AWS AmazonCloudWatch documentation change
Summary
Updated service-linked role policy details: added kms:GenerateDataKey/kms:Decrypt permissions with firehose constraints for SSE-CMK support.
Security assessment
Expands documentation for encryption-related permissions in security-sensitive log delivery workflows, without evidence of security vulnerability fixes.
Diff
diff --git a/AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md b/AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md index 5783cdbea..6de95429f 100644 --- a//AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md +++ b//AmazonCloudWatch/latest/logs/using-service-linked-roles-cwl.md @@ -28 +28 @@ The **AWSServiceRoleForLogDelivery** service-linked role trusts the following se -The role permissions policy allows CloudWatch Logs to complete the following actions on the specified resources: +The role permissions policy, **AWSServiceRoleForLogDeliveryPolicy** , allows CloudWatch Logs to complete the following actions on the specified resources. For the full JSON policy document, see [AWSServiceRoleForLogDeliveryPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForLogDeliveryPolicy.html) in the _AWS Managed Policy Reference Guide_. @@ -30 +30,3 @@ The role permissions policy allows CloudWatch Logs to complete the following act - * Action: `firehose:PutRecord` and `firehose:PutRecordBatch` on all Firehose streams that have a tag with a `LogDeliveryEnabled` key with a value of `True`. This tag is automatically attached to an Firehose stream when you create a subscription to deliver the logs to Firehose. + * Action: `firehose:PutRecord`, `firehose:PutRecordBatch`, and `firehose:ListTagsForDeliveryStream` on all Firehose delivery streams that have a tag with a `LogDeliveryEnabled` key with a value of `true`. This tag is automatically attached to an Firehose delivery stream when you create a subscription to deliver the logs to Firehose. + + * Action: `kms:GenerateDataKey` and `kms:Decrypt` on all AWS KMS keys, but only when the request is made through Firehose (enforced by the `kms:ViaService` condition key set to `firehose.*.amazonaws.com`). These permissions allow CloudWatch Logs to deliver logs to Firehose delivery streams that use server-side encryption with customer managed keys (SSE-CMK). The customer's AWS KMS key policy must also independently grant access to the service-linked role.