AWS Security ChangesHomeSearch

AWS AmazonCloudWatch high security documentation change

Service: AmazonCloudWatch · 2025-07-18 · Security-related high

File: AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md

Summary

Modified KMS policy conditions by removing aws:SourceAccount/aws:SourceArn and adjusting kms:EncryptionContext conditions

Security assessment

Changes to IAM policy conditions for KMS key usage directly impact security controls. The removal of aws:SourceAccount and restructuring of encryption context conditions could affect the least-privilege scope of KMS key permissions.

Diff

diff --git a/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md b/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md
index 315c46aed..15219c360 100644
--- a//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md
+++ b//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md
@@ -97,6 +96,0 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
-            "StringEquals": {
-              "aws:SourceAccount": "Your_account_ID"
-            },
-            "StringLike": {
-              "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
-            },
@@ -104 +98 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
-              "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
+              "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
@@ -122,6 +115,0 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
-            "StringEquals": {
-              "aws:SourceAccount": "Your_account_ID"
-            },
-            "StringLike": {
-              "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
-            },
@@ -129 +117 @@ The `Condition` section in this example limits the use of the AWS KMS key to the
-              "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
+                    "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"