AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-10-16 · Documentation low

File: AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md

Summary

Updated section header for AIOpsAssistantPolicy.

Security assessment

Formatting change with no security implications.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md b/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
index 1db9074b5..4b92bfdf4 100644
--- a//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
+++ b//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
@@ -55,0 +56,3 @@ Change | Description | Date
+[AIOpsAssistantIncidentReportPolicy – New policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsAssistantIncidentReportPolicy.html) |  CloudWatch added the **AIOpsAssistantIncidentReportPolicy** policy to enable CloudWatch investigations to generate incident reports from investigation data, including permissions to access investigations, create reports, and manage AI-derived facts. | October 10, 2025  
+[AIOpsOperatorAccess – Updated policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsOperatorAccess.html) |  CloudWatch updated the **AIOpsOperatorAccess** policy to include incident report generation permissions, allowing users to create and manage incident reports and work with AI-derived facts in CloudWatch investigations. | October 10, 2025  
+CloudWatchReadOnlyAccess – Update to an existing policy.  |  CloudWatch added permissions to **CloudWatchReadOnlyAccess**.  Permissions for observability administration actions were added to allow read-only access to telemetry rules, centralization configurations, and resource telemetry data across AWS Organizations.  |  October 10, 2025  
@@ -161 +164 @@ The **CloudWatchReadOnlyAccess** policy grants read-only access to CloudWatch an
-The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. 
+The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. It includes observability administration permissions for viewing telemetry rules, centralization configurations, and resource telemetry data across AWS Organizations. It includes the `cloudwatch:GenerateQuery` permission, so that users with this policy can generate a [CloudWatch Metrics Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/query_with_cloudwatch-metrics-insights.html) query string from a natural language prompt. 
@@ -264 +267 @@ This policy only provides access to investigations. You should be sure that IAM
-  * The `sso`, `identitystore`, and `sts` permissions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. 
+  * The `sso-directory`, `sso`, `identitystore`, and `sts` permissions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. 
@@ -288 +291 @@ To see the full contents of the policy, see [AIOpsReadOnlyAccess](https://docs.a
-### IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)
+### AIOpsAssistantPolicy
@@ -290 +293,3 @@ To see the full contents of the policy, see [AIOpsReadOnlyAccess](https://docs.a
-The **AIOpsAssistantPolicy** policy is not to be assigned to users or administrators. Instead, it is assigned **AIOpsAssistantPolicy** to Amazon AI Operations to enable it to analyze your AWS resources during investigations of operational events. This policy is scoped based on the resources that CloudWatch investigations supports during investigations, and will be updated as more resources are supported.
+The **AIOpsAssistantPolicy** policy is the default policy recommended by AWS to assign to the Amazon AI Operations (AIOps) role used by your investigation group to enable it to analyze your AWS resources during investigations of operational events. This policy is not intended for use by human users.
+
+You can choose to have the policy assigned automatically when you create an investigation, or you can assign the policy manually to the role being used by the investigation. This policy is scoped based on the resources that CloudWatch investigations analyzes when performing investigations, and will be updated as more resources are supported. For a complete list of services that work with CloudWatch investigations see, [AWS services where investigations are supported](./Investigations-Services.html).
@@ -295,0 +301,13 @@ To see the full contents of the policy, see [AIOpsAssistantPolicy](https://docs.
+### AIOpsAssistantIncidentReportPolicy
+
+The **AIOpsAssistantIncidentReportPolicy** policy grants permissions required by CloudWatch investigations to generate incident reports from investigation data.
+
+This policy is intended for use by CloudWatch investigations to enable automated incident report generation from investigation findings.
+
+  * The `aiops` permissions allow access to CloudWatch investigations APIs to read investigation data and events, create and update incident reports, and manage AI-derived facts that form the foundation of report generation.
+
+
+
+
+To see the full contents of the policy, see [AIOpsAssistantIncidentReportPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsAssistantIncidentReportPolicy.html) in the _AWS Managed Policy Reference Guide_.
+