AWS Security ChangesHomeSearch

AWS AmazonCloudWatch high security documentation change

Service: AmazonCloudWatch · 2025-10-16 · Security-related high

File: AmazonCloudWatch/latest/monitoring/Investigations-Security.md

Summary

Added permissions required for incident report generation (including detailed IAM policy), introduced new managed policy, and clarified encryption consistency for reports

Security assessment

The addition of explicit IAM permissions for report generation addresses a potential security gap where missing permissions could prevent proper access controls. The documentation explicitly states that prior investigation groups lacked these permissions by default, creating a misconfiguration risk.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-Security.md b/AmazonCloudWatch/latest/monitoring/Investigations-Security.md
index 7d3d62b2b..3625bc9de 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-Security.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-Security.md
@@ -5 +5 @@
-Default CloudWatch investigations permissions, retention, and encryptionUser permissions for your CloudWatch investigations group How to control what data CloudWatch investigations has access to during investigationsEncryption of investigation dataCross-Region inference
+Default CloudWatch investigations permissions, retention, and encryptionUser permissions for your CloudWatch investigations group Additional permissions for Database InsightsHow to control what data CloudWatch investigations has access to during investigationsEncryption of investigation dataCross-Region inference
@@ -16,0 +17,2 @@ This section includes topics about how CloudWatch investigations integrate with
+  * Additional permissions for Database Insights
+
@@ -49 +51,37 @@ We recommend that you use three IAM principals, granting one of them the **AIOps
-### Additional permissions for Database Insights
+### Permissions for incident report generation
+
+Incident report generation requires additional permissions to allow the AI to collect events, facts, and then create reports.
+
+Users with **AIOpsConsoleAdminPolicy** can generate, edit, and copy incident reports. By default, your investigation group is assigned the **AIOpsAssistantPolicy** to give it access to resource. However, it does not have the permissions required to generate an investigation report. To give permissions to your investigation group to collate the investigation data into an incident report you must add a policy similar to the following example that includes additional permissions or add the additional actions as an inline policy to the group: 
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "IncidentReportOperations",
+                "Effect": "Allow",
+                "Action": [
+                    "aiops:GetInvestigation",
+                    "aiops:ListInvestigationEvents",
+                    "aiops:GetInvestigationEvent",
+    
+                    "aiops:CreateReport",
+                    "aiops:UpdateReport", 
+                    "aiops:GetReport",
+    
+                    "aiops:PutFact",
+                    "aiops:ListFacts",
+                    "aiops:GetFact",
+                    "aiops:GetFactVersions"
+                ],
+                "Resource": [
+                    "arn:aws:aiops:*:*:investigation-group/*"
+                ]
+            }
+        ]
+    }
+
+The new managed policy `AIOpsAssistantIncidentReportPolicy` provides the required permissions and is automatically added to investigation groups created after October 10, 2025. For more information, see [AIOpsAssistantIncidentReportPolicy](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsAssistantIncidentReportPolicy).
+
+## Additional permissions for Database Insights
@@ -59 +97 @@ When you configure an investigation group in your account, you specify what perm
-To enable CloudWatch investigations to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the **AIOpsAssistantPolicy** to the investigation group role. This grants the investigation group permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see [IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsAssistant).
+To enable CloudWatch investigations to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the **AIOpsAssistantPolicy** to the investigation group role. This grants the investigation group permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see [AIOpsAssistantPolicy](./managed-policies-cloudwatch.html#managed-policies-QInvestigations-AIOpsAssistant).
@@ -126,0 +165,2 @@ For the encryption of your investigation data, AWS offers two options:
+Incident reports generated from investigations use the same encryption settings as the parent investigation. This maintains a consistent security posture across your investigation data and documentation
+