AWS AmazonCloudWatch high security documentation change
Summary
Modified KMS policy conditions by removing aws:SourceAccount/aws:SourceArn and adjusting kms:EncryptionContext conditions
Security assessment
Changes to IAM policy conditions for KMS key usage directly impact security controls. The removal of aws:SourceAccount and restructuring of encryption context conditions could affect the least-privilege scope of KMS key permissions.
Diff
diff --git a/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md b/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md index 315c46aed..15219c360 100644 --- a//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md +++ b//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md @@ -97,6 +96,0 @@ The `Condition` section in this example limits the use of the AWS KMS key to the - "StringEquals": { - "aws:SourceAccount": "Your_account_ID" - }, - "StringLike": { - "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" - }, @@ -104 +98 @@ The `Condition` section in this example limits the use of the AWS KMS key to the - "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" + "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" @@ -122,6 +115,0 @@ The `Condition` section in this example limits the use of the AWS KMS key to the - "StringEquals": { - "aws:SourceAccount": "Your_account_ID" - }, - "StringLike": { - "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" - }, @@ -129 +117 @@ The `Condition` section in this example limits the use of the AWS KMS key to the - "aws:SourceArn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" + "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"