AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-03-19 · Documentation medium

File: AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md

Summary

Refined IAM policy actions for CloudWatchApplicationSignals role to specific API operations

Security assessment

Changed broad service-level permissions (e.g., 'xray') to specific actions (e.g., 'xray:GetServiceGraph'), demonstrating least-privilege security practices. While security-related, no evidence this addresses a specific vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
index ce0fcfcea..394cf2cab 100644
--- a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
+++ b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
@@ -202 +202 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached
-  * `xray` – Retrieve X-Ray traces.
+  * `xray:GetServiceGraph`
@@ -204 +204 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached
-  * `logs` – Retrieve the current CloudWatch logs information.
+  * `logs:StartQuery`
@@ -206 +206 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached
-  * `cloudwatch` – Retrieve the current CloudWatch metric information.
+  * `logs:GetQueryResults`
@@ -208 +208 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached
-  * `tags` – Retrieve the current tags.
+  * `cloudwatch:GetMetricData`
@@ -210 +210 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached
-  * `application-signals` – Retrieve information on SLOs and their associated time exclusion windows.
+  * `cloudwatch:ListMetrics`
@@ -212 +212 @@ The **AWSServiceRoleForCloudWatchApplicationSignals** has an IAM policy attached
-  * `autoscaling` – Retrieve application tags from Amazon EC2 Autoscaling group.
+  * `tag:GetResources`
@@ -294,31 +293,0 @@ The complete contents of **CloudWatchApplicationSignalsServiceRolePolicy** are a
-    		},
-    		{
-    			"Sid": "ApplicationSignalsPermission",
-    			"Effect": "Allow",
-    			"Action": [
-    				"application-signals:ListServiceLevelObjectiveExclusionWindows",
-    			    "application-signals:GetServiceLevelObjective"
-    			],
-    			"Resource": [
-    				"*"
-    			],
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "EC2AutoScalingPermission",
-    			"Effect": "Allow",
-    			"Action": [
-    				"autoscaling:DescribeAutoScalingGroups"
-    			],
-    			"Resource": [
-    				"*"
-    			],
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
@@ -554 +522,0 @@ Change | Description | Date
-AWSServiceRoleForCloudWatchApplicationSignals – Update to permissions of service-linked role policy |  Updated the [CloudWatchApplicationSignalsServiceRolePolicy](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.html#service-linked-role-signals) to exclude time windows from impacting the SLO attainment rate, error budget, and burn rate metrics. CloudWatch can retrieve exclusion windows on behalf of you. | March 13, 2025