AWS AmazonCloudWatch documentation change
Summary
Refined IAM policy actions for CloudWatchApplicationSignals role to specific API operations
Security assessment
Changed broad service-level permissions (e.g., 'xray') to specific actions (e.g., 'xray:GetServiceGraph'), demonstrating least-privilege security practices. While security-related, no evidence this addresses a specific vulnerability.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md index ce0fcfcea..394cf2cab 100644 --- a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md +++ b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md @@ -202 +202 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached - * `xray` – Retrieve X-Ray traces. + * `xray:GetServiceGraph` @@ -204 +204 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached - * `logs` – Retrieve the current CloudWatch logs information. + * `logs:StartQuery` @@ -206 +206 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached - * `cloudwatch` – Retrieve the current CloudWatch metric information. + * `logs:GetQueryResults` @@ -208 +208 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached - * `tags` – Retrieve the current tags. + * `cloudwatch:GetMetricData` @@ -210 +210 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached - * `application-signals` – Retrieve information on SLOs and their associated time exclusion windows. + * `cloudwatch:ListMetrics` @@ -212 +212 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached - * `autoscaling` – Retrieve application tags from Amazon EC2 Autoscaling group. + * `tag:GetResources` @@ -294,31 +293,0 @@ The complete contents of **CloudWatchApplicationSignalsServiceRolePolicy** are a - }, - { - "Sid": "ApplicationSignalsPermission", - "Effect": "Allow", - "Action": [ - "application-signals:ListServiceLevelObjectiveExclusionWindows", - "application-signals:GetServiceLevelObjective" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "EC2AutoScalingPermission", - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } @@ -554 +522,0 @@ Change | Description | Date -AWSServiceRoleForCloudWatchApplicationSignals – Update to permissions of service-linked role policy | Updated the [CloudWatchApplicationSignalsServiceRolePolicy](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.html#service-linked-role-signals) to exclude time windows from impacting the SLO attainment rate, error budget, and burn rate metrics. CloudWatch can retrieve exclusion windows on behalf of you. | March 13, 2025