AWS AmazonCloudWatch documentation change
Summary
Added CloudTrail CreateServiceLinkedChannel permission to required IAM policy
Security assessment
Added documentation for required CloudTrail permissions to enable service integration. While CloudTrail is security-related, there is no evidence this addresses a specific vulnerability. The change enhances documentation about required security permissions for monitoring features.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search-getting-started.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search-getting-started.md index 6c5e716b3..dc2053ced 100644 --- a//AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search-getting-started.md +++ b//AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search-getting-started.md @@ -26,6 +25,0 @@ Before you can enable Transaction Search, you must create a role with the follow -JSON - - -**** - - @@ -94 +88,9 @@ JSON - "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" + "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", + } + { + "Sid": "CloudWatchApplicationSignalsCloudTrailPermissions", + "Effect": "Allow", + "Action": [ + "cloudtrail:CreateServiceLinkedChannel" + ], + "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/application-signals/*"