AWS AmazonCloudWatch documentation change
Summary
Replaced inline IAM policy JSON examples with references to AWS-managed policies (CloudWatchApplicationSignalsFullAccess and CloudWatchApplicationSignalsReadOnlyAccess)
Security assessment
The change removes detailed IAM policy examples and directs users to official AWS-managed policies. While this promotes security best practices by encouraging use of maintained policies, there's no evidence of addressing a specific security vulnerability. The change appears to be documentation simplification rather than a direct security fix.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md b/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md index 9da406c15..11b6a3e77 100644 --- a//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md +++ b//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md @@ -13,131 +13 @@ This section explains the permissions necessary for you to enable, manage, and o -To manage Application Signals, you must be signed on with the following permissions: - -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Sid": "CloudWatchApplicationSignalsFullAccessPermissions", - "Effect": "Allow", - "Action": "application-signals:*", - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsAlarmsPermissions", - "Effect": "Allow", - "Action": [ - "cloudwatch:DescribeAlarms" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsMetricsPermissions", - "Effect": "Allow", - "Action": [ - "cloudwatch:GetMetricData", - "cloudwatch:ListMetrics" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", - "Effect": "Allow", - "Action": [ - "logs:StartQuery", - "logs:DescribeMetricFilters" - ], - "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" - }, - { - "Sid": "CloudWatchApplicationSignalsLogsPermissions", - "Effect": "Allow", - "Action": [ - "logs:GetQueryResults", - "logs:StopQuery" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsSyntheticsPermissions", - "Effect": "Allow", - "Action": [ - "synthetics:DescribeCanaries", - "synthetics:DescribeCanariesLastRun", - "synthetics:GetCanaryRuns" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsRumPermissions", - "Effect": "Allow", - "Action": [ - "rum:BatchCreateRumMetricDefinitions", - "rum:BatchDeleteRumMetricDefinitions", - "rum:BatchGetRumMetricDefinitions", - "rum:GetAppMonitor", - "rum:GetAppMonitorData", - "rum:ListAppMonitors", - "rum:PutRumMetricsDestination", - "rum:UpdateRumMetricDefinition" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsXrayPermissions", - "Effect": "Allow", - "Action": [ - "xray:GetTraceSummaries" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsPutMetricAlarmPermissions", - "Effect": "Allow", - "Action": "cloudwatch:PutMetricAlarm", - "Resource": [ - "arn:aws:cloudwatch:*:*:alarm:SLO-AttainmentGoalAlarm-*", - "arn:aws:cloudwatch:*:*:alarm:SLO-WarningAlarm-*", - "arn:aws:cloudwatch:*:*:alarm:SLI-HealthAlarm-*" - ] - }, - { - "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchApplicationSignalsGetRolePermissions", - "Effect": "Allow", - "Action": "iam:GetRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" - }, - { - "Sid": "CloudWatchApplicationSignalsSnsWritePermissions", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:Subscribe" - ], - "Resource": "arn:aws:sns:*:*:cloudwatch-application-signals-*" - }, - { - "Sid": "CloudWatchApplicationSignalsSnsReadPermissions", - "Effect": "Allow", - "Action": "sns:ListTopics", - "Resource": "*" - } - ] - } - +To manage Application Signals, you must be signed on with the required permissions. To view the contents of the **CloudWatchApplicationSignalsFullAccess** policy, see [CloudWatchApplicationSignalsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsFullAccess.html). @@ -225,95 +95 @@ JSON -Service operators who are using Application Signals to monitor services and SLOs must be signed on to an account with the following read only permissions: - -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Sid": "CloudWatchApplicationSignalsReadOnlyAccessPermissions", - "Effect": "Allow", - "Action": [ - "application-signals:BatchGet*", - "application-signals:Get*", - "application-signals:List*" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsGetRolePermissions", - "Effect": "Allow", - "Action": "iam:GetRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" - }, - { - "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", - "Effect": "Allow", - "Action": [ - "logs:StartQuery", - "logs:DescribeMetricFilters" - ], - "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" - }, - { - "Sid": "CloudWatchApplicationSignalsLogsPermissions", - "Effect": "Allow", - "Action": [ - "logs:GetQueryResults", - "logs:StopQuery" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsAlarmsReadPermissions", - "Effect": "Allow", - "Action": [ - "cloudwatch:DescribeAlarms" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchApplicationSignalsMetricsReadPermissions", - "Effect": "Allow", - "Action": [ - "cloudwatch:GetMetricData", - "cloudwatch:ListMetrics" - ], - "Resource": "*"