AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2025-08-01 · Security-related medium

File: AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md

Summary

Added IAM condition to restrict iam:PassedToService to specific AWS services

Security assessment

The IAM policy change introduces a security control to limit where permissions can be delegated (to EKS and Application Signals services), reducing the risk of privilege escalation. This is a security hardening measure.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md b/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md
index 920eb9253..11b5fb7b2 100644
--- a//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md
+++ b//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md
@@ -178 +178,9 @@ JSON
-                "Resource": "*"
+        "Resource": "*",
+        "Condition": {
+        "StringEquals": {
+        "iam:PassedToService": [
+        "eks.amazonaws.com",
+        "application-signals.cloudwatch.amazonaws.com"
+        ]
+        }
+        }