AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-11-10 · Documentation low

File: AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md

Summary

Clarified the attachment and usage of the AWSObservabilityAdminLogsCentralizationServiceRolePolicy for log centralization setup.

Security assessment

The update provides clearer instructions for configuring service-linked roles involved in centralized logging, which is a security best practice. However, it doesn't address a specific security issue but enhances documentation on secure setup procedures.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
index b0678f08e..ba6a9c3b8 100644
--- a//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
+++ b//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
@@ -555 +555 @@ The **AWSServiceRoleForCloudWatchMetrics_DbPerfInsights** service-linked role tr
-CloudWatch uses the service-linked role named **AWSObservabilityAdminLogsCentralizationServiceRolePolicy** – CloudWatch Observability Admin uses this role to use telemetry data from other AWS accounts that you specify to create CloudWatch log groups, log streams, and log events in your organization's monitoring account. The SLR only provides the assume role permission to allow the CloudWatch service to assume the role in the monitoring account.
+The **AWSObservabilityAdminLogsCentralizationServiceRolePolicy** attaches to appropriate IAM entity in your central management account, such as the CloudWatch service role –, to grant necessary permissions for setting up and managing centralized log collection. CloudWatch uses this role to access telemetry data from other AWS accounts that you specify to create CloudWatch log groups, log streams, and log events in your organization's monitoring account. The SLR only provides the assume role permission to allow the CloudWatch service to assume the role in the monitoring account. This policy is attached automatically if you set up centralized log collection using the AWS Management Console. If you use the AWS CLI or API to configure log centralization you must attach this policy manually to the IAM role that will be used for observability administration tasks.