Chore: Update edot cloud forwarder for AWS documentation

docs/reference/edot-cloud-forwarder/aws.md

@@ -1,4 +1,4 @@
 ---
 navigation_title: AWS
 description: Set up the EDOT Cloud Forwarder for AWS to bring your AWS logs to Elastic Observability.
 applies_to:
@@ -16,10 +16,10 @@
 
 {{edot-cf}} for AWS provides the EDOT Collector as a Lambda function that collects and forwards logs to Elastic Observability on {{serverless-full}}. {{edot-cf}} for AWS supports the following log sources:
 
-| Log source | Description |
+| AWS Service | Telemetry Description |
 | --- | --- |
-| VPC Flow | Logs generated by a Virtual Private Cloud (VPC) |
-| ELB Access | Logs generated by an Elastic Load Balancer (ELB) |
+| Virtual Private Cloud (VPC) | [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) to capture information about IP traffic  |
+| Elastic Load Balancer (ELB) | [Access logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html) for your Application Load Balancer |
 % | CloudWatch {applies_to}`product: planned` | Logs generated by AWS CloudWatch |
 
 Read on to learn how to set up {{edot-cf}} for AWS.
@@ -58,6 +58,7 @@
 - Access logging enabled, with the bucket as the destination
 
 :::
+
 <!--
 :::{tab-item} CloudWatch
 
@@ -87,8 +88,9 @@
 
 Before deploying {{edot-cf}} for AWS, keep these points in mind:
 
-- Deploy a separate CloudFormation stack for each log type, for example VPC Flow Logs or ELB Logs. Each CloudFormation stack can only process one log source and format at a time.
+- Deploy a separate CloudFormation stack for each log type, for example VPC Flow Logs or ELB Access Logs. Each CloudFormation stack can only process one log type and format at a time.
 - Logs stored in S3 must be placed in separate buckets. Each log type should reside in its own dedicated bucket.
+- The CloudFormation stack deployment region must match the region of the S3 bucket.
 
 ## Download the template [download-templates]
 
@@ -128,12 +130,13 @@
 
 | Setting            | Description |
 | ------------------ | --- |
-| `EdotCloudForwarderS3LogsType` | The encoding format for logs in the S3 bucket. Supported options:<br>- `vpc_flow_log`: VPC Flow logs<br>- `elb_access_log`: Elastic Load Balancer (ELB) Access logs<br>- `s3_access_log`: S3 Access logs<br>- `json`: JSON-formatted logs |
-| `S3LogsJsonEncodingMode` | _(Required if `EdotCloudForwarderS3LogsType` is `json`)_<br>Defines how JSON logs are structured:<br>- `body` _(default)_: Stores logs in the request body<br>- `body_with_inline_attributes`: Logs include inline attributes |
+| `EdotCloudForwarderS3LogsType` | The encoding format for logs in the S3 bucket. Supported options:<br>- `vpcflow`: VPC Flow Logs<br>- `elbaccess`: ELB Access logs|
 | `SourceS3BucketARN` | Amazon Resource Name (ARN) of the S3 bucket where logs are stored. This bucket will trigger the `edot-cloud-forwarder` Lambda function automatically. |
+% | `S3LogsJsonEncodingMode` | _(Required if `EdotCloudForwarderS3LogsType` is `json`)_<br>Defines how JSON logs are structured:<br>- `body` _(default)_: Stores logs in the request body<br>- `body_with_inline_attributes`: Logs include inline attributes |
 
 ::::
-<!--
+
+<!-- TODO: Enable when CloudWatch logs are supported
 ::::{tab-item} CloudWatch
 
 For CloudWatch logs, use the following settings:
@@ -146,28 +149,35 @@
 The log group must already exist in your AWS account and region. If the ARN points to a non-existent log group, stack deployment or updates might fail.
 :::
 ::::
+
 -->
+
 :::::
 
 ### Optional settings
 
 These are optional settings you can set in the CloudFormation template:
 
-| Setting            | Description |
-| ------------------- | --- |
-| `EdotCloudForwarderTimeout` | Maximum execution time for the Lambda function, measured in seconds. Default value is `300` seconds. Minimum value is `1` second. Maximum value is `900` seconds. |
-| `EdotCloudForwarderVersion` | Version of the EDOT Cloud Forwarder. Expected format is semantic versioning, for example `0.1.5`. Defaults to the latest available patch version. Don't change this value unless advised by Elastic Support. |
-| `EdotCloudForwarderMemorySize` | Set the allocated memory for the Lambda function, measured in megabytes. Default value is `1024` MB. Minimum value is `128` MB. Maximum value is `10240` MB. | 
-| `EdotCloudForwarderConcurrentExecutions` | Set the maximum number of reserved concurrent executions for the Lambda function. Default value is `50`. Make sure this value doesn't exceed your AWS account's concurrency limit. |
+| Setting            | Description                                                                                                                                                                                                  |
+| ------------------- |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `EdotCloudForwarderTimeout` | Maximum execution time for the Lambda function, measured in seconds. Default value is `300` seconds. Minimum value is `1` second. Maximum value is `900` seconds.                                            |
+| `EdotCloudForwarderVersion` | Version of the EDOT Cloud Forwarder. Expected format is semantic versioning, for example `0.2.4`. Defaults to the latest available patch version. Don't change this value unless advised by Elastic Support. |
+| `EdotCloudForwarderMemorySize` | Set the allocated memory for the Lambda function, measured in megabytes. Default value is `512` MB. Minimum value is `128` MB. Maximum value is `10240` MB.                                                  | 
+| `EdotCloudForwarderConcurrentExecutions` | Set the maximum number of reserved concurrent executions for the Lambda function. Default value is `5`. Make sure this value doesn't exceed your AWS account's concurrency limit.                            |
+| `EdotCloudForwarderExporterMaxQueueSize` | Set the internal OTLP exporter queue size. Default is `50` MB. You may incease this based on the data volume.                                                                                                |
 
+Default values of `EdotCloudForwarderMemorySize` and `EdotCloudForwarderConcurrentExecutions` should be sufficient for most use cases. 
+However, depending on your data volumes (individual Signal size such as size of S3 object per VPC log entry), you may need to finetune them.
+Key indications for the need of tuning these parameters are Lambda throttling and Lambda timeouts.
+Along with these, you may also need to adjust `EdotCloudForwarderExporterMaxQueueSize` to export higher data volumes.
 
 ## Deployment examples
 
 The following examples use the CloudFormation template files hosted in the [public S3 bucket](#download-templates).
 
 - Use the `--template-url` flag to reference a template hosted on S3. 
 - To always use the most recent stable templates, use the `latest` path. For example, `v0/latest`.  
-- To pin a specific version, replace `latest` with the desired version tag. For example, `v0/v0.1.5`.  
+- To pin a specific version, replace `latest` with the desired version tag. For example, `v0/v0.2.4`.  
 
 Alternatively, if you have downloaded the template file, you can use the `--template-body file://<path>` option with a local template file.
 
@@ -186,7 +196,7 @@
     ParameterKey=SourceS3BucketARN,ParameterValue=your-s3-vpc-bucket-arn \
     ParameterKey=OTLPEndpoint,ParameterValue="<placeholder>" \
     ParameterKey=ElasticAPIKey,ParameterValue="<placeholder>" \
-    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="vpc_flow_log"
+    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="vpcflow"
 ```
 ::::
 
@@ -204,10 +214,89 @@
     ParameterKey=SourceS3BucketARN,ParameterValue=your-s3-alb-bucket-arn \
     ParameterKey=OTLPEndpoint,ParameterValue="<placeholder>" \
     ParameterKey=ElasticAPIKey,ParameterValue="<placeholder>" \
-    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="elb_access_log"
+    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="elbaccess"
 ```
 ::::
-<!--
+
+<!-- To be added post GA
+
+::::{tab-item} S3 Access logs
+
+This example deploys a CloudFormation stack to collect S3 Access logs stored in an S3 bucket.
+
+```sh
+aws cloudformation create-stack \
+  --stack-name edot-cloud-forwarder-s3-access \
+  --template-url https://edot-cloud-forwarder.s3.amazonaws.com/v0/latest/cloudformation/s3_logs-cloudformation.yaml \
+  --capabilities CAPABILITY_NAMED_IAM \
+  --region eu-central-1 \
+  --parameters \
+    ParameterKey=SourceS3BucketARN,ParameterValue=your-s3-access-logs-bucket-arn \
+    ParameterKey=OTLPEndpoint,ParameterValue="<placeholder>" \
+    ParameterKey=ElasticAPIKey,ParameterValue="<placeholder>" \
+    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="s3_access_log"
+```
+::::
+
+::::{tab-item} CloudTrail logs
+
+This example deploys a CloudFormation stack to collect CloudTrail logs stored in an S3 bucket.
+
+```sh
+aws cloudformation create-stack \
+  --stack-name edot-cloud-forwarder-cloudtrail \
+  --template-url https://edot-cloud-forwarder.s3.amazonaws.com/v0/latest/cloudformation/s3_logs-cloudformation.yaml \
+  --capabilities CAPABILITY_NAMED_IAM \
+  --region eu-central-1 \
+  --parameters \
+    ParameterKey=SourceS3BucketARN,ParameterValue=your-cloudtrail-bucket-arn \
+    ParameterKey=OTLPEndpoint,ParameterValue="<placeholder>" \
+    ParameterKey=ElasticAPIKey,ParameterValue="<placeholder>" \
+    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="cloudtrail_log"
+```
+::::
+
+::::{tab-item} WAF logs
+
+This example deploys a CloudFormation stack to collect AWS WAF logs stored in an S3 bucket.
+
+```sh
+aws cloudformation create-stack \
+  --stack-name edot-cloud-forwarder-waf \
+  --template-url https://edot-cloud-forwarder.s3.amazonaws.com/v0/latest/cloudformation/s3_logs-cloudformation.yaml \
+  --capabilities CAPABILITY_NAMED_IAM \
+  --region eu-central-1 \
+  --parameters \
+    ParameterKey=SourceS3BucketARN,ParameterValue=arn:aws:s3:::aws-waf-logs-your-bucket-arn \
+    ParameterKey=OTLPEndpoint,ParameterValue="<placeholder>" \
+    ParameterKey=ElasticAPIKey,ParameterValue="<placeholder>" \
+    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="waf_log"
+```
+
+:::{note}
+Replace `aws-waf-logs-your-bucket-name` with your actual WAF logging bucket ARN. Remember that the bucket name must start with `aws-waf-logs-` as required by AWS WAF.
+:::
+::::
+
+::::{tab-item} JSON logs
+
+This example deploys a CloudFormation stack to collect JSON-formatted logs stored in an S3 bucket.
+
+```sh
+aws cloudformation create-stack \
+  --stack-name edot-cloud-forwarder-json \
+  --template-url https://edot-cloud-forwarder.s3.amazonaws.com/v0/latest/cloudformation/s3_logs-cloudformation.yaml \
+  --capabilities CAPABILITY_NAMED_IAM \
+  --region eu-central-1 \
+  --parameters \
+    ParameterKey=SourceS3BucketARN,ParameterValue=your-json-logs-bucket-arn \
+    ParameterKey=OTLPEndpoint,ParameterValue="<placeholder>" \
+    ParameterKey=ElasticAPIKey,ParameterValue="<placeholder>" \
+    ParameterKey=EdotCloudForwarderS3LogsType,ParameterValue="json" \
+    ParameterKey=S3LogsJsonEncodingMode,ParameterValue="body"
+```
+::::
+
 ::::{tab-item} CloudWatch logs
 
 This example deploys a CloudFormation stack to collect CloudWatch logs sent to a Log Group.
@@ -224,10 +313,12 @@
     ParameterKey=SourceCloudWatchLogGroupARN,ParameterValue="<your-log-group-arn>"
 ```
 
+-->
+
 :::{note}
 The `--capabilities CAPABILITY_NAMED_IAM` flag is required because this CloudFormation template creates AWS Identity and Access Management (IAM) resources. More specifically, it creates a named IAM role (`LambdaExecutionRole`) for the Lambda function. To acknowledge that AWS CloudFormation might create or modify IAM resources with custom names, you must specify the `CAPABILITY_NAMED_IAM` capability. 
 :::
--->
+
 ::::
 :::::
 
@@ -309,6 +400,27 @@
 6. Review your configuration and select **Submit** to deploy the stack.  
 7. Monitor the progress until the stack reaches the `CREATE_COMPLETE` state. 
 
+<!-- To be added at GA
+## Deployment using the AWS Serverless Application Repository
+
+In addition to deploying via CloudFormation templates, you can deploy the EDOT Cloud Forwarder application directly from the AWS Serverless Application Repository (SAR).
+
+:::{note}
+The same [deployment considerations](#deployment-considerations) apply to SAR deployments, including the requirement to deploy separate serverless applications for each log type and ensure the deployment region matches your S3 bucket region.
+:::
+
+To deploy from SAR, follow these steps:
+
+1. Navigate to **AWS Serverless Application Repository** in the AWS Management Console.
+2. Search for `edot-cloud-forwarder-s3-logs` and select the application.
+3. Select **Deploy**.
+4. **Configure the application settings**: You will be prompted to fill in the same parameters described in the [Required settings](#required-settings), [Log source settings](#log-source-settings), and [Optional settings](#optional-settings) sections. Refer to those sections for details on each parameter.
+5. **Acknowledge IAM role creation**: At the bottom of the page, check the box to acknowledge that the application will create custom IAM roles. This is required for the forwarder to access your S3 bucket and send data to Elastic Observability.
+6. Select **Deploy**.
+
+The deployment process will start, and a CloudFormation stack will be created with all the necessary resources. You can monitor the progress in the AWS CloudFormation console under **Stacks**.
+-->
+
 ## CloudFormation stack resources
 
 The CloudFormation templates create a number of resources to process logs from a specific log source.
@@ -333,7 +445,10 @@
 The main Lambda function, `LambdaFunction`, is the core component for processing S3 logs. S3 event notifications are handled dynamically using `CustomNotificationUpdater` and `NotificationUpdaterLambda`. 
 
 CloudWatch logs ensure detailed monitoring of Lambda executions. IAM roles and permissions control access between S3 and Lambda functions, while `S3FailureBucketARN` prevents data loss by capturing unprocessed logs.
-<!--
+
+
+<!-- TODO: Enable when CloudWatch logs are supported
+
 ### Resources for CloudWatch Logs
 
 This is a list of resources created by the stack when CloudWatch logs are the source.
@@ -351,7 +466,69 @@
 The CloudWatch Log Subscription Filter, `CloudWatchLogSubscriptionFilter`, ensures logs are correctly forwarded to the Lambda function. The Lambda function, `LambdaFunction`, serves as the core processing unit for CloudWatch logs. 
 
 CloudWatch Log Groups help monitor execution performance and debug issues. IAM permissions (`LambdaExecutionRole`, `LambdaPermissionCloudWatch`) control interactions between CloudWatch and Lambda, while the failure bucket, `S3FailureBucketARN`, helps prevent data loss in case of processing errors.
+
 -->
+## Kibana integration setup
+
+After {{edot-cf}} for AWS is successfully running and forwarding logs to Elastic Observability, you can install pre-built integrations in Kibana to visualize your data with out-of-the-box dashboards and visualizations.
+
+### Install integrations
+
+To set up data visualization for your AWS logs:
+
+1. **Navigate to Kibana**: Log into your Elastic Cloud deployment and open Kibana.
+
+2. **Access Integrations**: Go to **Management** → **Integrations** in the Kibana navigation menu.
+
+3. **Search and install**: Search for the appropriate integration based on your log type and install it:
+
+| **AWS Log Type** | **Integration Name** | **Description** |
+|------------------|---------------------|-----------------|
+| ELB Access Logs | **AWS ELB OpenTelemetry Assets** | Dashboards and visualizations for Elastic Load Balancer logs |
+| VPC Flow Logs | **AWS VPC Flow Logs OpenTelemetry Assets** | Dashboards and visualizations for VPC flow log data |
+
+4. **Access dashboards**: Once installed, navigate to **Dashboard** to view the pre-built dashboards for your AWS log data.
+
+### Benefits
+
+This allows you to immediately start analyzing your AWS infrastructure without building dashboards from scratch.
+
+## Error handling and retrying
+
+{{edot-cf}} store Lambda invocation events related to retryable errors at the S3 bucket specified by `S3FailureBucketARN` parameter.
+Retryable errors here include, 
+ - Network errors when attempting to forward to OTLPEndpoint
+ - Invalid or expired ElasticApiKey
+ - Lambda triggered by events that mismatch EdotCloudForwarderS3LogsType selection 
+
+These errors can be replayed manually to back-fill any gaps in your data.
+
+### Replay failed events
+
+To replay errors simply invoke the Lambda with manual trigger type `replayFailedEvents`,
+
+```sh
+aws lambda invoke \
+  --function-name <LAMBDA_NAME> \
+  --payload '{ "replayFailedEvents": {"replayFailedEvents":{"dryrun":false,"removeOnSuccess":true}}}' \
+  --cli-binary-format raw-in-base64-out /dev/null
+```
+Replace `<LAMBDA_NAME>` with the name from your deployment.
+
+Table below explains supported configuration options,
+
+| Option          | Description                                                                                                                                   | Default |
+|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------|
+| dryrun          | Run the command without processing actual backup events. Useful to understand details about replaying error files from Lambda CloudWatch logs | false   |
+| removeOnSuccess | Configure whether to remove error event from S3 error destination, if processing is successful                                                | true    |
+
+When successful, you should see `"StatusCode": 200` as an output. You may check CloudWatch logs (resource `LambdaLogGroup`) for detailed logs.
+
+:::{note}
+With AWS CLI, you can use `--timeout` option to increase currently configured Lambda timeout for custom invocations.
+However, if a timeout occur, you will need to run the custom event multiple times to fully process all error events from the bucket.
+:::
+
 ## **Delete a CloudFormation stack**
 
 If you no longer need a deployed stack and want to clean up all associated resources, you can delete it using the following command: