AWS AmazonCloudWatch documentation change
Summary
Updated KMS key policy examples with concrete account IDs, region specifications, and added separate policy statements for DescribeKey actions
Security assessment
Changes refine IAM policy examples by adding granular permissions and concrete values, improving security documentation but not addressing a specific vulnerability
Diff
diff --git a/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md b/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md index aa3702926..7e002320e 100644 --- a//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md +++ b//AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.md @@ -90,0 +91 @@ JSON + "Sid": "AllowCloudWatchLogsEncryption", @@ -93 +94 @@ JSON - "Service": "logs.REGION.amazonaws.com" + "Service": "logs.us-east-1.amazonaws.com" @@ -98,2 +99 @@ JSON - "kms:GenerateDataKey*", - "kms:DescribeKey" + "kms:GenerateDataKey*" @@ -104 +104 @@ JSON - "aws:SourceAccount": "Your_account_ID" + "aws:SourceAccount": "123456789012" @@ -107 +107 @@ JSON - "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" + "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:anomaly-detector:*" @@ -110 +110 @@ JSON - "aws:SourceArn": "arn:aws:logs:us-east-1:Your_account_ID:anomaly-detector:*" + "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:anomaly-detector:*" @@ -114,0 +115 @@ JSON + "Sid": "AllowCloudWatchLogsDescribeKey", @@ -117 +118,15 @@ JSON - "Service": "logs.REGION.amazonaws.com" + "Service": "logs.us-east-1.amazonaws.com" + }, + "Action": "kms:DescribeKey", + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + } + } + }, + { + "Sid": "AllowCloudWatchLogsReEncryption", + "Effect": "Allow", + "Principal": { + "Service": "logs.us-east-1.amazonaws.com" @@ -123,2 +138 @@ JSON - "kms:GenerateDataKey*", - "kms:DescribeKey" + "kms:GenerateDataKey*" @@ -129 +143 @@ JSON - "aws:SourceAccount": "Your_account_ID" + "aws:SourceAccount": "123456789012" @@ -132 +146 @@ JSON - "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*" + "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:anomaly-detector:*" @@ -135 +149,15 @@ JSON - "aws:SourceArn": "arn:aws:logs:us-east-1:Your_account_ID:anomaly-detector:*" + "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:anomaly-detector:*" + } + } + }, + { + "Sid": "AllowCloudWatchLogsDescribeKeyForReEncryption", + "Effect": "Allow", + "Principal": { + "Service": "logs.us-east-1.amazonaws.com" + }, + "Action": "kms:DescribeKey", + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012"