AWS Security ChangesHomeSearch

AWS AmazonCloudWatch high security documentation change

Service: AmazonCloudWatch · 2025-08-28 · Security-related high

File: AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md

Summary

Removed a KMS key policy example for log delivery

Security assessment

The deleted KMS policy example controlled encryption for log delivery. Its removal likely prevents insecure configurations where the policy might have allowed excessive permissions (e.g., missing source account/ARN restrictions) for log delivery services.

Diff

diff --git a/AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md b/AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md
index 26ec4fdb3..c90bfa7fc 100644
--- a//AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md
+++ b//AmazonCloudWatch/latest/logs/vended-logs-crossaccount-example.md
@@ -135,37 +134,0 @@ If the bucket is encrypted with SSE-KMS, ensure the AWS KMS key policy has the a
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "AllowLogsGenerateDataKey",
-                "Effect": "Allow",
-                "Principal": {
-                    "Service": "delivery.logs.amazonaws.com"
-                },
-                "Action": [
-                    "kms:GenerateDataKey"
-                ],
-                "Resource": "arn:aws:kms:us-east-1:BBBBBBBBBBBB:key/X",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:SourceAccount": [
-                            "AAAAAAAAAAAA"
-                        ]
-                    },
-                    "ArnLike": {
-                        "aws:SourceArn": [
-                            "arn:aws:logs:us-east-1:AAAAAAAAAAAA:delivery-source:my-delivery-source"
-                        ]
-                    }
-                }
-            }
-        ]
-    }
-    
-