AWS AmazonCloudWatch high security documentation change
Summary
Updated KMS example policy for CloudWatch Logs anomaly detection to include stricter conditions
Security assessment
Explicitly reduces policy scope by adding 'aws:SourceAccount' and 'aws:SourceArn' conditions, directly addressing least-privilege security best practices to prevent unintended access.
Diff
diff --git a/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md b/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md index a7a2da3cb..b397c5d53 100644 --- a//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md +++ b//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md @@ -10,0 +11 @@ Change| Description| Date +CloudWatch Logs anomaly detection updated example policy| CloudWatch Logs updated the KMS example policy to reduce its scope and improve security to by adding conditions for `aws:SourceAccount` and `aws:SourceArn`. For more information, see [Encrypt an anomaly detector and its results with AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/LogsAnomalyDetection-KMS.html)| July 14, 2025