AWS Security ChangesHomeSearch

AWS AmazonCloudWatch high security documentation change

Service: AmazonCloudWatch · 2025-08-16 · Security-related high

File: AmazonCloudWatch/latest/monitoring/Investigations-cross-account.md

Summary

Updated cross-account investigation documentation with clarified IAM role configuration steps, added AWS CLI examples for role creation/policy attachment, and emphasized sts:ExternalId usage in trust policies

Security assessment

The change introduces sts:ExternalId in trust policy examples and emphasizes its requirement. ExternalId is a security mechanism to prevent confused deputy attacks in cross-account access scenarios. The addition of explicit CLI commands for IAM role creation with proper conditions helps enforce secure configurations.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-cross-account.md b/AmazonCloudWatch/latest/monitoring/Investigations-cross-account.md
index 1ea7752f0..ac0e04c04 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-cross-account.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-cross-account.md
@@ -49 +49 @@ Cross-account CloudWatch investigations enables you to investigate application i
-       * If you choose **Automatically update the assistant role**(recommended), this creates a customer managed policy named `AIOpsAssistantCrossAccountPolicy-${guid}` with the `sts:AssumeRole` statements to assume the provided source account roles. Choosing the automatic update option defaults the IAM role name to `AIOps-CrossAccountInvestigationRole` in the source accounts .
+       * If you choose **Automatically update the assistant role (recommended)** , this creates a customer managed policy named `AIOpsAssistantCrossAccountPolicy-${guid}` that includes the `sts:AssumeRole` statements needed to assume the assistant role in the specified source accounts. Choosing the automatic update option defaults the IAM role name to `AIOps-CrossAccountInvestigationRole` in the source accounts .
@@ -73 +73 @@ JSON
-       * You may reach the limit of managed policies per role if the permissions are not manually updated when a source account is removed. You must delete any unused managed policies attached to your investigation role.
+       * You might reach the limit of managed policies per role if the permissions are not manually updated when a source account is removed. You must delete any unused managed policies attached to your investigation role.
@@ -77 +77 @@ JSON
-       * Below is an example of what the trust policy of the assistant role should look like. For more information, see [Getting started](./Investigations-GetStarted.html).
+       * The following example shows the trust policy required for the assistant role: 
@@ -97,4 +97 @@ JSON
-                                "aws:SourceAccount": "123456789012"
-                            },
-                            "ArnLike": {
-                                "aws:SourceArn": "arn:aws:aiops:us-east-1:123456789012:investigation-group/*"
+                                "sts:ExternalId": "arn:aws:aiops:us-east-1:123456789012:investigation-group/AaBbcCDde1EfFG2g"
@@ -109 +106,23 @@ JSON
-To grant cross-account access, the permission policy of the investigation role in the monitoring account must contain the following. If you are configuring the monitoring account manually, the role name can be whatever you choose. It does not default to `AIOps-CrossAccountInvestigationRole`
+You can use the AWS CLI to create the custom source account role and then attach the `AIOpsAssistantPolicy` to the role using the following commands, replacing the placeholder values with the appropriate values for your environment: 
+            
+                        **aws iam create-role**
+             --role-name custom-role-name
+             --assume-role-policy-document 
+                '{ 
+                   "Version": "2012-10-17", 
+                   "Statement": [ 
+                             { 
+                                  "Effect": "Allow",
+                                  "Principal": { "AWS": "investigation-group-role-arn"
+                                      }, 
+                                  "Action": "sts:AssumeRole", 
+                                  "Condition": {
+                                             "StringEquals": { 
+                                                      "sts:ExternalId": "investigation-group-arn"
+                                                        } } } ] }' 
+            
+            **aws iam attach-role-policy** 
+             --role-name custom-role-name
+             --policy-arn arn:aws:iam::aws:policy/AIOpsAssistantPolicy
+
+       * To grant cross-account access, the permission policy of the assistant role in the monitoring account must contain the following. If you are configuring the monitoring account manually, the role name can be whatever you choose. It does not default to `AIOps-CrossAccountInvestigationRole`, make sure to specify the name of the assistant role for each of the source accounts. 
@@ -123,3 +142,3 @@ JSON
-                        "arn:aws:iam::777777777777:role/source_role_name_1",
-                        "arn:aws:iam::555555555555:role/source_role_name_2",
-                        "arn:aws:iam::666666666666:role/source_role_name_3"
+                        "arn:aws:iam::777777777777:role/custom_source_account_role_name",
+                        "arn:aws:iam::555555555555:role/custom_source_account_role_name",
+                        "arn:aws:iam::666666666666:role/custom_source_account_role_name"
@@ -130,0 +150,8 @@ JSON
+       * Use the AWS CLI to update the monitoring account investigation group with the custom source account role ARN using the following command, replacing the placeholder values with the appropriate values for your environment: 
+            
+                        **aws aiops update-investigation-group** 
+             --identifier investigation-group-id
+             --cross-account-configurations sourceRoleArn=sourceRoleArn1  sourceRoleArn=sourceRoleArn2
+
+For more details on this command, see the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/aiops/update-investigation-group.html).
+
@@ -140 +167 @@ JSON
-    2. The trust policy of the role on the source account looks like this. `ExternalID` must be specified on the policy. Use the monitoring account investigation group arn.
+    2. The trust policy of the role on the source account looks like this. `ExternalID` must be specified on the policy. Use the monitoring account investigation group ARN.
@@ -180 +207 @@ Make sure the source account shows up in the cross-account configuration, and th
-After you set up OAM or cross-account dashboard, you can view and investigate from a cross-account telemetry in your monitoring account. You must add a cross-account telemetry from the source account in order to run an investigation into that source account. 
+After you set up CloudWatch cross-account observability dashboard, you can view and investigate from a cross-account telemetry in your monitoring account. You must add a cross-account telemetry from the source account in order to run an investigation into that source account.