AWS AmazonCloudWatch documentation change
Summary
Documented policy update granting kms:GenerateDataKey/kms:Decrypt to AWSServiceRoleForLogDelivery for SSE-CMK support.
Security assessment
Change describes expanded encryption permissions for secure log delivery, but lacks evidence of patching security flaws.
Diff
diff --git a/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md b/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md index b867b9db0..ae0c35b38 100644 --- a//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md +++ b//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md @@ -12,0 +13 @@ Change| Description| Date +Updated AWSServiceRoleForLogDelivery service-linked role policy| CloudWatch Logs added `kms:GenerateDataKey` and `kms:Decrypt` permissions to the AWSServiceRoleForLogDelivery service-linked role policy. These permissions enable log delivery to Firehose delivery streams that use server-side encryption with customer managed keys (SSE-CMK). For more information, see [CloudWatch Logs updates to AWS service linked roles](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.html#cwl-slrpolicy-updates).| May 15, 2026