AWS Security ChangesHomeSearch

AWS AmazonCloudWatch high security documentation change

Service: AmazonCloudWatch · 2025-07-16 · Security-related high

File: AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md

Summary

Updated KMS example policy for CloudWatch Logs anomaly detection to include stricter conditions

Security assessment

Explicitly reduces policy scope by adding 'aws:SourceAccount' and 'aws:SourceArn' conditions, directly addressing least-privilege security best practices to prevent unintended access.

Diff

diff --git a/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md b/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md
index a7a2da3cb..b397c5d53 100644
--- a//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md
+++ b//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md
@@ -10,0 +11 @@ Change| Description| Date
+CloudWatch Logs anomaly detection updated example policy|  CloudWatch Logs updated the KMS example policy to reduce its scope and improve security to by adding conditions for `aws:SourceAccount` and `aws:SourceArn`. For more information, see [Encrypt an anomaly detector and its results with AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/LogsAnomalyDetection-KMS.html)| July 14, 2025