AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-16 · Documentation low

File: AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md

Summary

Updated service-linked role policy details: added kms:GenerateDataKey/kms:Decrypt permissions with firehose constraints for SSE-CMK support.

Security assessment

Expands documentation for encryption-related permissions in security-sensitive log delivery workflows, without evidence of security vulnerability fixes.

Diff

diff --git a/AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md b/AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md
index 5783cdbea..6de95429f 100644
--- a//AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md
+++ b//AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md
@@ -28 +28 @@ The **AWSServiceRoleForLogDelivery** service-linked role trusts the following se
-The role permissions policy allows CloudWatch Logs to complete the following actions on the specified resources:
+The role permissions policy, **AWSServiceRoleForLogDeliveryPolicy** , allows CloudWatch Logs to complete the following actions on the specified resources. For the full JSON policy document, see [AWSServiceRoleForLogDeliveryPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForLogDeliveryPolicy.html) in the _AWS Managed Policy Reference Guide_.
@@ -30 +30,3 @@ The role permissions policy allows CloudWatch Logs to complete the following act
-  * Action: `firehose:PutRecord` and `firehose:PutRecordBatch` on all Firehose streams that have a tag with a `LogDeliveryEnabled` key with a value of `True`. This tag is automatically attached to an Firehose stream when you create a subscription to deliver the logs to Firehose.
+  * Action: `firehose:PutRecord`, `firehose:PutRecordBatch`, and `firehose:ListTagsForDeliveryStream` on all Firehose delivery streams that have a tag with a `LogDeliveryEnabled` key with a value of `true`. This tag is automatically attached to an Firehose delivery stream when you create a subscription to deliver the logs to Firehose.
+
+  * Action: `kms:GenerateDataKey` and `kms:Decrypt` on all AWS KMS keys, but only when the request is made through Firehose (enforced by the `kms:ViaService` condition key set to `firehose.*.amazonaws.com`). These permissions allow CloudWatch Logs to deliver logs to Firehose delivery streams that use server-side encryption with customer managed keys (SSE-CMK). The customer's AWS KMS key policy must also independently grant access to the service-linked role.