AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-11-10 · Documentation medium

File: AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md

Summary

Added documentation for the new CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy managed policy, including permissions for EC2 prefix list operations and service-linked role details.

Security assessment

The change introduces a new service-linked role policy for network flow monitoring, enhancing network configuration visibility. While it improves monitoring capabilities, there's no evidence it addresses a specific security vulnerability. The added permissions (ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries) support monitoring but don't indicate a security fix.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md b/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
index 51749ad93..48badb134 100644
--- a//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
+++ b//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
@@ -5 +5 @@
-Policy updatesCloudWatchFullAccessV2CloudWatchFullAccessCloudWatchReadOnlyAccessCloudWatchActionsEC2AccessCloudWatch-CrossAccountAccessCloudWatchAutomaticDashboardsAccessCloudWatchAgentServerPolicyCloudWatchAgentAdminPolicyAWS managed (predefined) policies for CloudWatch cross-account observabilityAWS managed (predefined) policies for CloudWatch investigationsAWS managed (predefined) policies for CloudWatch Application SignalsAWS managed (predefined) policies for CloudWatch SyntheticsAWS managed (predefined) policies for Amazon CloudWatch RUMAWS managed policy for AWS Systems Manager Incident Manager
+Policy updatesCloudWatchFullAccessV2CloudWatchFullAccessCloudWatchReadOnlyAccessCloudWatchActionsEC2AccessCloudWatch-CrossAccountAccessCloudWatchAutomaticDashboardsAccessCloudWatchAgentServerPolicyCloudWatchAgentAdminPolicy CloudWatchNetworkFlowMonitorTopologyServiceRolePolicyAWS managed (predefined) policies for CloudWatch cross-account observabilityAWS managed (predefined) policies for CloudWatch investigationsAWS managed (predefined) policies for CloudWatch Application SignalsAWS managed (predefined) policies for CloudWatch SyntheticsAWS managed (predefined) policies for Amazon CloudWatch RUMAWS managed policy for AWS Systems Manager Incident Manager
@@ -32,0 +33,2 @@ The following AWS managed policies, which you can attach to users in your accoun
+  * CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy
+
@@ -53,0 +56 @@ Change | Description | Date
+CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy – Updated policy |  CloudWatch added the `ec2:DescribeManagedPrefixLists` and `ec2:GetManagedPrefixListEntries` permissions to the **CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy** managed policy to grant permissions for Network Flow Monitor to generate topology snapshots of managed prefix lists. | November 06, 2025  
@@ -194,0 +198,8 @@ To see the full contents of the policy, see [CloudWatchAgentAdminPolicy](https:/
+##  CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy
+
+You can't attach ` CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role named **AWSServiceRoleForNetworkFlowMonitor_Topology**. Using these permissions, as well as internal meta data information gathering (for performance efficiencies), this service-linked role gathers meta data about resource network configurations, such as describing route tables and gateways, for resources that this service monitors network traffic for. This meta data enables Network Flow Monitor to generate topology snapshots of the resources. When there is network degradation, Network Flow Monitor uses the topologies to provide insights into the location of issues in the network and to help determine attribution for issues. 
+
+To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy.html) in the _AWS Managed Policy Reference_.
+
+For more information, see [Service-linked roles for Network Flow Monitor](./using-service-linked-roles-network-flow-monitor.html).
+