AWS AmazonCloudWatch documentation change
Summary
Added entry for KMS permission updates to AWSServiceRoleForLogDelivery policy enabling SSE-CMK support.
Security assessment
Documents enhanced encryption capabilities for security-sensitive log delivery, but doesn't indicate vulnerability remediation.
Diff
diff --git a/AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md b/AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md index dd7961e3d..b2665bd77 100644 --- a//AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md +++ b//AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.md @@ -12,0 +13 @@ Change | Description | Date +[ AWSServiceRoleForLogDelivery service-linked role policy](./using-service-linked-roles-cwl.html#slr-permissions) – Update to an existing policy | CloudWatch Logs added `kms:GenerateDataKey` and `kms:Decrypt` permissions to the IAM policy associated with the **AWSServiceRoleForLogDelivery** service-linked role. These permissions are scoped with the `kms:ViaService` condition key to only allow use through Firehose. This change enables CloudWatch Logs to deliver logs to Firehose delivery streams that use server-side encryption with customer managed keys (SSE-CMK). | May 15, 2026