AWS AmazonCloudWatch medium security documentation change
Summary
Added IAM condition to restrict iam:PassedToService to specific AWS services
Security assessment
The IAM policy change introduces a security control to limit where permissions can be delegated (to EKS and Application Signals services), reducing the risk of privilege escalation. This is a security hardening measure.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md b/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md index 920eb9253..11b5fb7b2 100644 --- a//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md +++ b//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md @@ -178 +178,9 @@ JSON - "Resource": "*" + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "eks.amazonaws.com", + "application-signals.cloudwatch.amazonaws.com" + ] + } + }