AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-06-25 · Documentation low

File: AmazonCloudWatch/latest/monitoring/Investigations-GetStarted.md

Summary

Rebranded 'Amazon Q Developer operational investigations' to 'CloudWatch investigations', removed preview region list, simplified setup steps, removed third-party ticketing integration details, and updated IAM policy references.

Security assessment

The changes primarily involve rebranding and procedural simplifications. While encryption and IAM permissions are mentioned, these are existing security features with updated naming rather than new security documentation. Removal of third-party ticketing integration steps (which involved Secrets Manager) could reduce attack surface but lacks explicit evidence of addressing a specific vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-GetStarted.md b/AmazonCloudWatch/latest/monitoring/Investigations-GetStarted.md
index 1a6a57746..d70f45aa7 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-GetStarted.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-GetStarted.md
@@ -9,32 +9 @@ See a sample investigationSet up operational investigations
-###### Note
-
-The Amazon Q Developer operational investigations feature is in preview release and is subject to change. It is currently available in the following Regions:
-
-  * US East (N. Virginia)
-
-  * US East (Ohio)
-
-  * US West (Oregon)
-
-  * Asia Pacific (Hong Kong)
-
-  * Asia Pacific (Mumbai)
-
-  * Asia Pacific (Singapore)
-
-  * Asia Pacific (Sydney)
-
-  * Asia Pacific (Tokyo)
-
-  * Europe (Frankfurt)
-
-  * Europe (Ireland)
-
-  * Europe (Spain)
-
-  * Europe (Stockholm)
-
-
-
-
-To set up Amazon Q Developer operational investigations, you create an investigation group. You can also see a sample investigation to get an overall idea of how they work.
+To set up CloudWatch investigations, you create an investigation group. You can also see a sample investigation to get an overall idea of how they work.
@@ -53 +22 @@ To set up Amazon Q Developer operational investigations, you create an investiga
-If you'd like to see the Amazon Q Developer operational investigations feature in action before you configure it for your account, you can walk through a sample investigation. The sample investigation doesn't use your data and doesn't make data calls or start API operations in your account.
+If you'd like to see the CloudWatch investigations feature in action before you configure it for your account, you can walk through a sample investigation. The sample investigation doesn't use your data and doesn't make data calls or start API operations in your account.
@@ -70 +39 @@ The console displays the sample investigation, with suggestions and findings in
-To set up Amazon Q Developer operational investigations in your account, you create an _investigation group_. Creating an investigation group is a one-time setup task. Settings in the investigation group help you centrally manage the common properties of your investigations, such as the following:
+To set up CloudWatch investigations in your account, you create an _investigation group_. Creating an investigation group is a one-time setup task. Settings in the investigation group help you centrally manage the common properties of your investigations, such as the following:
@@ -83 +52 @@ Currently, you can have one investigation group per account. Each investigation
-To create an investigation group and set up Amazon Q Developer operational investigations, you must be signed in to an IAM principal that has the either the **AIOpsConsoleAdminPolicy** or the **AdministratorAccess** IAM policy attached, or to an account that has similar permissions.
+To create an investigation group and set up CloudWatch investigations, you must be signed in to an IAM principal that has the either the **AIOpsConsoleAdminPolicy** or the **AdministratorAccess** IAM policy attached, or to an account that has similar permissions.
@@ -87 +56 @@ To create an investigation group and set up Amazon Q Developer operational inves
-To be able to choose the recommended option of creating a new IAM role for Amazon Q Developer operational investigations, you must be signed in to an IAM principal that has the `iam:CreateRole`, `iam:AttachRolePolicy`, and `iam:PutRolePolicy` permissions.
+To be able to choose the recommended option of creating a new IAM role for CloudWatch investigations operational investigations, you must be signed in to an IAM principal that has the `iam:CreateRole`, `iam:AttachRolePolicy`, and `iam:PutRolePolicy` permissions.
@@ -91 +60 @@ To be able to choose the recommended option of creating a new IAM role for Amazo
-Amazon Q Developer operational investigations uses _cross-Region inference_ to distribute traffic across different AWS Regions. For more information, see [Cross-Region inference](./Investigations-Security.html#cross-region-inference).
+CloudWatch investigations uses _cross-Region inference_ to distribute traffic across different AWS Regions. For more information, see [Cross-Region inference](./Investigations-Security.html#cross-region-inference).
@@ -93 +62 @@ Amazon Q Developer operational investigations uses _cross-Region inference_ to d
-###### To create an investigation group and enable Amazon Q Developer operational investigations in your account
+###### To create an investigation group and enable CloudWatch investigations in your account
@@ -97 +66 @@ Amazon Q Developer operational investigations uses _cross-Region inference_ to d
-  2. In the left navigation pane, choose **AI Operations** , **Investigations**.
+  2. In the left navigation pane, choose **AI Operations** , **Configuration**.
@@ -101,3 +70 @@ Amazon Q Developer operational investigations uses _cross-Region inference_ to d
-  4. Enter a name for the investigation group.
-
-  5. Optionally change the retention period for investigations. For more information about what the retention period governs, see [Operational investigation data retention](./Investigations-Retention.html).
+  4. Optionally change the retention period for investigations. For more information about what the retention period governs, see [CloudWatch investigations data retention](./Investigations-Retention.html).
@@ -105 +72 @@ Amazon Q Developer operational investigations uses _cross-Region inference_ to d
-  6. (Optional) To encrypt your investigation data with a customer managed AWS KMS key, choose **Customize encryption settings** and follow the steps to create or specify a key to use. If you don't specify a customer managed key, Amazon Q Developer operational investigations uses an AWS owned key for encryption. For more information, see [Encryption of investigation data](./Investigations-Security.html#Investigations-KMS). 
+  5. (Optional) To encrypt your investigation data with a customer managed AWS KMS key, choose **Customize encryption settings** and follow the steps to create or specify a key to use. If you don't specify a customer managed key, CloudWatch investigations uses an AWS owned key for encryption. For more information, see [Encryption of investigation data](./Investigations-Security.html#Investigations-KMS). 
@@ -107 +74 @@ Amazon Q Developer operational investigations uses _cross-Region inference_ to d
-  7. If you haven't already done so, use the IAM console to provision access for your users to be able to see and manage investigations. We provide IAM roles for administrators, operators, and viewers. For more information, see [User permissions](./Investigations-Security.html#Investigations-Security-IAM).
+  6. If you haven't already done so, use the IAM console to provision access for your users to be able to see and manage investigations. We provide IAM roles for administrators, operators, and viewers. For more information, see [User permissions](./Investigations-Security.html#Investigations-Security-IAM).
@@ -109,3 +76 @@ Amazon Q Developer operational investigations uses _cross-Region inference_ to d
-  8. (Optional) In the US East (N. Virginia) Region, you can have investigations attribute investigation actions such as adding a suggestion to the **Feed** to individual users. You do this by integrating Amazon Q Developer operational investigations with IAM Identity Center. To do so, validate that you meet the pre-requisites and then choose to allow the creation of a managed IAM Identity Center application for Amazon Q Developer operational investigations. For more information about the pre-requisites, see [AWS IAM Identity Center](./Investigations-Integrations.html#Investigations-Integrations-IDC).
-
-  9. For **Amazon Q Developer permissions** , choose one of the following. For more information about these options, see [How to control what data Amazon Q Developer has access to during investigations](./Investigations-Security.html#Investigations-Security-Data).
+  7. For **Amazon AI Operations Developer permissions** , choose one of the following. For more information about these options, see [How to control what data CloudWatch investigations has access to during investigations](./Investigations-Security.html#Investigations-Security-Data).
@@ -115 +80 @@ To be able to choose either of the first two options, you must be signed in to a
-     * The recommended option is to choose **Auto-create a new role with default investigation permissions**. If you choose this option, the assistant is granted the **AIOpsAssistantPolicy** IAM policy. For more information about the contents of this policy, see [IAM policy for Amazon Q Developer operational investigations (AIOpsAssistantPolicy)](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant).
+     * The recommended option is to choose **Auto-create a new role with default investigation permissions**. If you choose this option, the assistant is granted the **AIOpsAssistantPolicy** IAM policy. For more information about the contents of this policy, see [IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant).
@@ -117 +82 @@ To be able to choose either of the first two options, you must be signed in to a
-     * Choose **Create a new role from AWS policy templates** to customize the permissions that Amazon Q Developer will have during investigations. If you choose this option, you must be sure to scope down the policy to only the permissions that you want Amazon Q Developer to have during investigations.
+     * Choose **Create a new role from AWS policy templates** to customize the permissions that CloudWatch investigations will have during investigations. If you choose this option, you must be sure to scope down the policy to only the permissions that you want CloudWatch investigations to have during investigations.
@@ -146,5 +111 @@ We also recommend that you include a `Condition` section with the account number
-  10. (Optional) For **Enhanced integrations** , choose to allow Amazon Q Developer access to additional services in your system, to enable it to gather more data and be more useful.
-
-    1. In the **Tags for application boundary detection** section, enter the existing custom tag keys for custom applications in your system. Resource tags help Amazon Q Developer narrow the search space when it is unable to discover definite relationships between resources. For example, to discover that an Amazon ECS service depends on an Amazon RDS database, Amazon Q Developer can discover this relationship using data sources such as X-Ray and CloudWatch Application Signals. However, if you haven't deployed these features, Amazon Q Developer will attempt to identify possible relationships. Tag boundaries can be used to narrow the resources that will be discovered by Amazon Q Developer in these cases.
-
-You don't need to enter tags created by myApplications or AWS CloudFormation, because Amazon Q Developer can automatically detect those tags.
+  8. Choose **Create Investigation group** , you can now create an investigation from an Alarm, metric, or log insight.
@@ -152 +113 @@ You don't need to enter tags created by myApplications or AWS CloudFormation, be
-    2. CloudTrail records events about changes in your system including deployment events. These events can often be useful to Amazon Q Developer to create hypotheses about root causes of issues in your system. In the **CloudTrail for change event detection** section, you can do one or both of the following.
+  9. Choose **Complete setup**.
@@ -154 +114,0 @@ You don't need to enter tags created by myApplications or AWS CloudFormation, be
-       * Give Amazon Q Developer some access to the events logged by AWS CloudTrail by enabling **Allow the assistant access to CloudTrail change events through the CloudTrail Event history**. For more information, see [Working with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
@@ -156 +115,0 @@ You don't need to enter tags created by myApplications or AWS CloudFormation, be
-       * Give Amazon Q Developer access to additional CloudTrail data by entering one or more CloudTrail trails, which are records of activities within your AWS account. This is supported only for trails that are sent to log groups in CloudWatch Logs. For more information about trails see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html).
@@ -158 +116,0 @@ You don't need to enter tags created by myApplications or AWS CloudFormation, be
-    3. The **X-Ray for topology mapping** and **Application Signals for health assessment** sections point out other AWS services that can help Amazon Q Developer find information. If you have deployed them and you have granted the **AIOpsAssistantPolicy** IAM policy to Amazon Q Developer, it will be able to access X-Ray and Application Signals telemetry.
@@ -160 +118 @@ You don't need to enter tags created by myApplications or AWS CloudFormation, be
-For more information about how these services help Amazon Q Developer, see [X-Ray](./Investigations-RecommendedServices.html#Investigations-Xray) and [CloudWatch Application Signals](./Investigations-RecommendedServices.html#Investigations-ApplicationSignals)
+Optionally, you can setup additional recommended configurations to enhance your experience.
@@ -162 +120 @@ For more information about how these services help Amazon Q Developer, see [X-Ra
-  11. (Optional) If you are in the US East (N. Virginia) Region, you can integrate Amazon Q Developer operational investigations with a third-party ticketing system. Integrating with a ticketing tool enables Amazon Q Developer to send information about an investigation to that ticketing tool. This feature is available only in US East (N. Virginia).
+  1. In the left navigation pane, choose **AI Operations, Configuration**.
@@ -164,3 +122 @@ For more information about how these services help Amazon Q Developer, see [X-Ra
-###### Important
-
-When you create an integration with a third-party ticketing system, the system creates a secret in AWS Secrets Manager. This secret contains your basic authentication credentials for the third-party tool and is used to connect your AWS account to that tool. If you delete the integration, the secret that contains your authentication credentials is also deleted.
+  2. For **Enhanced integrations** , choose to allow CloudWatch investigations access to additional services in your system, to enable it to gather more data and be more useful.
@@ -168 +124 @@ When you create an integration with a third-party ticketing system, the system c
-To integrate Amazon Q Developer operational investigations with a third-party ticketing tool, do the following in the **Third-party integrations** area:
+    1. In the **Tags for application boundary detection** section, enter the existing custom tag keys for custom applications in your system. Resource tags help CloudWatch investigations narrow the search space when it is unable to discover definite relationships between resources. For example, to discover that an Amazon ECS service depends on an Amazon RDS database, CloudWatch investigations can discover this relationship using data sources such as X-Ray and CloudWatch Application Signals. However, if you haven't deployed these features, CloudWatch investigations will attempt to identify possible relationships. Tag boundaries can be used to narrow the resources that will be discovered by CloudWatch investigations in these cases.
@@ -170 +126 @@ To integrate Amazon Q Developer operational investigations with a third-party ti
-    1. Choose **Add integration**.
+You don't need to enter tags created by myApplications or AWS CloudFormation, because CloudWatch investigations can automatically detect those tags.
@@ -172 +128 @@ To integrate Amazon Q Developer operational investigations with a third-party ti
-    2. In the **Add integration** dialog box, do the following:
+    2. CloudTrail records events about changes in your system including deployment events. These events can often be useful to CloudWatch investigations to create hypotheses about root causes of issues in your system. In the **CloudTrail for change event detection** section, you can give CloudWatch investigations some access to the events logged by AWS CloudTrail by enabling **Allow the assistant access to CloudTrail change events through the CloudTrail Event history**. For more information, see [Working with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
@@ -174 +130 @@ To integrate Amazon Q Developer operational investigations with a third-party ti
-      1. For **Name** , enter a name to identify this integration in your investigations.
+    3. The **X-Ray for topology mapping** and **Application Signals for health assessment** sections point out other AWS services that can help CloudWatch investigations find information. If you have deployed them and you have granted the **AIOpsAssistantPolicy** IAM policy to CloudWatch investigations, it will be able to access X-Ray and Application Signals telemetry.
@@ -176 +132 @@ To integrate Amazon Q Developer operational investigations with a third-party ti
-      2. For **Instance type** , choose from the available third-party tools, such as Jira or ServiceNow.
+For more information about how these services help CloudWatch investigations, see [X-Ray](./Investigations-RecommendedServices.html#Investigations-Xray) and [CloudWatch Application Signals](./Investigations-RecommendedServices.html#Investigations-ApplicationSignals)
@@ -178,41 +134 @@ To integrate Amazon Q Developer operational investigations with a third-party ti
-###### Note
-
-Integration with Jira is supported only for Jira Cloud.
-
-      3. Provide the additional information required to integrate with your selected tool:
-
-Jira
-    
-
-         * **Username** – A valid email address with access to the project being onboarded.
-
-         * **Password** – Your API token value from Atlassian. For more information, see [Manage API tokens for your Atlassian account](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) on the Atlassian website.
-
-         * **Jira site name** – The application name for your Jira project. This is typically the first component of the URL for your project in Atlassian. For example, in the URL `https://AnyCompany.atlassian.net`, the application name is `AnyCompany`. If you are uncertain, contact your Jira project manager to verify this information.
-
-         * **Project key** – The project key for your Jira project.
-
-To retrieve this project key, sign in to your Jira project, choose **Administration, Project, View all projects** , and then copy the **Key** value from the appropriate project.
-
-###### Important
-
-Ensure that your Jira account and email address both have access to the project. If you are uncertain, contact your Jira project manager to verify this information.
-
-ServiceNow
-    
-
-         * **Username** – Your ServiceNow username.
-
-         * **Password** – Your ServiceNow instance password.
-
-         * **Instance ID** – Your ServiceNow instance ID.
-
-You can view this information by signing in to your ServiceNow account. If you are uncertain, contact your ServiceNow administrator to verify this information.
-
-    3. Choose **Connect**.
-
-###### Important
-
-After you have completed this configuration procedure, we recommend that you create a test investigation and try out the integration before using it in an active investigation.
-
-  12. (Optional) You can integrate Amazon Q Developer operational investigations with a _chat channel_ using Amazon Q Developer in chat applications. This makes it possible to receive notifications about an investigation through the chat channel. Amazon Q Developer operational investigations and Amazon Q Developer in chat applications support chat channels in the following applications:
+  3. You can integrate CloudWatch investigations with a chat channel using AWS Chatbot in chat applications. This makes it possible to receive notifications about an investigation through the chat channel. CloudWatch investigations and AWS Chatbot support chat channels in the following applications:
@@ -224,3 +140 @@ After you have completed this configuration procedure, we recommend that you cre
-If you want to integrate with a chat channel, we recommend that you complete some other steps before performing this step in the create an investigation group process. For more information, see [Integration with third-party chat systems](./Investigations-Integrations.html#Investigations-Integrations-Chat).
-
-To then perform the steps here to integrate with a chat channel in [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/), do the following:
+If you want to integrate with a chat channel, we recommend that you complete some additional steps before you proceed. For more information, see [Integration with third-party chat systems](./Investigations-Integrations.html#Investigations-Integrations-Chat).
@@ -228 +142 @@ To then perform the steps here to integrate with a chat channel in [Amazon Q Dev
-    1. In the **Chat client integration** section, choose **Select SNS topic**.
+Then, perform the following steps to integrate with a chat channel in chat applications:
@@ -230 +144 @@ To then perform the steps here to integrate with a chat channel in [Amazon Q Dev
-    2. Select the SNS topic to use for sending notifications about your investigations.
+     * In the **Chat client integration** section, choose **Select SNS topic**.
@@ -232 +146 @@ To then perform the steps here to integrate with a chat channel in [Amazon Q Dev
-  13. Choose **Complete setup**.
+     * Select the SNS topic to use for sending notifications about your investigations.