AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-16 · Documentation low

File: AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md

Summary

Added entry for KMS permission updates to AWSServiceRoleForLogDelivery policy enabling SSE-CMK support.

Security assessment

Documents enhanced encryption capabilities for security-sensitive log delivery, but doesn't indicate vulnerability remediation.

Diff

diff --git a/AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md b/AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md
index dd7961e3d..b2665bd77 100644
--- a//AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md
+++ b//AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md
@@ -12,0 +13 @@ Change | Description | Date
+[ AWSServiceRoleForLogDelivery service-linked role policy](./using-service-linked-roles-cwl.html#slr-permissions) – Update to an existing policy |  CloudWatch Logs added `kms:GenerateDataKey` and `kms:Decrypt` permissions to the IAM policy associated with the **AWSServiceRoleForLogDelivery** service-linked role. These permissions are scoped with the `kms:ViaService` condition key to only allow use through Firehose. This change enables CloudWatch Logs to deliver logs to Firehose delivery streams that use server-side encryption with customer managed keys (SSE-CMK). | May 15, 2026