AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-06-25 · Documentation low

File: AmazonCloudWatch/latest/monitoring/Investigations-Security.md

Summary

Rebranding from 'Amazon Q Developer operational investigations' to 'CloudWatch investigations' throughout documentation. Removed preview region list and updated cross-region inference table with new regions (Malaysia, Thailand). Updated IAM policy references and encryption details to reflect CloudWatch branding.

Security assessment

Changes primarily involve product name updates and documentation restructuring without introducing new security controls or addressing vulnerabilities. IAM policy and encryption content remains functionally equivalent but references CloudWatch instead of Amazon Q Developer. No evidence of security vulnerability fixes or net-new security features added.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-Security.md b/AmazonCloudWatch/latest/monitoring/Investigations-Security.md
index 888faf6b9..444a60cef 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-Security.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-Security.md
@@ -5 +5 @@
-User permissionsHow to control what data Amazon Q Developer has access to during investigationsEncryption of investigation dataCross-Region inference
+User permissionsHow to control what data CloudWatch investigations has access to during investigationsEncryption of investigation dataCross-Region inference
@@ -7 +7 @@ User permissionsHow to control what data Amazon Q Developer has access to during
-# Security in operational investigations
+# Security in CloudWatch investigations
@@ -9,32 +9 @@ User permissionsHow to control what data Amazon Q Developer has access to during
-###### Note
-
-The Amazon Q Developer operational investigations feature is in preview release and is subject to change. It is currently available in the following Regions:
-
-  * US East (N. Virginia)
-
-  * US East (Ohio)
-
-  * US West (Oregon)
-
-  * Asia Pacific (Hong Kong)
-
-  * Asia Pacific (Mumbai)
-
-  * Asia Pacific (Singapore)
-
-  * Asia Pacific (Sydney)
-
-  * Asia Pacific (Tokyo)
-
-  * Europe (Frankfurt)
-
-  * Europe (Ireland)
-
-  * Europe (Spain)
-
-  * Europe (Stockholm)
-
-
-
-
-This section includes topics about how Amazon Q Developer operational investigations integrate with AWS security and permissions features.
+This section includes topics about how CloudWatch investigations integrate with AWS security and permissions features.
@@ -46 +15 @@ This section includes topics about how Amazon Q Developer operational investigat
-  * How to control what data Amazon Q Developer has access to during investigations
+  * How to control what data CloudWatch investigations has access to during investigations
@@ -57 +26 @@ This section includes topics about how Amazon Q Developer operational investigat
-AWS has created three managed IAM policies that you can use for your users who will be working with Amazon Q Developer operational investigations.
+AWS has created three managed IAM policies that you can use for your users who will be working with CloudWatch investigations.
@@ -59 +28 @@ AWS has created three managed IAM policies that you can use for your users who w
-  * [AIOpsConsoleAdminPolicy](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsConsoleAdminPolicy)– grants an administrator the ability to set up Amazon Q Developer operational investigations in the account, access to Amazon Q Developer operational investigations actions, the management of trusted identity propagation, and the management of integration with IAM Identity Center and organizational access.
+  * [AIOpsConsoleAdminPolicy](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsConsoleAdminPolicy)– grants an administrator the ability to set up CloudWatch investigations in the account, access to CloudWatch investigations actions, the management of trusted identity propagation, and the management of integration with IAM Identity Center and organizational access.
@@ -63 +32 @@ AWS has created three managed IAM policies that you can use for your users who w
-  * [AIOpsReadOnlyAccess](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsReadOnlyAccess)– grants read-only permissions for Amazon Q Developer operational investigations and other related services.
+  * [AIOpsReadOnlyAccess](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsReadOnlyAccess)– grants read-only permissions for CloudWatch investigations and other related services.
@@ -68 +37 @@ AWS has created three managed IAM policies that you can use for your users who w
-We recommend that you use three IAM principals, granting one of them the **AIOpsConsoleAdminPolicy** IAM policy, granting another the **AIOpsOperatorAccess** policy, and granting the third the **AIOpsReadOnlyAccess** policy. These principals could be either IAM roles (recommended) or IAM users. Then your users who work with Amazon Q Developer operational investigations would sign on with one of these principals.
+We recommend that you use three IAM principals, granting one of them the **AIOpsConsoleAdminPolicy** IAM policy, granting another the **AIOpsOperatorAccess** policy, and granting the third the **AIOpsReadOnlyAccess** policy. These principals could be either IAM roles (recommended) or IAM users. Then your users who work with CloudWatch investigations would sign on with one of these principals.
@@ -70 +39 @@ We recommend that you use three IAM principals, granting one of them the **AIOps
-## How to control what data Amazon Q Developer has access to during investigations
+## How to control what data CloudWatch investigations has access to during investigations
@@ -72 +41 @@ We recommend that you use three IAM principals, granting one of them the **AIOps
-When you enable the Amazon Q Developer operational investigations feature, you specify what permissions that Amazon Q Developer has to access your resources during investigations. You do this by assigning an IAM role to the assistant.
+When you enable the CloudWatch investigations feature, you specify what permissions that CloudWatch investigations has to access your resources during investigations. You do this by assigning an IAM role to the assistant.
@@ -74 +43 @@ When you enable the Amazon Q Developer operational investigations feature, you s
-To enable Amazon Q Developer to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the **AIOpsAssistantPolicy** to the assistant's role. This grants the assistant permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see [IAM policy for Amazon Q Developer operational investigations (AIOpsAssistantPolicy)](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant).
+To enable CloudWatch investigations to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the **AIOpsAssistantPolicy** to the assistant's role. This grants the assistant permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see [IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant).
@@ -78 +47 @@ You can also choose to attach the general AWS [**ReadOnlyAccess**](https://docs.
-If you want to scope down the permissions granted to Amazon Q Developer, you can attach a custom IAM policy to the assistant's IAM role instead of attaching the **AIOpsAssistantPolicy** policy. To do this, start your custom policy with the contents of [AIOpsAssistantPolicy](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant) and then remove permissions that you don't want to grant to Amazon Q Developer. This will prevent the assistant from being able to make suggestions based on the AWS services or actions that you don't grant access to.
+If you want to scope down the permissions granted to CloudWatch investigations, you can attach a custom IAM policy to the assistant's IAM role instead of attaching the **AIOpsAssistantPolicy** policy. To do this, start your custom policy with the contents of [AIOpsAssistantPolicy](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant) and then remove permissions that you don't want to grant to CloudWatch investigations. This will prevent the assistant from being able to make suggestions based on the AWS services or actions that you don't grant access to.
@@ -82 +51 @@ If you want to scope down the permissions granted to Amazon Q Developer, you can
-Anything that Amazon Q Developer can access can be added to the investigation and seen by your investigation operators. We recommend that you align Amazon Q Developer operational investigations permissions with the permissions that your investigation group operators have.
+Anything that CloudWatch investigations can access can be added to the investigation and seen by your investigation operators. We recommend that you align CloudWatch investigations permissions with the permissions that your investigation group operators have.
@@ -84 +53 @@ Anything that Amazon Q Developer can access can be added to the investigation an
-### Allowing Amazon Q Developer to decrypt encrypted data during investigations
+### Allowing CloudWatch investigations to decrypt encrypted data during investigations
@@ -86 +55 @@ Anything that Amazon Q Developer can access can be added to the investigation an
-If you encrypt your data in any of the following services with a customer managed key in AWS KMS, and you want Amazon Q Developer to be able to decrypt the data from these services and include them in investigations, you'll need to attach one or more additional IAM policies to the assistant's IAM role. 
+If you encrypt your data in any of the following services with a customer managed key in AWS KMS, and you want CloudWatch investigations to be able to decrypt the data from these services and include them in investigations, you'll need to attach one or more additional IAM policies to the assistant's IAM role. 
@@ -93 +62 @@ If you encrypt your data in any of the following services with a customer manage
-The policy statement should include a context key for encryption context to help scope down the permissions. For example, the following policy would enable the Amazon Q Developer to decrypt data for a Step Functions state machine.
+The policy statement should include a context key for encryption context to help scope down the permissions. For example, the following policy would enable the CloudWatch investigations to decrypt data for a Step Functions state machine.
@@ -128 +97 @@ For the encryption of your investigation data, AWS offers two options:
-  * **AWS owned keys** – By default, Amazon Q Developer encrypts investigation data at rest with an AWS owned key. You can't view or manage AWS owned keys, and you can't use them for other purposes or audit their use. However, you don't have to take any action or change any settings to use these keys. For more information about AWS owned keys, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). 
+  * **AWS owned keys** – By default, CloudWatch investigations encrypts investigation data at rest with an AWS owned key. You can't view or manage AWS owned keys, and you can't use them for other purposes or audit their use. However, you don't have to take any action or change any settings to use these keys. For more information about AWS owned keys, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). 
@@ -137 +106 @@ For the encryption of your investigation data, AWS offers two options:
-Amazon Q Developer automatically enables encryption at rest using AWS owned keys at no charge. If you use a customer managed key, AWS KMS charges apply. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).
+CloudWatch investigations automatically enables encryption at rest using AWS owned keys at no charge. If you use a customer managed key, AWS KMS charges apply. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).
@@ -145 +114 @@ You can associate an investigation group with a customer managed key, and then a
-Amazon Q Developer operational investigations customer managed key usage has the following conditions:
+CloudWatch investigations customer managed key usage has the following conditions:
@@ -147 +116 @@ Amazon Q Developer operational investigations customer managed key usage has the
-  * Amazon Q Developer operational investigations supports only symmetric encryption AWS KMS keys with the default key spec, `SYMMETRIC_DEFAULT`, and that have usage defined as `ENCRYPT_DECRYPT`.
+  * CloudWatch investigations supports only symmetric encryption AWS KMS keys with the default key spec, `SYMMETRIC_DEFAULT`, and that have usage defined as `ENCRYPT_DECRYPT`.
@@ -211 +180 @@ This policy provides permissions for service principals for the following reason
-The following policy assumes that you follow the recommendation of using three IAM principals, and granting one of them the **AIOpsConsoleAdminPolicy** IAM policy, granting another the **AIOpsOperatorAccess** policy, and granting the third the **AIOpsReadOnlyAccess** policy. These principals could be either IAM roles (recommended) or IAM users. Then your users who work with Amazon Q Developer operational investigations would sign on with one of these principals.
+The following policy assumes that you follow the recommendation of using three IAM principals, and granting one of them the **AIOpsConsoleAdminPolicy** IAM policy, granting another the **AIOpsOperatorAccess** policy, and granting the third the **AIOpsReadOnlyAccess** policy. These principals could be either IAM roles (recommended) or IAM users. Then your users who work with CloudWatch investigations would sign on with one of these principals.
@@ -360 +329 @@ As long as a previously-used key is active and Amazon Q has access to it for inv
-Amazon Q Developer operational investigations uses _cross-Region inference_ to distribute traffic across different AWS Region. Although the data remains stored only in the primary Region, when using cross-Region inference, your investigation data might move outside of your primary Region. All data will be transmitted encrypted across Amazon’s secure network. For more information see [Cross-Region inference](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/cross-region-inference.html) in the Amazon Q Developer user guide.
+CloudWatch investigations uses _cross-Region inference_ to distribute traffic across different AWS Region. Although the data remains stored only in the primary Region, when using cross-Region inference, your investigation data might move outside of your primary Region. All data will be transmitted encrypted across Amazon’s secure network. For more information see [Cross-Region inference](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/cross-region-inference.html) in the CloudWatch investigations user guide.
@@ -364 +333 @@ For details about where cross-Region inference distribution occurs for each Regi
-Supported Amazon Q Developer operational investigations geography | Investigation Region | Possible inference Regions  
+Supported CloudWatch investigations geography | Investigation Region | Possible inference Regions  
@@ -377,0 +347,2 @@ Supported Amazon Q Developer operational investigations geography | Investigatio
+| Asia Pacific (Malaysia) | US East (N. Virginia), US East (Ohio), US West (Oregon)  
+| Asia Pacific (Thailand) | US East (N. Virginia), US East (Ohio), US West (Oregon)  
@@ -385 +356 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Manage your current investigations
+Cross-account investigations