AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-09-28 · Documentation low

File: AmazonCloudWatch/latest/monitoring/Investigations-Security.md

Summary

Updated IAM policy documentation links and section headers (e.g., 'Cross-account investigations' to 'Integrations with other systems')

Security assessment

Corrects internal links to IAM policies and reorganizes sections. While IAM policies are security-related, the changes are routine documentation updates without evidence of addressing a specific security issue.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-Security.md b/AmazonCloudWatch/latest/monitoring/Investigations-Security.md
index 7a778e499..7d3d62b2b 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-Security.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-Security.md
@@ -38 +38 @@ AWS has created three managed IAM policies that you can use for your users who w
-  * [AIOpsConsoleAdminPolicy](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsConsoleAdminPolicy)– grants an administrator the ability to set up CloudWatch investigations in the account, access to CloudWatch investigations actions, the management of trusted identity propagation, and the management of integration with IAM Identity Center and organizational access.
+  * [AIOpsConsoleAdminPolicy](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsConsoleAdminPolicy)– grants an administrator the ability to set up CloudWatch investigations in the account, access to CloudWatch investigations actions, the management of trusted identity propagation, and the management of integration with IAM Identity Center and organizational access.
@@ -40 +40 @@ AWS has created three managed IAM policies that you can use for your users who w
-  * [AIOpsOperatorAccess](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsOperatorAccess)– grants a user access to investigation actions including starting an investigation. It also grants additional permissions that are necessary for accessing investigation events.
+  * [AIOpsOperatorAccess](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsOperatorAccess)– grants a user access to investigation actions including starting an investigation. It also grants additional permissions that are necessary for accessing investigation events.
@@ -42 +42 @@ AWS has created three managed IAM policies that you can use for your users who w
-  * [AIOpsReadOnlyAccess](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsReadOnlyAccess)– grants read-only permissions for CloudWatch investigations and other related services.
+  * [AIOpsReadOnlyAccess](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsReadOnlyAccess)– grants read-only permissions for CloudWatch investigations and other related services.
@@ -59 +59 @@ When you configure an investigation group in your account, you specify what perm
-To enable CloudWatch investigations to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the **AIOpsAssistantPolicy** to the investigation group role. This grants the investigation group permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see [IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant).
+To enable CloudWatch investigations to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the **AIOpsAssistantPolicy** to the investigation group role. This grants the investigation group permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see [IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsAssistant).
@@ -63 +63 @@ You can also choose to attach the general AWS [**ReadOnlyAccess**](https://docs.
-If you want to scope down the permissions granted to CloudWatch investigations, you can attach a custom IAM policy to the investigation group IAM role instead of attaching the **AIOpsAssistantPolicy** policy. To do this, start your custom policy with the contents of [AIOpsAssistantPolicy](./auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant) and then remove permissions that you don't want to grant to CloudWatch investigations. This will prevent CloudWatch investigations from making suggestions based on the AWS services or actions that you don't grant access to.
+If you want to scope down the permissions granted to CloudWatch investigations, you can attach a custom IAM policy to the investigation group IAM role instead of attaching the **AIOpsAssistantPolicy** policy. To do this, start your custom policy with the contents of [AIOpsAssistantPolicy](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsAssistant) and then remove permissions that you don't want to grant to CloudWatch investigations. This will prevent CloudWatch investigations from making suggestions based on the AWS services or actions that you don't grant access to.
@@ -379 +379 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Cross-account investigations
+Integrations with other systems
@@ -381 +381 @@ Cross-account investigations
-Troubleshooting
+CloudWatch investigations data retention