AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2025-07-16 · Security-related medium

File: AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md

Summary

Updated IAM policy conditions for KMS key usage to use StringEquals for account ID and StringLike/ArnLike for ARN patterns

Security assessment

The change strengthens IAM policy conditions by explicitly validating source account ID and narrowing ARN patterns. This prevents potential privilege escalation by ensuring KMS keys are only used by authorized CloudWatch Logs anomaly detector resources in specific accounts.

Diff

diff --git a/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md b/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md
index 15219c360..315c46aed 100644
--- a//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md
+++ b//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md
@@ -97 +97,4 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
-            "ArnLike": {
+            "StringEquals": {
+              "aws:SourceAccount": "Your_account_ID"
+            },
+            "StringLike": {
@@ -98,0 +102,3 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
+            },
+            "ArnLike": {
+              "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
@@ -116 +122,4 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
-                "ArnLike": {
+            "StringEquals": {
+              "aws:SourceAccount": "Your_account_ID"
+            },
+            "StringLike": {
@@ -117,0 +127,3 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
+            },
+            "ArnLike": {
+              "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"