AWS AmazonCloudWatch medium security documentation change
Summary
Added documentation for two new service-linked role policies (AWSObservabilityAdminTelemetryEnablementServiceRolePolicy and AWSObservabilityAdminLogsCentralizationServiceRolePolicy) detailing permissions for telemetry enablement and logs centralization. Updated existing role descriptions and changelog.
Security assessment
The changes introduce new IAM policies with security-focused conditions like resource account restrictions, mandatory tagging requirements, and encryption operations. These enforce security boundaries and least-privilege access for telemetry/log management. While not fixing a specific vulnerability, they document security controls for centralized logging and telemetry configuration management.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md index ad150947d..419338564 100644 --- a//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md +++ b//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md @@ -5 +5 @@ -Service-linked role permissions for CloudWatch alarms EC2 actionsService-linked role permissions for CloudWatch telemetry configService-linked role permissions for CloudWatch Application SignalsService-linked role permissions for CloudWatch alarms Systems Manager OpsCenter actionsService-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actionsService-linked role permissions for CloudWatch cross-account cross-RegionService-linked role permissions for CloudWatch database Performance InsightsCreating a service-linked role for CloudWatchEditing a service-linked role for CloudWatch Deleting a service-linked role for CloudWatchRole updates +Service-linked role permissions for CloudWatch alarms EC2 actionsService-linked role permissions for CloudWatch telemetry configService-linked role permissions for CloudWatch telemetry enablementService-linked role permissions for CloudWatch Application SignalsService-linked role permissions for CloudWatch alarms Systems Manager OpsCenter actionsService-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actionsService-linked role permissions for CloudWatch cross-account cross-RegionService-linked role permissions for CloudWatch database Performance InsightsService-linked role permissions for CloudWatch Logs centralizationCreating a service-linked role for CloudWatchEditing a service-linked role for CloudWatch Deleting a service-linked role for CloudWatchRole updates @@ -199,0 +200,138 @@ JSON +## Service-linked role permissions for CloudWatch telemetry enablement + +The `AWSObservabilityAdminTelemetryEnablementServiceRolePolicy` grants permissions necessary to enable and manage telemetry configurations for AWS resources based on telemetry rules. + +This policy grants permissions for: + + * Basic telemetry operations including describing VPCs, flow logs, log groups, and managing EC2 instance monitoring + + * Resource tagging operations with the `CloudWatchTelemetryRuleManaged` tag for tracking managed resources + + * Log delivery configuration for services like AWS Bedrock and VPC Flow Logs + + * Configuration recorder management for telemetry enablement tracking + + + + +The policy enforces security boundaries through conditions that: + + * Restrict operations to resources within the same account using `aws:ResourceAccount` + + * Require the `CloudWatchTelemetryRuleManaged` tag for resource modifications + + * Limit configuration recorder access to those associated with telemetry enablement + + + + +The complete contents of the AWSObservabilityAdminTelemetryEnablementServiceRolePolicy are as follows: + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "organizations:ListAccounts", + "organizations:ListAccountsForParent", + "organizations:ListChildren", + "organizations:ListParents", + "organizations:DescribeOrganization", + "organizations:DescribeOrganizationalUnit" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "config:PutServiceLinkedConfigurationRecorder", + "config:DeleteServiceLinkedConfigurationRecorder" + ], + "Resource": [ + "arn:aws:config:*:*:configuration-recorder/AWSConfigurationRecorderForObservabilityAdmin/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "config:PutConfigurationAggregator", + "config:DeleteConfigurationAggregator", + "config:SelectAggregateResourceConfig" + ], + "Resource": [ + "arn:aws:config:*:*:config-aggregator/aws-service-config-aggregator/observabilityadmin.amazonaws.com/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": [ + "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" + ], + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "config.amazonaws.com" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "config.amazonaws.com" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "organizations:EnableAWSServiceAccess" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "organizations:ServicePrincipal": [ + "config.amazonaws.com" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "organizations:ListDelegatedAdministrators" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "organizations:ServicePrincipal": [ + "observabilityadmin.amazonaws.com", + "config.amazonaws.com" + ] + } + } + } + ] + } + + @@ -383 +521 @@ The **AWSServiceRoleForCloudWatchCrossAccount** service-linked role trusts the C -CloudWatch uses the service-linked role named **AWSServiceRoleForCloudWatchMetrics_DbPerfInsights**. – CloudWatch uses this role to retrieve Performance Insights metrics for creating alarms and snapshotting. +CloudWatch uses the service-linked role named **AWSServiceRoleForCloudWatchMetrics_DbPerfInsights** – CloudWatch uses this role to retrieve Performance Insights metrics for creating alarms and snapshotting. @@ -414,0 +553,25 @@ The **AWSServiceRoleForCloudWatchMetrics_DbPerfInsights** service-linked role tr +## Service-linked role permissions for CloudWatch Logs centralization + +CloudWatch uses the service-linked role named **AWSObservabilityAdminLogsCentralizationServiceRolePolicy** – CloudWatch Observability Admin uses this role to use telemetry data from other AWS accounts that you specify to create CloudWatch log groups, log streams, and log events in your organization's monitoring account. The SLR only provides the assume role permission to allow the CloudWatch service to assume the role in the monitoring account. + +The **AWSObservabilityAdminLogsCentralizationServiceRolePolicy** guilabel> service-linked role permissions policy allows CloudWatch to complete the following actions: + + * `sts:AssumeRole` + +`logs:CreateLogGroup` + +`logs:CreateLogStream` + +`logs:PutLogEvents` + +`kms:Encrypt` + +`kms:Decrypt` + +`kms:GenerateDataKey` + + + + +The **AWSObservabilityAdminLogsCentralizationServiceRolePolicy** service-linked role trusts the `logs-centralization.observabilityadmin.amazonaws.com` service to assume the role. + @@ -573,0 +737,2 @@ Change | Description | Date +AWSObservabilityAdminLogsCentralizationServiceRolePolicy – New service-linked role policy. | Added information about the AWSObservabilityAdminLogsCentralizationServiceRolePolicy that grants CloudWatch the permissions necessary to enable and manage telemetry configurations for AWS resources based on telemetry rules. | September 5, 2025 +AWSObservabilityAdminTelemetryEnablementServiceRolePolicy – New service-linked role policy. | Added information about the AWSObservabilityAdminTelemetryEnablementServiceRolePolicy that grants CloudWatch the permissions necessary to enable and manage telemetry configurations for AWS resources based on telemetry rules. | July 17, 2025