AWS AmazonCloudWatch documentation change
Summary
Updated documentation for multiple CloudWatch managed IAM policies to include new permissions for Resource Explorer, cross-account observability (OAM), and Amazon Q integration. Changes include policy updates for CloudWatchFullAccessV2, CloudWatchApplicationSignalsFullAccess, CloudWatchReadOnlyAccess, CloudWatchApplicationSignalsReadOnlyAccess, CloudWatchApplicationSignalsServiceRolePolicy, and AIOpsConsoleAdminPolicy.
Security assessment
The changes document updates to IAM policies (security features) by adding permissions like resource-explorer-2:Search and Amazon Q integration. However, there's no evidence of these changes addressing a specific security vulnerability or incident. The updates appear to enable new features (viewing un-instrumented services, change events, and conversational incident reporting) rather than patching security flaws.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md b/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md index ea158f0f6..cc52a347b 100644 --- a//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md +++ b//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md @@ -55,0 +56,6 @@ Change | Description | Date +CloudWatchFullAccessV2 – Updated policy | CloudWatch updated the **CloudWatchFullAccessV2** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals by enabling resource explorer. | November 20th, 2025 +CloudWatchApplicationSignalsFullAccess – Updated policy | CloudWatch updated the **CloudWatchApplicationSignalsFullAccess** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals by enabling resource explorer. | November 20th, 2025 +CloudWatchReadOnlyAccess – Updated policy | CloudWatch updated the **CloudWatchReadOnlyAccess** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals. | November 20th, 2025 +CloudWatchApplicationSignalsReadOnlyAccess – Updated policy | CloudWatch updated the **CloudWatchApplicationSignalsReadOnlyAccess** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals. | November 20th, 2025 +[CloudWatchApplicationSignalsServiceRolePolicy](./using-service-linked-roles.html#service-linked-role-signals) – Update to an existing policy | CloudWatch updated the policy named **CloudWatchApplicationSignalsServiceRolePolicy**. Updated the policy to include `resource-explorer-2:Search` and `cloudtrail:CreateServiceLinkedChannel` to enable new Application Signals features. | November 20, 2025 +[AIOpsConsoleAdminPolicy – Updated policy ](https://docs.aws.amazon.com/managed-policies-QInvestigations-AIOpsConsoleAdminPolicy) | CloudWatch updated the **AIOpsConsoleAdminPolicy** policy to include Amazon Q integration permissions, enabling users to interact with CloudWatch investigations incident reports through Amazon Q's conversational interface. | November 17, 2025 @@ -147 +153 @@ AWS recently added the **CloudWatchFullAccessV2** managed IAM policy. This polic -It includes `application-signals:` permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some `autoscaling:Describe` permissions so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes some `sns` permissions so that users with this policy can retrieve create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. +It includes `application-signals:` permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some `autoscaling:Describe` permissions so that users with this policy can see the Amazon EC2 Auto Scaling actions that are associated with CloudWatch alarms. It includes some `sns` permissions so that users with this policy can retrieve create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. @@ -149 +155 @@ It includes `application-signals:` permissions so that users can access all the -It includes Amazon OpenSearch Service permissions to support vended logs dashboards in CloudWatch Logs, which are created with Amazon OpenSearch Service analytics. +It includes Amazon OpenSearch Service permissions to support vended logs dashboards in CloudWatch Logs, which are created with Amazon OpenSearch Service analytics. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account. @@ -163 +169 @@ The **CloudWatchReadOnlyAccess** policy grants read-only access to CloudWatch an -The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. It includes observability administration permissions for viewing telemetry rules, centralization configurations, and resource telemetry data across AWS Organizations. It includes the `cloudwatch:GenerateQuery` permission, so that users with this policy can generate a [CloudWatch Metrics Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/query_with_cloudwatch-metrics-insights.html) query string from a natural language prompt. +The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Amazon EC2 Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. It includes observability administration permissions for viewing telemetry rules, centralization configurations, and resource telemetry data across AWS Organizations. It includes the `cloudwatch:GenerateQuery` permission, so that users with this policy can generate a [CloudWatch Metrics Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/query_with_cloudwatch-metrics-insights.html) query string from a natural language prompt. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account. @@ -260,0 +267,2 @@ These permissions allow users with this policy to pass any IAM role to the `aiop + * The `q` permissions enable integration with Amazon Q, allowing users to interact with and update CloudWatch investigations reports through Amazon Q's conversational interface. + @@ -329 +337 @@ The policies in this section grant permissions related to CloudWatch Application -AWS has added the **CloudWatchApplicationSignalsReadOnlyAccess** managed IAM policy. This policy grants read only access to actions and resources available to users in the CloudWatch console under Application Signals. It includes `application-signals:` policies so that users can use CloudWatch Application signals to view, investigate and monitor the health of their services. It includes an `iam:GetRole` policy to allow users to retrieve information about an IAM role. It includes `logs:` policies to start and stop queries, retrieve the configuration for a metruc filter, and obtain query results. It includes `cloudwatch:` policies so that users can obtain information about a CloudWatch alarm or metrics. It includes `synthetics:` policies so that users can retrieve information about synthetics canary runs. It includes `rum:` policies to run batch operations, retrieve data, and update metrics definitions for RUM clients. It includes an `xray:` policy to retrieve trace summaries. +AWS has added the **CloudWatchApplicationSignalsReadOnlyAccess** managed IAM policy. This policy grants read only access to actions and resources available to users in the CloudWatch console under Application Signals. It includes `application-signals:` policies so that users can use CloudWatch Application signals to view, investigate and monitor the health of their services. It includes an `iam:GetRole` policy to allow users to retrieve information about an IAM role. It includes `logs:` policies to start and stop queries, retrieve the configuration for a metruc filter, and obtain query results. It includes `cloudwatch:` policies so that users can obtain information about a CloudWatch alarm or metrics. It includes `synthetics:` policies so that users can retrieve information about synthetics canary runs. It includes `rum:` policies to run batch operations, retrieve data, and update metrics definitions for RUM clients. It includes an `xray:` policy to retrieve trace summaries. It includes `oam:` policies so that users can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account. @@ -335 +343 @@ To see the full contents of the policy, see [CloudWatchApplicationSignalsReadOnl -AWS has added the **CloudWatchApplicationSignalsFullAccess** managed IAM policy. This policy grants access to all actions and resources available to users in the CloudWatch console. It includes `application-signals:` policies so that users can use CloudWatch Application signals to view, investigate and monitor the health of their services. It uses `cloudwatch:` policies to retrieve data from metrics and alarms. It uses `logs:` policies to manage queries and filters. It uses `synthetics:` policies so that users can retrieve information about synthetics canary runs. It includes `rum:` policies to run batch operations, retrieve data and update metrics definitions for RUM clients. It includes an `xray:` policy to retrieve trace summaries. It includes `arn:aws:cloudwatch:*:*:alarm:` policies so that users can retrieve information about a service level objective (SLO) alarm. It includes `iam:` policies to manage IAM roles. It uses `sns:` policies to create, list, and subscribe to an Amazon SNS topic. +AWS has added the **CloudWatchApplicationSignalsFullAccess** managed IAM policy. This policy grants access to all actions and resources available to users in the CloudWatch console. It includes `application-signals:` policies so that users can use CloudWatch Application signals to view, investigate and monitor the health of their services. It uses `cloudwatch:` policies to retrieve data from metrics and alarms. It uses `logs:` policies to manage queries and filters. It uses `synthetics:` policies so that users can retrieve information about synthetics canary runs. It includes `rum:` policies to run batch operations, retrieve data and update metrics definitions for RUM clients. It includes an `xray:` policy to retrieve trace summaries. It includes `arn:aws:cloudwatch:*:*:alarm:` policies so that users can retrieve information about a service level objective (SLO) alarm. It includes `iam:` policies to manage IAM roles. It uses `sns:` policies to create, list, and subscribe to an Amazon SNS topic. It includes `oam:` policies so that users can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account