AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-07-07 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md

Summary

Updated documentation to replace 'Amazon Q Developer operational investigations' with 'CloudWatch investigations' throughout, clarified required resource policy for CloudWatch alarm integration, improved property descriptions, and rebranded service references

Security assessment

The change adds explicit requirement to use PutInvestigationGroupPolicy for CloudWatch alarm integration, which introduces security controls around resource policies. The KMS key property clarification emphasizes encryption configuration, which is security-related. The service role description maintains security context around IAM permissions.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md
index ed820ee02..a22dbfd9a 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md
@@ -24 +24 @@ Currently, you can have one investigation group in each Region in your account.
-To create an investigation group and set up Amazon Q Developer operational investigations, you must be signed in to an IAM principal that has the either the `AIOpsConsoleAdminPolicy` or the `AdministratorAccess`IAM policy attached, or to an account that has similar permissions.
+To create an investigation group and set up CloudWatch investigations, you must be signed in to an IAM principal that has the either the `AIOpsConsoleAdminPolicy` or the `AdministratorAccess` IAM policy attached, or to an account that has similar permissions.
@@ -26 +26 @@ To create an investigation group and set up Amazon Q Developer operational inves
-###### Note
+###### Important
@@ -28 +28 @@ To create an investigation group and set up Amazon Q Developer operational inves
-You can optionally configure CloudWatch alarms to start investigations and add events to investigations. The examples section on this page demonstrates creating an investigation group and an alarm at the same time. 
+You can configure CloudWatch alarms to start investigations and add events to investigations. If you create your investigation group with `CreateInvestigationGroup` and you want to enable alarms to do this, you must use `PutInvestigationGroupPolicy` to create a resource policy that grants this permission to CloudWatch alarms. 
@@ -30 +30 @@ You can optionally configure CloudWatch alarms to start investigations and add e
-For more information about configuring CloudWatch alarms to work with Amazon Q Developer operational investigations, see 
+For more information about configuring CloudWatch alarms to work with CloudWatch investigations, see 
@@ -83 +83 @@ To declare this entity in your AWS CloudFormation template, use the following sy
-Use this property to integrate Amazon Q Developer operational investigations with Amazon Q in chat applications. This property is an array. For the first string, specify the ARN of an Amazon SNS topic. For the array of strings, specify the ARNs of one or more Amazon Q in chat applications configurations that you want to associate with that topic. For more information about these configuration ARNs, see [Getting started with Amazon Q in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html) and [Resource type defined by AWS Chatbot](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies).
+Use this property to integrate CloudWatch investigations with chat applications. This property is an array. For the first string, specify the ARN of an Amazon SNS topic. For the array of strings, specify the ARNs of one or more chat applications configurations that you want to associate with that topic. For more information about these configuration ARNs, see [Getting started with Amazon Q in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html) and [Resource type defined by AWS Chatbot](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies).
@@ -94 +94 @@ _Required_ : No
-Property description not available.
+Number of `sourceAccountId` values that have been configured for cross-account access.
@@ -105 +105 @@ _Required_ : No
-Use this property to specify a customer managed AWS KMS key to encrypt your investigation data. If you omit this property, Amazon Q Developer operational investigations will use an AWS key to encrypt the data. For more information, see [Encryption of investigation data](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS).
+Specifies the customer managed AWS KMS key that the investigation group uses to encrypt data, if there is one. If not, the investigation group uses an AWS key to encrypt the data.
@@ -116 +116 @@ _Required_ : No
-Property description not available.
+Returns the IAM resource policy that is associated with the specified investigation group.
@@ -127 +127 @@ _Required_ : No
-Specify `true` to enable Amazon Q Developer operational investigations to have access to change events that are recorded by CloudTrail. The default is `true`.
+Specify `true` to enable CloudWatch investigations to have access to change events that are recorded by CloudTrail. The default is `true`.
@@ -138 +138 @@ _Required_ : No
-A name for the investigation group.
+Specify either the name or the ARN of the investigation group that you want to view.
@@ -153,3 +153 @@ _Required_ : Yes
-Specify how long that investigation data is kept. For more information, see [Operational investigation data retention](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Retention.html). 
-
-If you omit this parameter, the default of 90 days is used.
+Specifies how long that investigation data is kept.
@@ -166,3 +164 @@ _Required_ : No
-Specify the ARN of the IAM role that Amazon Q Developer operational investigations will use when it gathers investigation data. The permissions in this role determine which of your resources that Amazon Q Developer operational investigations will have access to during investigations.
-
-For more information, see [How to control what data Amazon Q has access to during investigations](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-Security-Data).
+The ARN of the IAM role that the investigation group uses for permissions to gather data.
@@ -183,3 +179 @@ _Required_ : No
-Enter the existing custom tag keys for custom applications in your system. Resource tags help Amazon Q narrow the search space when it is unable to discover definite relationships between resources. For example, to discover that an Amazon ECS service depends on an Amazon RDS database, Amazon Q can discover this relationship using data sources such as X-Ray and CloudWatch Application Signals. However, if you haven't deployed these features, Amazon Q will attempt to identify possible relationships. Tag boundaries can be used to narrow the resources that will be discovered by Amazon Q in these cases.
-
-You don't need to enter tags created by myApplications or AWS CloudFormation, because Amazon Q can automatically detect those tags.
+Displays the custom tag keys for custom applications in your system that you have specified in the investigation group. Resource tags help CloudWatch investigations narrow the search space when it is unable to discover definite relationships between resources. 
@@ -200,3 +194 @@ _Required_ : No
-A list of key-value pairs to associate with the investigation group. You can associate as many as 50 tags with an investigation group. 
-
-Tags can help you organize and categorize your resources. 
+The list of key-value pairs to associate with the resource.
@@ -229 +221 @@ For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::
-The Amazon Resource Name (ARN) of the investigation group. For example, `arn:aws:aiops:_Region_ :_account-id_ :investigation-group:_investigation-group-id_`
+The Amazon Resource Name (ARN) of the investigation group.
@@ -249 +241 @@ The date and time that the investigation group was most recently modified.
-The name of the user who most recently modified the investigation group.
+The name of the user who created the investigation group.
@@ -257 +249 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-AIOps
+CloudWatch Investigations