AWS AmazonCloudWatch documentation change
Summary
Added JSON policy examples and formatting for multiple IAM policies related to CloudWatch access
Security assessment
The changes document IAM policy structures but do not indicate any security vulnerability being addressed. They improve clarity of security configurations without evidence of patching a specific security issue.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md b/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md index 73e2832da..4bf0eaacf 100644 --- a//AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md +++ b//AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md @@ -218,0 +219,6 @@ The contents of **CloudWatchFullAccessV2** are as follows: +JSON + + +**** + + @@ -531,0 +539,6 @@ The contents of **CloudWatchFullAccess** are as follows: +JSON + + +**** + + @@ -824,0 +839,6 @@ The following is the content of the **CloudWatchReadOnlyAccess** policy. +JSON + + +**** + + @@ -891,0 +913,6 @@ The following is the content of the **CloudWatchActionsEC2Access** policy. +JSON + + +**** + + @@ -915,0 +944,6 @@ The following is the content of **CloudWatch-CrossAccountAccess** : +JSON + + +**** + + @@ -937,0 +973,6 @@ The following is the content of **CloudWatchAutomaticDashboardsAccess** : +JSON + + +**** + + @@ -997,0 +1040,6 @@ The **CloudWatchAgentServerPolicy** policy can be used in IAM roles that are att +JSON + + +**** + + @@ -1033,0 +1082,36 @@ The **CloudWatchAgentServerPolicy** policy can be used in IAM roles that are att + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData", + "ec2:DescribeVolumes", + "ec2:DescribeTags", + "logs:PutLogEvents", + "logs:DescribeLogStreams", + "logs:DescribeLogGroups", + "logs:CreateLogStream", + "logs:CreateLogGroup" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ssm:GetParameter" + ], + "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*" + } + ] + } + + @@ -1037,0 +1122,6 @@ The **CloudWatchAgentAdminPolicy** policy can be used in IAM roles that are atta +JSON + + +**** + + @@ -1073,0 +1164,36 @@ The **CloudWatchAgentAdminPolicy** policy can be used in IAM roles that are atta + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData", + "ec2:DescribeTags", + "logs:PutLogEvents", + "logs:DescribeLogStreams", + "logs:DescribeLogGroups", + "logs:CreateLogStream", + "logs:CreateLogGroup" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ssm:GetParameter", + "ssm:PutParameter" + ], + "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*" + } + ] + } + + @@ -1087,0 +1214,6 @@ The **CloudWatchCrossAccountSharingConfiguration** policy grants access to creat +JSON + + +**** + + @@ -1130,0 +1264,6 @@ For more information, see [CloudWatch cross-account observability](./CloudWatch- +JSON + + +**** + + @@ -1148,0 +1289,6 @@ The **OAMReadOnlyAccess** policy grants read-only access to Observability Access +JSON + + +**** + + @@ -1190,0 +1338,6 @@ The following are the contents of the **AIOpsConsoleAdminPolicy** policy. +JSON + + +**** + + @@ -1453,0 +1608,6 @@ The following are the contents of the **AIOpsOperatorAccess** policy. +JSON + + +**** + + @@ -1569,0 +1731,6 @@ The following are the contents of the **AIOpsReadOnlyAccess** policy. +JSON + + +**** + + @@ -1604,0 +1773,6 @@ The following are the contents of the **AIOpsAssistantPolicy** policy. +JSON + + +**** + + @@ -2500,0 +2676,6 @@ The following are the contents of the **CloudWatchApplicationSignalsReadOnlyAcce +JSON + + +**** + + @@ -2598,0 +2781,6 @@ The following are the contents of the **CloudWatchApplicationSignalsFullAccess** +JSON + + +**** + + @@ -2722,0 +2912,6 @@ The following are the contents of the **CloudWatchLambdaApplicationSignalsExecut +JSON +