AWS Security ChangesHomeSearch

AWS devopsagent documentation change

Service: devopsagent · 2026-02-28 · Documentation medium

File: devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md

Summary

Added security best practice for read-only credentials in integrations

Security assessment

Proactive security guidance about credential scoping but no fix for existing vulnerability

Diff

diff --git a/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md b/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md
index 7f6e0b6d4..71b5bdde6 100644
--- a//devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md
+++ b//devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md
@@ -36,0 +37,2 @@ Currently, AWS DevOps Agent supports AWS CloudWatch, Datadog, New Relic, and Spl
+**Security best practice:** When configuring credentials for built-in 1-way integrations, we recommend scoping API keys and tokens to read-only access. AWS DevOps Agent uses these credentials for telemetry introspection only and does not require write access to your telemetry provider.
+