[AWS docs] Required permissions under AWS custom logs

[octavioranieri]

Currently we only mention the required permissions under the parent AWS integration, which would cover all the AWS integrations:
https://www.elastic.co/docs/current/integrations/aws#aws-permissions

Users may need more granular of what’s required for the specifics instead of having all the permissions.

AWS custom logs docs should have the specific required permissions, similar to the Filebeat module:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#_aws_permissions_2

[lucabelluccini]

The request here could be expanded further, where we should have a way to include the documentation associated to a specific input in all integrations using it.

E.g. aws-s3 input is used in several integrations (O11y & Security owned) and in all of them generally the settings and prerequisites are similar.

[lucabelluccini]

FYI @alaudazzi / @eedugon do you know what might be the best way to put this under the radar?

[alaudazzi]

@lucabelluccini Thanks for raising this! It makes sense to provide more granular info where needed and consolidate similar settings to facilitate discoverability. I can follow up on this ticket.

[alaudazzi]

@lucabelluccini
I'm working on this ticket and I try to recap below what is needed:

• be more specific about the required permissions (check the Filbeat module as a good example)
• replicate/reference them in all the integrations that apply

Can you confirm this is correct?
Who can provide the input to update the docs?

[lucabelluccini]

Hello @alaudazzi

This specific issue was opened to enhance the Custom AWS Logs Integration to mention what are the permissions in order to pull data from S3 Bucket or CloudWatch.

For Cloudwatch we should refer/copy over https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-cloudwatch.html#_aws_permissions

For S3 Bucket we should refer/copy over https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#_aws_permissions_2

I think you can reach out the maintainers of Custom AWS Logs if you want to be certain of the list of permissions needed.
The owners can be looked up at https://github.com/elastic/integrations/blob/main/.github/CODEOWNERS#L75C1-L75C51

Once we do this, I think we can consider this issue as done.

---

As a follow up issue, our suggestion would be to ensure integrations which all use the same input (e.g. all integrations which allow to pull from AWS S3) should refer/include to the same permission set.

Doing this if we change the AWS S3 input and something changes at permissions level, it is easier to change it in one place and get it propagated to all integrations which make use of that input.

I think this is something bigger to be likely tackled with the integrations devs & your team as it would require to have some kind of include/import docs in each integration.
It also likely affects not only the O11y organization but also Security (as many integrations rely on it).
If you agree on this idea, I would kindly ask if you can spin off a separate issue (on the repo you think it's more suitable) and your team will prioritize according to your capacity/plans. WDYT?

[alaudazzi]

@lucabelluccini
Thank you for your feedback. It makes sense to track the second part in a separate issue: #11793.

[alaudazzi]

CC @kaiyan-sheng