueryResults (updated)

Link ¶
Changes (response)

{'encryptionKey': 'string'}

Returns the results from the specified query.

Only the fields requested in the query are returned, along with a @ptr field, which is the identifier for the log record. You can use the value of @ptr in a GetLogRecord operation to get the full log record.

GetQueryResults does not start running a query. To run a query, use StartQuery.

If the value of the Status field in the output is Running , this operation returns only partial results. If you see a value of Scheduled or Running for the status, you can retry the operation later to see the final results.

If you are using CloudWatch cross-account observability, you can use this operation in a monitoring account to start queries in linked source accounts. For more information, see CloudWatch cross-account observability.

See also: AWS API Documentation

Request Syntax

client.get_query_results(
    queryId='string'
)

type queryId

string

param queryId

[REQUIRED]

The ID number of the query.

rtype

dict

returns

Response Syntax

{
    'results': [
        [
            {
                'field': 'string',
                'value': 'string'
            },
        ],
    ],
    'statistics': {
        'recordsMatched': 123.0,
        'recordsScanned': 123.0,
        'bytesScanned': 123.0
    },
    'status': 'Scheduled'|'Running'|'Complete'|'Failed'|'Cancelled'|'Timeout'|'Unknown',
    'encryptionKey': 'string'
}

Response Structure

(dict) --
- results (list) --
  
  The log events that matched the query criteria during the most recent time it ran.
  
  The results value is an array of arrays. Each log event is one object in the top-level array. Each of these log event objects is an array of field / value pairs.
  - (list) --
    - (dict) --
      
      Contains one field from one log event returned by a CloudWatch Logs Insights query, along with the value of that field.
      
      For more information about the fields that are generated by CloudWatch logs, see Supported Logs and Discovered Fields.
      - field (string) --
        
        The log event field.
      - value (string) --
        
        The value of this field.
- statistics (dict) --
  
  Includes the number of log events scanned by the query, the number of log events that matched the query criteria, and the total number of bytes in the scanned log events. These values reflect the full raw results of the query.
  - recordsMatched (float) --
    
    The number of log events that matched the query string.
  - recordsScanned (float) --
    
    The total number of log events scanned during the query.
  - bytesScanned (float) --
    
    The total number of bytes in the log events scanned during the query.
- status (string) --
  
  The status of the most recent running of the query. Possible values are Cancelled , Complete , Failed , Running , Scheduled , Timeout , and Unknown .
  
  Queries time out after 60 minutes of runtime. To avoid having your queries time out, reduce the time range being searched or partition your query into a number of queries.
- encryptionKey (string) --
  
  If you associated an KMS key with the CloudWatch Logs Insights query results in this account, this field displays the ARN of the key that's used to encrypt the query results when StartQuery stores them.