AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-16 · Documentation low

File: AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md

Summary

Documented policy update granting kms:GenerateDataKey/kms:Decrypt to AWSServiceRoleForLogDelivery for SSE-CMK support.

Security assessment

Change describes expanded encryption permissions for secure log delivery, but lacks evidence of patching security flaws.

Diff

diff --git a/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md b/AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md
index b867b9db0..ae0c35b38 100644
--- a//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md
+++ b//AmazonCloudWatch/latest/logs/DocumentHistory_cwl.md
@@ -12,0 +13 @@ Change| Description| Date
+Updated AWSServiceRoleForLogDelivery service-linked role policy| CloudWatch Logs added `kms:GenerateDataKey` and `kms:Decrypt` permissions to the AWSServiceRoleForLogDelivery service-linked role policy. These permissions enable log delivery to Firehose delivery streams that use server-side encryption with customer managed keys (SSE-CMK). For more information, see [CloudWatch Logs updates to AWS service linked roles](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.html#cwl-slrpolicy-updates).| May 15, 2026