CloudWatch Logs KMS Policies

Granting encrypt and decrypt permissions to CloudWatch Logs

{
    "Effect": "Allow",
    "Principal": {
        "Service": "logs.<region code>.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*",
    "Condition": {
        "ArnEquals": {
            "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:<region code>:<account id>:log-group:<log group name>"
        }
    }
}

You can use arn:aws:logs:<region code>:<account id>:log-group:* in the Condition to allow every log group in that account and region to use the key, instead of naming a single log group.
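The following is an added example, not from the page or from AWS documentation. It builds the statement above for a given region and account (in the single-log-group form or the log-group:* form) and audits a key policy for the point the Condition exists to enforce: the logs service principal is shared by every AWS account in a region, so a statement that grants it KMS permissions without the kms:EncryptionContext:aws:logs:arn condition, or with an ARN that names a different account or region, lets log groups outside your account use the key. The account id, log group name and policies in the block are constructed placeholders.

```python
import json
import re

# The KMS actions CloudWatch Logs needs on the key (as listed on the page).
LOGS_KMS_ACTIONS = [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*",
]

_LOGS_PRINCIPAL = re.compile(r"logs\.([a-z0-9-]+)\.amazonaws\.com")


def logs_kms_statement(region, account_id, log_group="*"):
    """Build the key-policy statement from the page for one region/account.

    log_group="*" yields the arn:aws:logs:<region>:<account>:log-group:* form
    that the page says may be used in the Condition to cover every log group.
    """
    arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": list(LOGS_KMS_ACTIONS),
        "Resource": "*",
        "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn": arn}},
    }


def _logs_principal_region(principal):
    """Return the region of a logs.<region>.amazonaws.com principal, else None."""
    services = principal.get("Service") if isinstance(principal, dict) else None
    if isinstance(services, str):
        services = [services]
    for svc in services or []:
        match = _LOGS_PRINCIPAL.fullmatch(svc)
        if match:
            return match.group(1)
    return None


def audit_logs_statements(policy, expected_account):
    """Return findings for Allow statements granting the CloudWatch Logs principal.

    A statement is flagged when it lacks the encryption-context condition or
    when the conditioned log-group ARN points at another account or region.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        region = _logs_principal_region(stmt.get("Principal", {}))
        if region is None:
            continue  # not a CloudWatch Logs service-principal grant
        cond = stmt.get("Condition") or {}
        ctx = None
        for operator in ("ArnEquals", "ArnLike"):  # both accept ARN patterns
            ctx = (cond.get(operator) or {}).get("kms:EncryptionContext:aws:logs:arn")
            if ctx:
                break
        if not ctx:
            findings.append(
                f"statement {idx}: logs.{region} principal granted without "
                "kms:EncryptionContext:aws:logs:arn condition; log groups in any "
                "account in that region could use this key"
            )
            continue
        for arn in ctx if isinstance(ctx, list) else [ctx]:
            # arn:aws:logs:<region>:<account>:log-group:<name>; names contain no ':'
            parts = arn.split(":", 6)
            if len(parts) < 7 or parts[2] != "logs" or parts[5] != "log-group":
                findings.append(f"statement {idx}: unexpected condition ARN {arn}")
                continue
            if parts[3] != region:
                findings.append(f"statement {idx}: ARN region {parts[3]} != principal region {region}")
            if parts[4] != expected_account:
                findings.append(f"statement {idx}: ARN account {parts[4]} != expected {expected_account}")
    return findings


# Constructed sample key policies (placeholder account id, not from the page).
ACCOUNT = "111122223333"
ADMIN_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "kms:*",
    "Resource": "*",
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [ADMIN_STATEMENT, logs_kms_statement("us-east-1", ACCOUNT, "my-app-logs")],
}
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [ADMIN_STATEMENT, {**logs_kms_statement("us-east-1", ACCOUNT), "Condition": {}}],
}

if __name__ == "__main__":
    print(json.dumps(logs_kms_statement("us-east-1", ACCOUNT), indent=4))
    print("scoped:", audit_logs_statements(SCOPED_POLICY, ACCOUNT))
    print("unscoped:", audit_logs_statements(UNSCOPED_POLICY, ACCOUNT))
```

The audit accepts either ArnEquals or ArnLike, since AWS treats the two operators identically for ARN matching, and it only inspects statements whose principal is a logs.<region>.amazonaws.com service principal; the account's own IAM statements are left alone.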

AWS Documentation