logs:DisassociateKmsKey

Write

logs:DisassociateKmsKey is a Write access-level action in the logs service. Grants permission to disassociate the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group

Resource types

ARNs that logs:DisassociateKmsKey can be scoped to in an IAM policy.

arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}
log-group

Condition keys

Keys you can use in the Condition block of a policy that grants logs:DisassociateKmsKey.

aws:ResourceTag/${TagKey} String

Filters access by the tags associated with the resource

Example IAM policy

A minimal policy that allows logs:DisassociateKmsKey. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLogsDisassociateKmsKey",
      "Effect": "Allow",
      "Action": "logs:DisassociateKmsKey",
      "Resource": "*"
    }
  ]
}

Related actions in logs

View all logs actions →