AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-07-18 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md

Summary

Updated IAM policy requirements, added CloudWatch alarm documentation link, changed cross-account access from sourceAccountId to sourceRoleArn, added IAM resource policy JSON example, clarified investigation group name/ARN usage.

Security assessment

The change from sourceAccountId to sourceRoleArn enforces role-based cross-account access control (security best practice). The explicit IAM policy JSON example helps users configure secure resource policies. These changes directly relate to access control and IAM policy configuration, which are security-critical.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md
index 55b9f1c9f..0a43c66d5 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-aiops-investigationgroup.md
@@ -24 +24 @@ Currently, you can have one investigation group in each Region in your account.
-To create an investigation group and set up CloudWatch investigations, you must be signed in to an IAM principal that has the either the `AIOpsConsoleAdminPolicy` or the `AdministratorAccess` IAM policy attached, or to an account that has similar permissions.
+To create an investigation group and set up CloudWatch investigations, you must be signed in to an IAM principal that has either the `AIOpsConsoleAdminPolicy` or the `AdministratorAccess` IAM policy attached, or to an account that has similar permissions.
@@ -30 +30 @@ You can configure CloudWatch alarms to start investigations and add events to in
-For more information about configuring CloudWatch alarms to work with CloudWatch investigations, see 
+For more information about configuring CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html)
@@ -94 +94 @@ _Required_ : No
-Number of `sourceAccountId` values that have been configured for cross-account access.
+List of `sourceRoleArn` values that have been configured for cross-account access.
@@ -116 +116 @@ _Required_ : No
-Returns the IAM resource policy that is associated with the specified investigation group.
+Returns the JSON of the IAM resource policy associated with the specified investigation group in a string. For example, `{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"aiops.alarms.cloudwatch.amazonaws.com\"},\"Action\":[\"aiops:CreateInvestigation\",\"aiops:CreateInvestigationEvent\"],\"Resource\":\"*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"111122223333\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:cloudwatch:us-east-1:111122223333:alarm:*\"}}}]}`.
@@ -138 +138 @@ _Required_ : No
-Specify either the name or the ARN of the investigation group that you want to view.
+Specify either the name or the ARN of the investigation group that you want to view. This is used to set the name of the investigation group.