AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2025-05-03 · Security-related medium

File: AmazonCloudWatch/latest/logs/encrypt-log-data-kms.md

Summary

Fixed syntax in KMS key policy and IAM policy examples by adding a missing comma after 'kms:GenerateDataKey*'

Security assessment

The missing comma could cause policy syntax errors, potentially preventing proper encryption of log data. Correcting this ensures KMS encryption works as intended, addressing a security risk of unencrypted logs.

Diff

diff --git a/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.md b/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.md
index ff90ea26c..cb67809a3 100644
--- a//AmazonCloudWatch/latest/logs/encrypt-log-data-kms.md
+++ b//AmazonCloudWatch/latest/logs/encrypt-log-data-kms.md
@@ -172 +172 @@ To add permissions in the AWS KMS Key Policy, add the following additional state
-        "kms:GenerateDataKey*"
+        "kms:GenerateDataKey*",
@@ -199,2 +199 @@ Alternatively if you would like to manage role permissions in IAM, you can add e
-                "kms:GenerateDataKey*
-                ",
+                "kms:GenerateDataKey*",