AWS AmazonCloudWatch documentation change
Summary
Updated IAM policy statements to replace EKS permissions with Resource Explorer permissions and service-linked role creation
Security assessment
Modifies required permissions for application monitoring features but doesn't address a known vulnerability. The addition of iam:CreateServiceLinkedRole is a security-sensitive action but appears to be part of normal service requirements.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md b/AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md index 11b6a3e77..42e1c8dfc 100644 --- a//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md +++ b//AmazonCloudWatch/latest/monitoring/Application_Signals_Permissions.md @@ -132 +132 @@ JSON - "Sid": "CloudWatchApplicationSignalsEksReadPermissions", + "Sid": "CloudWatchApplicationSignalsResourceExplorerReadPermissions", @@ -135,2 +135,2 @@ JSON - "eks:ListAddons", - "eks:ListClusters" + "resource-explorer-2:ListIndexes", + "resource-explorer-2:Search" @@ -141 +141 @@ JSON - "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions", + "Sid": "CloudWatchApplicationSignalsResourceExplorerSLRPermissions", @@ -144 +144 @@ JSON - "eks:DescribeAddon" + "iam:CreateServiceLinkedRole" @@ -146 +146,16 @@ JSON - "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" + "Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "resource-explorer-2.amazonaws.com" + ] + } + } + }, + { + "Sid": "CloudWatchApplicationSignalsResourceExplorerCreateIndexPermissions", + "Effect": "Allow", + "Action": [ + "resource-explorer-2:CreateIndex" + ], + "Resource": "arn:aws:resource-explorer-2:*:*:index/*"