AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-06-25 · Documentation high

File: AmazonCloudWatch/latest/monitoring/Investigations-Troubleshooting.md

Summary

Updated documentation to replace Amazon Q Developer references with CloudWatch investigations. Added detailed IAM role configuration steps, including trust policies with sts:ExternalId conditions for secure cross-account access.

Security assessment

The changes add documentation about configuring IAM roles with necessary permissions and trust policies, including sts:AssumeRole and sts:ExternalId conditions. This guides users in securely setting up CloudWatch investigations, preventing unauthorized access. However, there's no explicit mention of addressing a specific security vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-Troubleshooting.md b/AmazonCloudWatch/latest/monitoring/Investigations-Troubleshooting.md
index a1d92ef58..2a4b388a2 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-Troubleshooting.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-Troubleshooting.md
@@ -5 +5 @@
-Amazon Q Developer cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configuredUnable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.Analysis complete. Submit additional findings to receive updated suggestions
+CloudWatch investigations cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configuredUnable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.Analysis complete. Submit additional findings to receive updated suggestionsSource account status shows "Pending link to monitoring account"
@@ -9,11 +9 @@ Amazon Q Developer cannot assume the necessary IAM roles or permissions. Please
-###### Note
-
-The Amazon Q Developer operational investigations feature is in preview release and is subject to change. It is currently available in the following Regions:
-
-  * US East (N. Virginia)
-
-  * US East (Ohio)
-
-  * US West (Oregon)
-
-  * Asia Pacific (Hong Kong)
+###### Topics
@@ -21 +11 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Asia Pacific (Mumbai)
+  * CloudWatch investigations cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured
@@ -23 +13 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Asia Pacific (Singapore)
+  * Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.
@@ -25 +15 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Asia Pacific (Sydney)
+  * Analysis complete. Submit additional findings to receive updated suggestions
@@ -27 +17 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Asia Pacific (Tokyo)
+  * Source account status shows "Pending link to monitoring account"
@@ -29 +18,0 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Europe (Frankfurt)
@@ -31 +19,0 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Europe (Ireland)
@@ -33 +20,0 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Europe (Spain)
@@ -35 +22 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Europe (Stockholm)
+## CloudWatch investigations cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured
@@ -36,0 +24 @@ The Amazon Q Developer operational investigations feature is in preview release
+CloudWatch investigations use an IAM role to be able to access information in your topology. This IAM role must be configured with adequate permissions. For more information about the necessary permissions, see [How to control what data CloudWatch investigations has access to during investigations](./Investigations-Security.html#Investigations-Security-Data).
@@ -37,0 +26 @@ The Amazon Q Developer operational investigations feature is in preview release
+## Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.
@@ -38,0 +28 @@ The Amazon Q Developer operational investigations feature is in preview release
+There are several AWS services and features that we recommend you to enable to provide additional valuable information to CloudWatch investigations. These services and features can help CloudWatch investigations identify event sources. For more information, see [(Recommended) Best practices to enhance investigations](./Investigations-RecommendedServices.html).
@@ -40 +30 @@ The Amazon Q Developer operational investigations feature is in preview release
-###### Topics
+## Analysis complete. Submit additional findings to receive updated suggestions
@@ -42 +32 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Amazon Q Developer cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured
+When you see this message, CloudWatch investigations has finished analyzing your topology and telemetry based on the findings that it has found so far. If you think that the root cause hasn't been found, you can manually add more telemetry to the investigation, and this might cause CloudWatch investigations to scan your system again based on the new information.
@@ -44 +34 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.
+To add new telemetry, navigate to that service's console and add the telemetry to the investigation. For example, to add a Lambda metric to the investigation, you can do the following:
@@ -46 +36 @@ The Amazon Q Developer operational investigations feature is in preview release
-  * Analysis complete. Submit additional findings to receive updated suggestions
+  1. Open the Lambda console.
@@ -47,0 +38 @@ The Amazon Q Developer operational investigations feature is in preview release
+  2. In the **Monitor** section, find the metric.
@@ -48,0 +40 @@ The Amazon Q Developer operational investigations feature is in preview release
+  3. Open the vertical ellipsis context menu  ![An example of a CloudWatch overview home page, showing alarms and their current state, and examples of other metrics graph widgets that might appear on the overview home page.](/images/AmazonCloudWatch/latest/monitoring/images/vmore.png) for the metric, choose **Investigate** , **Add to investigation** Then, in the **Investigate** pane, select the name of the investigation.
@@ -51 +42,0 @@ The Amazon Q Developer operational investigations feature is in preview release
-## Amazon Q Developer cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured
@@ -53 +43,0 @@ The Amazon Q Developer operational investigations feature is in preview release
-Amazon Q Developer operational investigations use an IAM role to be able to access information in your topology. This IAM role must be configured with adequate permissions. For more information about the necessary permissions, see [How to control what data Amazon Q Developer has access to during investigations](./Investigations-Security.html#Investigations-Security-Data).
@@ -55 +45 @@ Amazon Q Developer operational investigations use an IAM role to be able to acce
-## Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.
+## Source account status shows "Pending link to monitoring account"
@@ -57 +47 @@ Amazon Q Developer operational investigations use an IAM role to be able to acce
-There are several AWS services and features that we recommend you to enable to provide additional valuable information to Amazon Q Developer. These services and features can help Amazon Q Developer identify event sources. For more information, see [(Recommended) Best practices to enhance investigations](./Investigations-RecommendedServices.html).
+Check that both your monitoring account and source account are set up correctly.
@@ -59 +49 @@ There are several AWS services and features that we recommend you to enable to p
-## Analysis complete. Submit additional findings to receive updated suggestions
+  1. Check that the source account ID and the source account role name are correct.
@@ -61 +51 @@ There are several AWS services and features that we recommend you to enable to p
-When you see this message, Amazon Q Developer has finished analyzing your topology and telemetry based on the findings that it has found so far. If you think that the root cause hasn't been found, you can manually add more telemetry to the investigation, and this might cause Amazon Q Developer to scan your system again based on the new information.
+  2. The monitoring account role needs to have `sts:AssumeRole` permission to assume the source account role.
@@ -63 +53 @@ When you see this message, Amazon Q Developer has finished analyzing your topolo
-To add new telemetry, navigate to that service's console and add the telemetry to the investigation. For example, to add a Lambda metric to the investigation, you can do the following:
+  3. The source account role needs to have a trust policy for the monitoring account role to assume.
@@ -65 +55 @@ To add new telemetry, navigate to that service's console and add the telemetry t
-  1. Open the Lambda console.
+  4. The trust policy in the source account role must be properly scoped to have the Investigation Group arn in the `sts:ExternalId` context key:
@@ -67 +57,5 @@ To add new telemetry, navigate to that service's console and add the telemetry t
-  2. In the **Monitor** section, find the metric.
+                    "Condition": {
+                    "StringEquals": {
+                        "sts:ExternalId": "investigation-group-arn"
+                    }
+                }
@@ -69 +62,0 @@ To add new telemetry, navigate to that service's console and add the telemetry t
-  3. Open the vertical ellipsis context menu  ![An example of a CloudWatch overview home page, showing alarms and their current state, and examples of other metrics graph widgets that might appear on the overview home page.](/images/AmazonCloudWatch/latest/monitoring/images/vmore.png) for the metric, choose **Investigate** , **Add to investigation** Then, in the **Investigate** pane, select the name of the investigation.
@@ -80 +73 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Security in operational investigations
+Security in CloudWatch investigations