AWS AmazonCloudWatch documentation change
Summary
Updated IAM policy documentation for CloudWatch investigations, including rebranding from Amazon Q Developer references, added iam:CreatePolicy permission, new validation actions, and expanded resource access permissions
Security assessment
Changes include expanded IAM permissions (CreatePolicy, ValidateInvestigationGroup) and cross-account capabilities, but no concrete evidence of addressing a specific vulnerability. The CreatePolicy addition is scoped to specific resources, and validation changes appear to enhance operational controls rather than patch security flaws. Updates document security features without resolving known vulnerabilities.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md b/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md index 55992d5a0..7b1c101f0 100644 --- a//AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md +++ b//AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md @@ -192 +192 @@ The following AWS managed policies, which you can attach to users in your accoun - * AWS managed (predefined) policies for Amazon Q Developer operational investigations + * AWS managed (predefined) policies for CloudWatch investigations @@ -1164 +1164 @@ The **OAMReadOnlyAccess** policy grants read-only access to Observability Access -### AWS managed (predefined) policies for Amazon Q Developer operational investigations +### AWS managed (predefined) policies for CloudWatch investigations @@ -1166 +1166 @@ The **OAMReadOnlyAccess** policy grants read-only access to Observability Access -The policies in this section grant permissions related to Amazon Q Developer operational investigations. For more information, see [Amazon Q Developer operational investigations (Preview)](./Investigations.html). +The policies in this section grant permissions related to CloudWatch investigations. For more information, see [CloudWatch investigations](./Investigations.html). @@ -1170 +1170 @@ The policies in this section grant permissions related to Amazon Q Developer ope -The **AIOpsConsoleAdminPolicy** policy grants full access to all Amazon Q Developer operational investigations actions and their required permissions via the AWS console. This policy also grants limited access to other service's APIs required for Amazon Q Developer operational investigations functionality. +The **AIOpsConsoleAdminPolicy** policy grants full access to all CloudWatch investigations actions and their required permissions via the AWS console. This policy also grants limited access to other service's APIs required for CloudWatch investigations functionality. @@ -1172 +1172 @@ The **AIOpsConsoleAdminPolicy** policy grants full access to all Amazon Q Develo - * The `aiops` permissions grant access to all Amazon Q Developer operational investigations actions. + * The `aiops` permissions grant access to all CloudWatch investigations actions. @@ -1184 +1184 @@ These permissions allow users with this policy to pass any IAM role to the `aiop - * It allows APIs from services outside Amazon Q Developer operational investigations, which are required for investigation feature functionality. These include actions to configure Amazon Q Developer in chat applications, AWS KMS, CloudTrail trails, and SSM third-party issue management. + * It allows APIs from services outside CloudWatch investigations, which are required for investigation feature functionality. These include actions to configure Amazon Q Developer in chat applications, AWS KMS, CloudTrail trails, and SSM third-party issue management. @@ -1424,0 +1425,8 @@ The following are the contents of the **AIOpsConsoleAdminPolicy** policy. + }, + { + "Sid": "CreateAIOpsCrossAccountAssistantPolicy", + "Effect": "Allow", + "Action": [ + "iam:CreatePolicy" + ], + "Resource": "arn:aws:iam::*:policy/AIOpsCrossAccountAssistantPolicy*" @@ -1431 +1439 @@ The following are the contents of the **AIOpsConsoleAdminPolicy** policy. -The **AIOpsOperatorAccess** policy grants access to a limited set of Amazon Q Developer operational investigations APIs which include creating, updating, and deleting investigations, investigation events, and investigation resources. +The **AIOpsOperatorAccess** policy grants access to a limited set of CloudWatch investigations APIs which include creating, updating, and deleting investigations, investigation events, and investigation resources. @@ -1435 +1443 @@ This policy only provides access to investigations. You should be sure that IAM - * The `aiops` permissions allow access to Amazon Q Developer operational investigations APIs to create, update, and delete investigations. + * The `aiops` permissions allow access to CloudWatch investigations APIs to create, update, and delete investigations. @@ -1437 +1445 @@ This policy only provides access to investigations. You should be sure that IAM - * The `sso`, `identitystore`, and `sts` permssions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. + * The `sso`, `identitystore`, and `sts` permissions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. @@ -1461 +1469,2 @@ The following are the contents of the **AIOpsOperatorAccess** policy. - "aiops:UpdateInvestigationEvent" + "aiops:UpdateInvestigationEvent", + "aiops:ValidateInvestigationGroup" @@ -1557 +1566 @@ The following are the contents of the **AIOpsOperatorAccess** policy. -The **AIOpsReadOnlyAccess** policy grants read-only permissions for Amazon Q investigations and other related services. +The **AIOpsReadOnlyAccess** policy grants read-only permissions for CloudWatch investigations and other related services. @@ -1587 +1596 @@ The following are the contents of the **AIOpsReadOnlyAccess** policy. -#### IAM policy for Amazon Q Developer operational investigations (AIOpsAssistantPolicy) +#### IAM policy for CloudWatch investigations (AIOpsAssistantPolicy) @@ -1642,0 +1652 @@ The following are the contents of the **AIOpsAssistantPolicy** policy. + "appsync:GetDataSource", @@ -1644,0 +1655 @@ The following are the contents of the **AIOpsAssistantPolicy** policy. + "appsync:GetGraphqlApi", @@ -1860 +1870,0 @@ The following are the contents of the **AIOpsAssistantPolicy** policy. - "elastic-inference:Describe*", @@ -1958,0 +1969 @@ The following are the contents of the **AIOpsAssistantPolicy** policy. + "iam:ListAttachedRolePolicies", @@ -1959,0 +1971,2 @@ The following are the contents of the **AIOpsAssistantPolicy** policy. + "iam:ListRolePolicies", + "iam:ListRoles", @@ -3637,0 +3651,3 @@ Change | Description | Date +AIOpsConsoleAdminPolicy – Updated policy | CloudWatch updated the **AIOpsConsoleAdminPolicy** policy to permit validation of investigation groups across accounts. This policy grants users access to CloudWatch investigations actions, and to additional AWS actions that are necessary for accessing investigation events. | June 13, 2025 +AIOpsOperatorAccess – Updated policy | CloudWatch updated the **AIOpsOperatorAccess** policy to permit validation of investigation groups across accounts. This policy grants users access to CloudWatch investigations actions, and to additional AWS actions that are necessary for accessing investigation events. | June 13, 2025 +AIOpsAssistantPolicy – Updates to existing policy | CloudWatch updated the **AIOpsAssistantPolicy** IAM policy. It added permissions to enable CloudWatch Application Insights operational investigations to find information in your resources during investigations. The following permissions were added: `appsync:GetGraphqlApi`, `appsync:GetDataSource`, `iam:ListAttachedRolePolicies`, `iam:ListRolePolicies`, and `iam:ListRoles` Additionally, the `elastic-inference:Describe*` permission was removed from the policy. | June 13, 2025 @@ -3640,2 +3656,2 @@ AmazonCloudWatchRUMReadOnlyAccess – Updated policy | CloudWatch added a permi -AIOpsConsoleAdminPolicy – New policy | CloudWatch created a new policy named **AIOpsConsoleAdminPolicy**. This policy grants users full administrative access for managing Amazon Q Developer operational investigations, including the management of trusted identity propagation, and the management of IAM Identity Center and organizational access. | December 3, 2024 -AIOpOperatorAccess – New policy | CloudWatch created a new policy named **AIOpsOperatorAccess**. This policy grants users access to Amazon Q Developer operational investigations actions, and to additional AWS actions that are necessary for accessing investigation events. | December 3, 2024 +AIOpsConsoleAdminPolicy – New policy | CloudWatch created a new policy named **AIOpsConsoleAdminPolicy**. This policy grants users full administrative access for managing CloudWatch investigations, including the management of trusted identity propagation, and the management of IAM Identity Center and organizational access. | December 3, 2024 +AIOpsOperatorAccess – New policy | CloudWatch created a new policy named **AIOpsOperatorAccess**. This policy grants users access to CloudWatch investigations actions, and to additional AWS actions that are necessary for accessing investigation events. | December 3, 2024 @@ -3643 +3659 @@ AIOpsReadOnlyAccess – New policy | CloudWatch created a new policy named **AI -AIOpsAssistantPolicy – New policy | CloudWatch created a new policy named **AIOpsAssistantPolicy**. You don't assign this policy to a user. You assign this policy to the Amazon AI Operations assistant to enable Amazon Q operational investigations to analyze your AWS resources during the investigation of operational events. | December 3, 2024 +AIOpsAssistantPolicy – New policy | CloudWatch created a new policy named **AIOpsAssistantPolicy**. You don't assign this policy to a user. You assign this policy to the Amazon AI Operations assistant to enable CloudWatch investigations to analyze your AWS resources during the investigation of operational events. | December 3, 2024