AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-02-25 · Documentation medium

File: AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.md

Summary

Expanded encryption documentation for log centralization, clarified KMS key management requirements, added details about data protection scenarios requiring KMS permissions, and restructured encryption options for centralized log groups.

Security assessment

The changes provide enhanced guidance on encryption during log centralization, KMS key tagging requirements (LogsManaged=true), and explicit permissions needed for customer-managed keys. While this improves security documentation, there is no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.md b/AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.md
index 26e1730c0..ae3099911 100644
--- a//AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.md
+++ b//AmazonCloudWatch/latest/logs/CloudWatchLogs_Centralization.md
@@ -11 +11 @@ Amazon CloudWatch Logs data centralization works with AWS Organizations to colle
-CloudWatch Logs data centralization offers configuration flexibility to meet operational and security requirements, such as the ability to configure a backup region during rule setup within the destination account to ensure increased resiliency. Additionally, you have full control over encryption behavior for log groups copied from source accounts to handle data originally encrypted with customer-managed KMS keys.
+CloudWatch Logs data centralization offers configuration flexibility to meet operational and security requirements, such as the ability to configure a backup region during rule setup within the destination account to ensure increased resiliency. Additionally, you have full control over encryption behavior for log groups copied from source accounts to handle data originally encrypted with customer managed KMS keys.
@@ -44 +44,18 @@ An optional secondary region within the destination account where log data can b
-Log group data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption with 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt log data at rest. As an alternative, you can use AWS Key Management Service for this encryption. If you do, the encryption is done using an either an AWS owned KMS key or a customer managed KMS key. KMS key Encryption using AWS KMS is enabled at the log group level, by associating a KMS key with a log group, either when you create the log group or after it exists. After you associate a KMS key with a log group, all newly ingested data for the log group is encrypted using this key. This data is stored in encrypted format throughout its retention period. CloudWatch Logs decrypts this data whenever it is requested. CloudWatch Logs must have permissions for the KMS key whenever encrypted data is requested, such as when a log centralization rule is run against a source account. If you are using customer managed KMS keys, update the KMS keys associated with the source and destination log groups with the tag `LogsManaged = true`. For more information, see [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the _AWS Key Management Service Developer Guide_
+Log group data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption with 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt log data at rest. As an alternative, you can use AWS Key Management Service for this encryption. For more information, see [CloudWatch Logs Encryption documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html). 
+
+  * **How encryption works during centralization** : CloudWatch Logs centralization actively copies log data at ingestion time from source accounts to destination accounts. During this process, your data remains encrypted in transit using an AWS owned service key. Data at rest in both source and destination log groups is encrypted using your chosen encryption method (customer managed or AWS owned KMS keys). If you are using customer managed KMS key in your destination log groups, add the tag `LogsManaged = true` to the kms key for Centralization service to access it.
+
+  * **When KMS permissions are required** : 
+
+    * If you are using customer managed KMS keys in your source accounts, CloudWatch Logs requires [KMS permissions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html#cmk-permissions-lg) in the following example scenarios: 
+
+      * **Throughput Management** : When centralization throughput limits are reached, log data is temporarily stored encrypted with your customer managed KMS key until bandwidth becomes available.
+
+      * **Data Protection and Redaction** : When source log groups have data protection policies enabled, CloudWatch Logs requires decrypt permissions to access raw log data to centralize it.
+
+
+
+
+###### Important
+
+Centralization rules are managed by the AWS Organizations management account or delegated administrator. To exclude customer managed KMS-encrypted log groups from centralization, configure the rule settings to "Do not centralize log groups encrypted with AWS KMS key."
@@ -135 +152 @@ Supported syntax for log group selection criteria:
-CloudWatch centralization rules will fail to deliver logs from the source account to the destination log groups if the KMS Key provided in the Centralization rule doesn't permit CloudWatch Logs to use it. For more information, see [Step 2: Set permissions on the KMS key](./CloudWatchLogs-Insights-Query-Encrypt.html#cmk-permissions).
+CloudWatch centralization rules will fail to deliver logs from the source account to the destination log groups if the KMS Key provided in the Centralization rule doesn't permit CloudWatch Logs to use it. If you are using customer managed KMS key in your destination log groups, add the tag LogsManaged = true to the kms key. For more information, see [Step 2: Set permissions on the KMS key](./CloudWatchLogs-Insights-Query-Encrypt.html#cmk-permissions).
@@ -139,3 +156 @@ Choose one of the following options:
-       * **Do not centralize log groups encrypted with Customer Managed KMS keys** : Skip centralization of log events from source log groups encrypted with Customer Managed KMS Keys.
-
-       * **Centralize log groups encrypted with Customer Managed KMS keys in destination account with an AWS Managed KMS key** : Centralize log events from source log groups encrypted with Customer Managed KMS Keys into destination log groups that are not associated with Customer Managed KMS Keys but instead use an AWS Managed KMS key. 
+       * **Centralize source log groups encrypted with customer managed KMS keys using a destination specific customer managed KMS key** : Centralize log events from source log groups encrypted with customer managed KMS keys into destination log groups encrypted with a customer managed KMS key in the destination account.
@@ -145 +160 @@ When this setting is selected, you must also set the following:
-         * **Destination encryption key ARN** : ARN of the KMS Key belonging to the destination account and the primary destination region, to be associated with newly created destination log groups.
+         * **Destination encryption key ARN** : ARN of the customer managed KMS key in the destination account and primary destination region, to be associated with newly created destination log groups. 
@@ -147 +162 @@ When this setting is selected, you must also set the following:
-         * **Backup destination encryption key ARN** (optional): ARN of the KMS Key belonging to the destination account and the backup destination region, to be associated with newly created destination log groups.
+         * **Backup destination encryption key ARN** (if backup region is selected): ARN of the customer managed KMS key in the destination account and backup destination region, to be associated with newly created destination log groups. 
@@ -149 +164,3 @@ When this setting is selected, you must also set the following:
-###### Note
+         * **Skip centralizing to unencrypted destination log groups** (optional): If a log group already exists without a customer managed KMS key, CloudWatch cannot update its encryption. Choose this option to skip centralization of log events from source log groups encrypted with customer managed KMS keys into destination log groups that are not associated with a customer managed KMS key.
+
+       * **Centralize log groups encrypted with customer managed KMS keys in destination account with AWS owned KMS key** : Centralize log events from source log groups encrypted with customer managed KMS keys into newly created destination log groups encrypted using an AWS owned KMS key.
@@ -151 +168 @@ When this setting is selected, you must also set the following:
-Note that this setting only applies when the source log group is encrypted using Customer Managed KMS Keys and only applies to newly created log groups in the destination account.
+       * **Do not centralize log groups encrypted with customer managed KMS keys** : Skip centralization of log events from source log groups encrypted with customer managed KMS keys.
@@ -309 +326 @@ Centralization rules will fail to deliver logs from the source account to the de
-**Customer Managed KMS keys configuration**
+**Customer Managed KMS key configuration**
@@ -312 +329 @@ Centralization rules will fail to deliver logs from the source account to the de
-If you selected **Do not centralize log groups encrypted with Customer Managed KMS keys** during rule creation, log events from source log groups encrypted with Customer Managed KMS keys will be skipped and not centralized.
+If you selected **Do not centralize log groups encrypted with Customer Managed KMS key** during rule creation, log events from source log groups encrypted with Customer Managed KMS key will be skipped and not centralized.