AWS AmazonCloudWatch medium security documentation change
Summary
Updated IAM policy conditions for KMS key usage to use StringEquals for account ID and StringLike/ArnLike for ARN patterns
Security assessment
The change strengthens IAM policy conditions by explicitly validating source account ID and narrowing ARN patterns. This prevents potential privilege escalation by ensuring KMS keys are only used by authorized CloudWatch Logs anomaly detector resources in specific accounts.
Diff
diff --git a/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md b/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md index 15219c360..315c46aed 100644 --- a//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md +++ b//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md @@ -97 +97,4 @@ The `Condition` section in this example limits the use of the AWS KMS key to the - "ArnLike": { + "StringEquals": { + "aws:SourceAccount": "Your_account_ID" + }, + "StringLike": { @@ -98,0 +102,3 @@ The `Condition` section in this example limits the use of the AWS KMS key to the + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" @@ -116 +122,4 @@ The `Condition` section in this example limits the use of the AWS KMS key to the - "ArnLike": { + "StringEquals": { + "aws:SourceAccount": "Your_account_ID" + }, + "StringLike": { @@ -117,0 +127,3 @@ The `Condition` section in this example limits the use of the AWS KMS key to the + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"