cloud: update logpush docs (#1267)

<!-- Explain the changes introduced in your PR -->

## Pull Request approval

You will need to get your PR approved by at least one member of the
Sourcegraph team. For reviews of docs formatting, styles, and component
usage, please tag the docs team via the #docs Slack channel.

Author: michaellzc

docs/cloud/index.mdx

@@ -154,8 +154,7 @@ To learn more about how the Sourcegraph team operates managed SMTP internally, r
 
 ### Audit Logs
 
-Our Cloud instances provide [audit logs](/admin/audit_log#cloud) to help you monitor and investigate actions taken by users and the system. These logs are available to download by request and are also sent to a [centralized logging service](https://about.sourcegraph.com/security#logging) for 30 day retention. Should you wish to
-extend this period, please be aware that additional charges will apply.
+Our Cloud instances provide [audit logs](/admin/audit_log#cloud) to help you monitor and investigate actions taken by users and the system. These logs are available to download by request and are also sent to a [centralized logging service](https://about.sourcegraph.com/security#logging) for 30 day retention. Should you wish to extend this period, please be aware that additional charges will apply.
 To request an extension, please contact your assigned Customer Engineer (CE) or send an email to Sourcegraph Support at [email protected].
 
 #### Download audit logs
@@ -164,12 +163,12 @@ For requesting audit logs, please contact your our support team.
 
 #### Deliver audit logs to customer-managed destination (LogPush)
 
-Sourcegraph LogPush is an optional add-on to deliver audit logs to a customer provided destination. To enable this feature, please contact your assigned Customer Engineer (CE) or support team.
+Sourcegraph LogPush is an optional add-on to deliver audit logs to a customer provided destination. To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the setup instructions for your destination.
 
 Supported destinations:
 
-- Google Cloud Storage (GCS)
-- Amazon S3 (AWS)
+- [Google Cloud Storage (GCS)](./logpush_gcs)
+- [Amazon Web Services S3 (AWS)](./logpush_s3)
 
 ## Requirements
 

docs/cloud/logpush_gcs.mdx

@@ -0,0 +1,20 @@
+# LogPush for Google Cloud Storage (GCS)
+
+## Overview
+
+Our services will periodically push audit logs to customer-managed GCS bucket. Authentication and authorization are securely handled by GCP IAM service.
+
+## Steps
+
+To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instruction. Below is a high level overview of the steps.
+
+- Sourcegraph provides below information to customer:
+  - email of a Sourcegraph-owned GCP Service Account (GSA)
+  - a unique file to prove bucket ownership
+- Customer to perform the following:
+  - creates a GCS bucket
+  - grants the Sourcegraph-owned GSA sufficient IAM roles to access the bucket
+  - uploads the ownership file to prove bucket ownership
+- Customer to inform Sourcegraph of the bucket name
+
+Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed GCS bucket.

docs/cloud/logpush_s3.mdx

@@ -0,0 +1,31 @@
+# LogPush for Amazon S3 (AWS)
+
+## Overview
+
+Our services will periodically push audit logs to customer-managed AWS S3 bucket. Authentication and authorization are securely handled by AWS Security Token Service with an explicit trust relationship between Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket.
+
+## Steps
+
+To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instruction. Below is a high level overview of the steps.
+
+- Sourcegraph provides below information to customer:
+  - GCP identity (GCP Service Account)
+  - a unique file to prove bucket ownership
+- Customer to perform the following:
+  - creates a S3 bucket
+  - configures the trust relationship with AWS IAM
+  - uploads the ownership file to prove bucket ownership
+- Customer to inform Sourcegraph of the S3 bucket ARN and the AWS IAM role ARN
+
+Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed S3 bucket.
+
+## FAQ
+
+### How does the authentication work?
+
+Sourcegraph will provide instructions on how to configure the trust relationship between the Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket. We will also provide the example configuration in Terraform. At a high level:
+
+- Customer creates a AWS IAM role:
+  - with a policy to permit such role to access the S3 bucket
+  - with a policy to permit the Sourcegraph-owned GSA to assume such role
+- Sourcegraph assumes the provisioned AWS IAM role to access the bucket