AWS AmazonCloudWatch documentation change
Summary
Documented new CloudWatchLogsAPIKeyAccess policy details for encrypted logs and API key auth
Security assessment
Describes security capabilities (encryption/auth) but no evidence of addressing a disclosed vulnerability. Enhances security posture without fixing existing issues.
Diff
diff --git a/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md b/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md index c643bb1fb..9a468bf17 100644 --- a//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md +++ b//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md @@ -235,0 +236,15 @@ To see the full contents of the policy, see [CloudWatchLogsCrossAccountSharingCo +#### CloudWatchLogsAPIKeyAccess + +The **CloudWatchLogsAPIKeyAccess** policy enables CloudWatch Logs API key authentication and encrypted log ingestion. This policy grants permissions to authenticate using bearer tokens and write log events to CloudWatch Logs, with additional AWS KMS permissions for decrypting and generating data keys when logs are encrypted. + +This policy grants the following permissions: + + * `logs` – Allows principals to authenticate via API key bearer tokens and write log events to CloudWatch Logs streams. + + * `kms` – Allows principals to read AWS KMS key metadata, generate data keys for encryption, and decrypt data. These permissions support encrypted CloudWatch Logs by allowing the service to encrypt log data using customer-managed AWS KMS keys. Access is restricted to operations called through the CloudWatch Logs service. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) in the _AWS Managed Policy Reference Guide_. + @@ -241,0 +257 @@ Change | Description | Date +CloudWatchLogsAPIKeyAccess – New policy. | CloudWatch Logs added a new managed policy **CloudWatchLogsAPIKeyAccess**. This policy enables CloudWatch Logs API key authentication and encrypted log ingestion, granting permissions to authenticate using bearer tokens and write log events to CloudWatch Logs. | February 17, 2026