AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-10-13 · Documentation low

File: AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md

Summary

Updated policy descriptions to include new CloudTrail/Service Quotas permissions for Application Signals functionality

Security assessment

The change documents enhanced IAM policy permissions for monitoring capabilities but does not fix a security issue. It provides updated security documentation for managed policies supporting operational features.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md b/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
index 20b948b80..1db9074b5 100644
--- a//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
+++ b//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
@@ -55,0 +56,2 @@ Change | Description | Date
+CloudWatchFullAccessV2 – Updates to existing policies |  CloudWatch updated **CloudWatchFullAccessV2** to include CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.  | October 8, 2025  
+CloudWatchReadOnlyAccess  – Updates to existing policies |  CloudWatch updated **CloudWatchReadOnlyAccess** to include CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.  | October 8, 2025  
@@ -143 +145 @@ AWS recently added the **CloudWatchFullAccessV2** managed IAM policy. This polic
-It includes `application-signals:` permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some `autoscaling:Describe` permissions so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes some `sns` permissions so that users with this policy can retrieve create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.
+It includes `application-signals:` permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some `autoscaling:Describe` permissions so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes some `sns` permissions so that users with this policy can retrieve create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.
@@ -159 +161 @@ The **CloudWatchReadOnlyAccess** policy grants read-only access to CloudWatch an
-The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. 
+The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.