AWS AmazonCloudWatch documentation change
Summary
Removed detailed AWS managed policy documentation sections and replaced with links to dedicated policy pages. Removed redundant policy content while maintaining navigation structure.
Security assessment
The changes restructure documentation navigation and remove redundant policy details by linking to external pages. There is no evidence of addressing security vulnerabilities or weaknesses. This is a documentation reorganization rather than a security-related update.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md b/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md index 5dedc90c9..ce3e73911 100644 --- a//AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md +++ b//AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.md @@ -5 +5 @@ -AudienceAuthenticating with identitiesManaging access using policiesAWS managed (predefined) policies for CloudWatchCustomer managed policy examplesPolicy updates +AudienceAuthenticating with identitiesManaging access using policies @@ -27 +27 @@ AWS Identity and Access Management (IAM) is an AWS service that helps an adminis - * AWS managed (predefined) policies for CloudWatch + * [AWS managed (predefined) policies for CloudWatch](./managed-policies-cloudwatch.html) @@ -29,3 +29 @@ AWS Identity and Access Management (IAM) is an AWS service that helps an adminis - * Customer managed policy examples - - * CloudWatch updates to AWS managed policies + * [Customer managed policy examples](./customer-managed-policies-cw.html) @@ -162,3841 +159,0 @@ When multiple types of policies apply to a request, the resulting permissions ar -## AWS managed (predefined) policies for CloudWatch - -AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the _IAM User Guide_. - -The following AWS managed policies, which you can attach to users in your account, are specific to CloudWatch. - -###### Topics - - * CloudWatchFullAccessV2 - - * CloudWatchFullAccess - - * CloudWatchReadOnlyAccess - - * CloudWatchActionsEC2Access - - * CloudWatch-CrossAccountAccess - - * CloudWatchAutomaticDashboardsAccess - - * CloudWatchAgentServerPolicy - - * CloudWatchAgentAdminPolicy - - * AWS managed (predefined) policies for CloudWatch cross-account observability - - * AWS managed (predefined) policies for CloudWatch investigations - - * AWS managed (predefined) policies for CloudWatch Application Signals - - * AWS managed (predefined) policies for CloudWatch Synthetics - - * AWS managed (predefined) policies for Amazon CloudWatch RUM - - * AWS managed (predefined) policies for CloudWatch Evidently - - * AWS managed policy for AWS Systems Manager Incident Manager - - - - -### CloudWatchFullAccessV2 - -AWS recently added the **CloudWatchFullAccessV2** managed IAM policy. This policy grants full access to CloudWatch actions and resources and also more properly scopes the permissions granted for other services such as Amazon SNS and Amazon EC2 Auto Scaling. We recommend that you begin using this policy instead of using **CloudWatchFullAccess**. AWS plans to deprecate **CloudWatchFullAccess** in the near future. - -It includes `application-signals:` permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some `autoscaling:Describe` permissions so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes some `sns` permissions so that users with this policy can retrieve create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. - -It includes Amazon OpenSearch Service permissions to support vended logs dashboards in CloudWatch Logs, which are created with Amazon OpenSearch Service analytics. - -It includes `rum`, `synthetics`, and `xray` permissions so that users can have full access to CloudWatch Synthetics, AWS X-Ray, and CloudWatch RUM, all of which are under the CloudWatch service. - -The contents of **CloudWatchFullAccessV2** are as follows: - -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Sid": "CloudWatchFullAccessPermissions", - "Effect": "Allow", - "Action": [ - "application-autoscaling:DescribeScalingPolicies", - "application-signals:*", - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribePolicies", - "cloudwatch:*", - "logs:*", - "sns:CreateTopic", - "sns:ListSubscriptions", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "sns:Subscribe", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "oam:ListSinks", - "rum:*", - "synthetics:*", - "xray:*", - "opensearch:ApplicationAccessAll", - "iam:ListRoles", - "iam:ListUsers", - "aoss:BatchGetCollection", - "aoss:BatchGetLifecyclePolicy", - "es:ListApplications" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsServiceLinkedRolePermissions", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com" - } - } - }, - { - "Sid": "EventsServicePermissions", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "events.amazonaws.com" - } - } - }, - { - "Sid": "OAMReadPermissions", - "Effect": "Allow", - "Action": [ - "oam:ListAttachedLinks" - ], - "Resource": "arn:aws:oam:*:*:sink/*" - }, - { - "Sid": "CloudWatchLogsOpenSearchCreateServiceLinkedAccess", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "opensearchservice.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/*/AWSServiceRoleForAmazonOpenSearchServerless", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "observability.aoss.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchLogsCollectionRequestAccess", - "Effect": "Allow", - "Action": [ - "aoss:CreateCollection" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/CloudWatchOpenSearchIntegration": [ - "Dashboards" - ] - }, - "ForAllValues:StringEquals": { - "aws:TagKeys": "CloudWatchOpenSearchIntegration" - } - } - }, - { - "Sid": "CloudWatchLogsApplicationRequestAccess", - "Effect": "Allow", - "Action": [ - "es:CreateApplication" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/OpenSearchIntegration": [ - "Dashboards" - ] - }, - "ForAllValues:StringEquals": { - "aws:TagKeys": "OpenSearchIntegration" - }