aws-logs: KMS Policy Not Updated When Using KMS CMK

[joel-aws]

Describe the bug

From reading the docs, using a KMS CMK with a Log Group should involve just passing the key to the Log Group. However, when doing that alone, KMS lacks the required permission to interact with Logs.

Expected Behavior

For the LogGroup Construct to automatically set the required permissions to interact with KMS when a KMS CMK key is passed to it.

Current Behavior

12:58:26 PM | CREATE_FAILED        | AWS::Logs::LogGroup | logs00112233
Resource handler returned message: "The specified KMS key does not exist or is not allowed to be used with Arn 'arn:aws:logs:us-east-1:112233445566:log-group:PythonStack-logs00112233-AABBCCDDEEFF' (Service: CloudWatchLogs, Status Code: 400, Request <...>. HandlerErrorCode: GeneralServiceException)

Reproduction Steps

from aws_cdk import (
    Stack,
    aws_kms as kms,
    aws_logs as logs,
)
from constructs import Construct


class PythonStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        key = kms.Key(self, "key")

        log_group = logs.LogGroup(self, "logs", encryption_key=key)

Possible Solution

When passing a KMS CMK to a LogGroup, automatically grant the necessary permissions to the logs.amazonaws.com Service Principal.

Additional Information/Context

No response

CDK CLI Version

2.114.1

Framework Version

No response

Node.js Version

18.16.0

OS

Mac

Language

Python

Language Version

No response

Other information

No response

[khushail]

Thanks @joel-aws for reporting this. I am able to reproduce this.

[ronkoaveone]

Me too. Wow only hit on the entire internet for this log message. Thanks very much for the suggestion to grant Service principal logs.amazonaws.com, but I agree, this was not intuitive at all.

[ashishdhingra]

It's missing kmsKey.grantEncryptDecrypt(new iam.ServicePrincipal(logs.amazonaws.com)) after KMS key creation.