Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

KmsKeyId not valid property for AWS::Logs::LogGroup

See original GitHub issue

cfn-lint version: (cfn-lint --version) 0.39.0 Description of issue.

  CloudWatchKMS:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow Cloudwatch Access
            Effect: Allow
            Principal:
              Service: logs.region.amazonaws.com
            Action:
              - kms:Encrypt*
              - kms:Decrypt*
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:Describe*
            Resource: '*'
  MessagesLogCWGroup:
    Type: AWS::Logs::LogGroup
    Properties: 
      KmsKeyId: !GetAtt CloudWatchKMS.Arn
      LogGroupName: messages
      RetentionInDays: 30

E3002 Invalid Property Resources/MessagesLogCWGroup/Properties/KmsKeyId template.yaml:627:7

Issue Analytics

State:
Created 3 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

kddejongcommented, Nov 3, 2020

Just run cfn-lint --update-specs and then run cfn-lint --template template.yaml --regions us-gov-west-1

0reactions

vennempcommented, Nov 4, 2020

Thank you. I appreciate you following up.

Top Results From Across the Web

AWS::KMS::Key - AWS CloudFormation - AWS Documentation

This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. For symmetric encryption...