From e508849592fb9ab104514d5cf5e04284f9c678cd Mon Sep 17 00:00:00 2001 From: Grace Lin Date: Tue, 16 Dec 2025 15:19:13 -0500 Subject: [PATCH 1/5] feat: update docs to manage log access ARNs --- doc/administration/dedicated/monitor.md | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/doc/administration/dedicated/monitor.md b/doc/administration/dedicated/monitor.md index 01d5e161af1883..3a4aa32be72684 100644 --- a/doc/administration/dedicated/monitor.md +++ b/doc/administration/dedicated/monitor.md 
@@ -23,14 +23,27 @@ Logs stored in the S3 bucket are retained indefinitely. GitLab team members can view more information about the proposed retention policy in this confidential issue: `https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/483`. -## Request access to application logs +## Manage access to application logs -To gain read-only access to the S3 bucket with your application logs: +To manage read-only access to the S3 bucket with your application logs: -1. Open a [support ticket](https://support.gitlab.com/hc/en-us/requests/new?ticket_form_id=4414917877650) - with the title `Customer Log Access`. -1. In the body of the ticket, include a list of IAM ARNs for the users or roles that require - access to the logs. Specify the full ARN path without wildcards (`*`). For example: +1. Sign in to [Switchboard](https://console.gitlab-dedicated.com/). +1. At the top of the page, select **Configuration**. +1. Expand **Resource access**. +1. Under **Application logs**, locate the **Log access ARNs** field. + - To add a new ARN: + 1. Select **Add ARN**. + 1. Enter the ARN. + 1. Select **Save**. + - To edit an existing ARN: + 1. Select the pencil ({{< icon name="pencil" >}}) next to the ARN. + 1. Edit the ARN. + 1. Select **Save**. + - To delete an ARN: + 1. Select the trash can ({{< icon name="remove" >}}) next to the ARN. + 1. On the confirmation dialog, select **Delete**. + +Specify the full ARN path without wildcards (`*`). For example: - User: `arn:aws:iam::123456789012:user/username` - Role: `arn:aws:iam::123456789012:role/rolename` -- GitLab From 3c7ba8d1077e14146ffadb70c453241ab4a81c48 Mon Sep 17 00:00:00 2001 From: Grace Lin Date: Tue, 16 Dec 2025 15:34:10 -0500 Subject: [PATCH 2/5] Fix indents on unordered list --- doc/administration/dedicated/monitor.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/doc/administration/dedicated/monitor.md b/doc/administration/dedicated/monitor.md index 3a4aa32be72684..593c37f22a99ae 100644 --- a/doc/administration/dedicated/monitor.md +++ b/doc/administration/dedicated/monitor.md @@ -45,8 +45,8 @@ To manage read-only access to the S3 bucket with your application logs: Specify the full ARN path without wildcards (`*`). For example: - - User: `arn:aws:iam::123456789012:user/username` - - Role: `arn:aws:iam::123456789012:role/rolename` +- User: `arn:aws:iam::123456789012:user/username` +- Role: `arn:aws:iam::123456789012:role/rolename` {{< alert type="note" >}} -- GitLab From e43c683d0b7a46bb69533f3767b1ccd1ba401c91 Mon Sep 17 00:00:00 2001 From: Grace Lin Date: Wed, 17 Dec 2025 11:01:54 -0500 Subject: [PATCH 3/5] Apply review suggestions --- doc/administration/dedicated/monitor.md | 78 +++++++++---------------- 1 file changed, 27 insertions(+), 51 deletions(-) diff --git a/doc/administration/dedicated/monitor.md b/doc/administration/dedicated/monitor.md index 593c37f22a99ae..bc8ebe7219ea4c 100644 --- a/doc/administration/dedicated/monitor.md +++ b/doc/administration/dedicated/monitor.md @@ -2,8 +2,8 @@ stage: GitLab Dedicated group: Switchboard info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -description: Access application logs and S3 bucket data to monitor your GitLab Dedicated instance. -title: Monitor your GitLab Dedicated instance +description: Manage access to application logs for your GitLab Dedicated instance. +title: Access application logs for GitLab Dedicated --- {{< details >}} 
@@ -13,73 +13,49 @@ title: Monitor your GitLab Dedicated instance {{< /details >}} -GitLab delivers [application logs](../logs/_index.md) to an Amazon S3 bucket in the GitLab -tenant account, which can be shared with you. -To access these logs, you must provide AWS Identity and Access Management (IAM) Amazon Resource -Names (ARNs) that uniquely identify your AWS users or roles. +GitLab Dedicated automatically delivers your instance's application logs to a private Amazon S3 bucket. +These logs contain both infrastructure and application data for monitoring, troubleshooting, and compliance purposes. -Logs stored in the S3 bucket are retained indefinitely. +The S3 bucket contains logs that are: -GitLab team members can view more information about the proposed retention policy in -this confidential issue: `https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/483`. +- Stored indefinitely and encrypted using AWS KMS keys managed by GitLab. +- Organized by date in `YYYY/MM/DD/HH` format. +- Streamed in real-time using [Amazon Kinesis Data Firehose](https://aws.amazon.com/firehose/). + +If you use [BYOK](encryption.md#bring-your-own-key-byok), application logs use GitLab-managed keys, not your provided key. ## Manage access to application logs -To manage read-only access to the S3 bucket with your application logs: +You can add, edit, or remove AWS IAM users and roles that have read-only access to your application logs. -1. Sign in to [Switchboard](https://console.gitlab-dedicated.com/). -1. At the top of the page, select **Configuration**. -1. Expand **Resource access**. -1. Under **Application logs**, locate the **Log access ARNs** field. - - To add a new ARN: - 1. Select **Add ARN**. - 1. Enter the ARN. - 1. Select **Save**. - - To edit an existing ARN: - 1. Select the pencil ({{< icon name="pencil" >}}) next to the ARN. - 1. Edit the ARN. - 1. Select **Save**. - - To delete an ARN: - 1. Select the trash can ({{< icon name="remove" >}}) next to the ARN. 
- 1. On the confirmation dialog, select **Delete**. - -Specify the full ARN path without wildcards (`*`). For example: - -- User: `arn:aws:iam::123456789012:user/username` -- Role: `arn:aws:iam::123456789012:role/rolename` +Prerequisites: + +- You must have the full ARN path for each AWS user or role that needs access. {{< alert type="note" >}} -Only IAM user and role ARNs are supported. -Security Token Service (STS) ARNs (`arn:aws:sts::...`) cannot be used. +You can only use IAM user and role ARNs. +Security Token Service (STS) ARNs and wildcards are not supported. {{< /alert >}} -GitLab provides the name of the S3 bucket. Your authorized users or roles can then access all objects in the bucket. -To verify access, you can use the [AWS CLI](https://aws.amazon.com/cli/). - -GitLab team members can view more information about the proposed feature to add wildcard support in this -confidential issue: `https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/7010`. - -## Find your S3 bucket name - -To find your S3 bucket name: +To manage log access: 1. Sign in to [Switchboard](https://console.gitlab-dedicated.com/). 1. At the top of the page, select **Configuration**. 1. Expand **Resource access**. -1. Under **Application logs**, locate the **Logs S3 bucket name** field. - -For information about how to access S3 buckets after you have the name, see the [AWS documentation about accessing S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html). - -## S3 bucket contents and structure +1. Under **Application logs**, in the **Log access ARNs** section: -The Amazon S3 bucket contains a combination of infrastructure logs and application logs from the GitLab [log system](../logs/_index.md). + - To add access: Select **Add ARN**, enter the full ARN path (for example, `arn:aws:iam::123456789012:user/username` for a user or `arn:aws:iam::123456789012:role/rolename` for a role), then select **Save**. 
+ - To edit access: Next to an ARN, select the pencil icon ({{< icon name="pencil" >}}), update the ARN, then select **Save**. + - To remove access: Next to an ARN, select the trash icon ({{< icon name="remove" >}}), then select **Delete**. -The logs in the bucket are encrypted using an AWS KMS key managed by GitLab. If you choose to enable [BYOK](encryption.md#bring-your-own-key-byok), the application logs are not encrypted with the key you provide. +1. Copy the **Logs S3 bucket name**. Your authorized users or roles use this bucket name to access the logs. - +After you configure ARN permissions and provide the bucket name to your users, +they can access all objects in the S3 bucket. +To verify access, use the [AWS CLI](https://aws.amazon.com/cli/). -The logs in the S3 bucket are organized by date in `YYYY/MM/DD/HH` format. For example, a directory named `2023/10/12/13` contains logs from October 12, 2023 at 13:00 UTC. The logs are streamed into the bucket with [Amazon Kinesis Data Firehose](https://aws.amazon.com/firehose/). +For information about how to access S3 buckets in AWS, +see [Accessing an Amazon S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html). - -- GitLab From 005a0118a1c4953b4c0a83600fb54275b1c78aea Mon Sep 17 00:00:00 2001 From: Grace Lin Date: Wed, 17 Dec 2025 12:04:37 -0500 Subject: [PATCH 4/5] update missed pages --- doc/administration/dedicated/_index.md | 2 +- doc/administration/dedicated/tenant_overview.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/administration/dedicated/_index.md b/doc/administration/dedicated/_index.md index 7b8eb2d4a80671..f09119ec89ee54 100644 --- a/doc/administration/dedicated/_index.md +++ b/doc/administration/dedicated/_index.md 
@@ -74,7 +74,7 @@ To learn more, see [GitLab Dedicated architecture](architecture.md). | Feature | Description | Set up with | |------------|-------------|-----------------| -| [Application logs](monitor.md) | GitLab delivers logs to your AWS S3 bucket. You can request access to monitor instance activity through these logs. | Support ticket | +| [Application logs](monitor.md) | Manage access to application logs stored in S3 bucket for monitoring and troubleshooting. | Switchboard | | [Email service](configure_instance/users_notifications.md#smtp-email-service) | GitLab provides AWS SES by default to send emails from your GitLab Dedicated instance. You can also configure your own SMTP email service. | Support ticket for
custom service | | [Switchboard access and
notifications](configure_instance/users_notifications.md) | You manage Switchboard permissions and notification settings. GitLab maintains the Switchboard infrastructure. | Switchboard | | [Switchboard SSO](configure_instance/authentication/_index.md#configure-switchboard-sso) | You configure your organization's identity provider and supply GitLab with the necessary details. GitLab configures single-sign-on (SSO) for Switchboard. | Support ticket | diff --git a/doc/administration/dedicated/tenant_overview.md b/doc/administration/dedicated/tenant_overview.md index 818bd91e6c9f4b..978de081545c46 100644 --- a/doc/administration/dedicated/tenant_overview.md +++ b/doc/administration/dedicated/tenant_overview.md @@ -95,7 +95,7 @@ Use this information to: - Set up tools that need the specific S3 bucket name to retrieve logs. - Meet compliance and auditing requirements. -To request access and access application logs, see [monitor your GitLab Dedicated instance](monitor.md). +To manage access to and view application logs, see [access application logs for GitLab Dedicated](monitor.md). ### NAT gateway IP addresses -- GitLab From 9bf32331b5638b064cfcda8387c634193f1016ae Mon Sep 17 00:00:00 2001 From: Grace Lin Date: Wed, 17 Dec 2025 12:16:26 -0500 Subject: [PATCH 5/5] fix lint --- doc/administration/dedicated/monitor.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/administration/dedicated/monitor.md b/doc/administration/dedicated/monitor.md index bc8ebe7219ea4c..160ef40e8f2cdf 100644 --- a/doc/administration/dedicated/monitor.md +++ b/doc/administration/dedicated/monitor.md @@ -58,4 +58,3 @@ To verify access, use the [AWS CLI](https://aws.amazon.com/cli/). For information about how to access S3 buckets in AWS, see [Accessing an Amazon S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html). - -- GitLab
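Review bot: In PATCH 1/5 (`doc/administration/dedicated/monitor.md`, hunk `@@ -23,14 +23,27 @@`), the sentence "Specify the full ARN path without wildcards" is placed after the whole add/edit/delete list, so a reader following the steps reaches **Save** before learning which ARN forms are accepted. Move the constraint into the `1. Enter the ARN.` step, or state it before step 1 so it reads as a precondition.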
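Review bot: In PATCH 3/5 (`doc/administration/dedicated/monitor.md`, hunk `@@ -13,73 +13,49 @@`), the new bullet "Organized by date in `YYYY/MM/DD/HH` format." drops what the removed sentence stated, that the hour directory is in UTC, along with its `2023/10/12/13` example. Anyone correlating these logs with another timeline needs the timezone, so keep it in the bullet, for example "Organized by date in `YYYY/MM/DD/HH` format (UTC)." Two smaller points in the same hunk: the `## Find your S3 bucket name` and `## S3 bucket contents and structure` headings are deleted, so check for inbound links to those anchors, and the rewritten note no longer shows the `arn:aws:sts::...` prefix that let readers recognize an STS ARN at a glance.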
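Review bot: In PATCH 4/5 (`doc/administration/dedicated/_index.md`, hunk `@@ -74,7 +74,7 @@`), the new table cell reads "stored in S3 bucket", which is missing an article. Suggest "Manage access to application logs stored in an S3 bucket for monitoring and troubleshooting."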
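Review bot: In PATCH 4/5 (`doc/administration/dedicated/tenant_overview.md`, hunk `@@ -95,7 +95,7 @@`), "To manage access to and view application logs" is hard to parse because two verbs share one object across the "and". Suggest "To manage access to application logs, see ...". The link text is also lowercase ("access application logs for GitLab Dedicated") while the title set in PATCH 3/5 is "Access application logs for GitLab Dedicated"; match the title's capitalization.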