added physicalName in key policy

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json

@@ -37,7 +37,7 @@
         "kms:ReEncrypt*"
        ],
        "Condition": {
-        "ArnLike": {
+        "ArnEquals": {
          "kms:EncryptionContext:aws:logs:arn": {
           "Fn::Join": [
            "",
@@ -54,7 +54,7 @@
             {
              "Ref": "AWS::AccountId"
             },
-            ":*"
+            ":log-group:aws-cdk-log-group-encrypted-integLogGroupDECB5FC9"
            ]
           ]
          }
@@ -87,6 +87,7 @@
   "LogGroupF5B46931": {
    "Type": "AWS::Logs::LogGroup",
    "Properties": {
+    "LogGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9",
     "KmsKeyId": {
      "Fn::GetAtt": [
       "Key961B73FD",

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json

@@ -3,6 +3,7 @@
   "LogGroupLambdaAuditF8F47F46": {
    "Type": "AWS::Logs::LogGroup",
    "Properties": {
+    "LogGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176",
     "RetentionInDays": 731
    },
    "UpdateReplacePolicy": "Retain",
@@ -16,6 +17,7 @@
   "LogGroupLambdaAC756C5B": {
    "Type": "AWS::Logs::LogGroup",
    "Properties": {
+    "LogGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D",
     "DataProtectionPolicy": {
      "name": "policy-name",
      "description": "policy description",

packages/aws-cdk-lib/aws-logs/lib/log-group.ts

@@ -9,7 +9,7 @@ import { ILogSubscriptionDestination, SubscriptionFilter } from './subscription-
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
-import { Annotations, Arn, ArnFormat, RemovalPolicy, Resource, Stack, Token } from '../../core';
+import { Annotations, Arn, ArnFormat, Lazy, Names, RemovalPolicy, Resource, Stack, Token } from '../../core';
 
 export interface ILogGroup extends iam.IResourceWithPolicy {
   /**
@@ -491,7 +491,9 @@ export class LogGroup extends LogGroupBase {
 
   constructor(scope: Construct, id: string, props: LogGroupProps = {}) {
     super(scope, id, {
-      physicalName: props.logGroupName,
+      physicalName: props.logGroupName ?? Lazy.string({
+        produce: () => Names.uniqueResourceName(this, { maxLength: 512, allowedSpecialCharacters: '-_' }),
+      }),
     });
 
     let retentionInDays = props.retention;
@@ -547,8 +549,8 @@ export class LogGroup extends LogGroupBase {
         ],
         resources: ['*'],
         conditions: {
-          ArnLike: {
-            'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*`,
+          ArnEquals: {
+            'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${this.physicalName}`,
           },
         },
       }));

packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts

@@ -71,7 +71,7 @@ describe('log group', () => {
             },
           },
           Condition: {
-            ArnLike: {
+            ArnEquals: {
               'kms:EncryptionContext:aws:logs:arn': {
                 'Fn::Join': [
                   '',
@@ -88,7 +88,7 @@ describe('log group', () => {
                     {
                       Ref: 'AWS::AccountId',
                     },
-                    ':*',
+                    ':log-group:LogGroup',
                   ],
                 ],
               },