AWS Security ChangesHomeSearch

AWS amazon-mq medium security documentation change

Service: amazon-mq · 2025-07-16 · Security-related medium

File: amazon-mq/latest/developer-guide/data-protection.md

Summary

Updated KMS key management documentation and added CloudWatch logs encryption details

Security assessment

Clarifies encryption key management timelines and default CloudWatch encryption, directly addressing data protection mechanisms. Explains security controls for encrypted resources.

Diff

diff --git a/amazon-mq/latest/developer-guide/data-protection.md b/amazon-mq/latest/developer-guide/data-protection.md
index 6bb852858..83272bd4c 100644
--- a//amazon-mq/latest/developer-guide/data-protection.md
+++ b//amazon-mq/latest/developer-guide/data-protection.md
@@ -63 +63 @@ When creating a broker, you can configure what Amazon MQ uses for your encryptio
-  * Revoking a grant cannot be undone. Instead, we suggest deleting the broker if you need to revoke access rights.
+  * Revoking a grant cannot be undone. Delete the broker to revoke access rights.
@@ -65 +65 @@ When creating a broker, you can configure what Amazon MQ uses for your encryptio
-  * For **Amazon MQ for ActiveMQ** brokers that use Amazon Elastic File System (EFS) to store message data, if you revoke the grant that gives Amazon EFS permission to use the KMS keys in your account, it will not take place immediately. 
+  * For **Amazon MQ for ActiveMQ** brokers that use Amazon Elastic File System (EFS) to store message data, it may take several hours for permissions to use the KMS keys in your account to be revoked after taking the required actions.
@@ -71 +71,3 @@ When creating a broker, you can configure what Amazon MQ uses for your encryptio
-  * Deactivating a key or revoking a grant will not take place immediately.
+  * It may take serveral hours to deactivate a key or revoke a grant after taking the required actions.
+
+  * For encrypting or decrypting CloudWatch logs, you cannot configure what Amazon MQ uses for your encryption key. CloudWatch logs protects data at rest using encryption, and log groups are encrypted. The CloudWatch logs service manages the server-side encryption by defauly. For more information on how log groups are encrypted, see the _[Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/data-protection.html#encryption-rest)_.