AWS AmazonCloudWatch high security documentation change
Summary
Removed a KMS key policy example for log delivery
Security assessment
The deleted KMS policy example controlled encryption for log delivery. Its removal likely prevents insecure configurations where the policy might have allowed excessive permissions (e.g., missing source account/ARN restrictions) for log delivery services.
Diff
diff --git a/AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md b/AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md index 26ec4fdb3..c90bfa7fc 100644 --- a//AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md +++ b//AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md @@ -135,37 +134,0 @@ If the bucket is encrypted with SSE-KMS, ensure the AWS KMS key policy has the a -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowLogsGenerateDataKey", - "Effect": "Allow", - "Principal": { - "Service": "delivery.logs.amazonaws.com" - }, - "Action": [ - "kms:GenerateDataKey" - ], - "Resource": "arn:aws:kms:us-east-1:BBBBBBBBBBBB:key/X", - "Condition": { - "StringEquals": { - "aws:SourceAccount": [ - "AAAAAAAAAAAA" - ] - }, - "ArnLike": { - "aws:SourceArn": [ - "arn:aws:logs:us-east-1:AAAAAAAAAAAA:delivery-source:my-delivery-source" - ] - } - } - } - ] - } - -