AWS Security ChangesHomeSearch

AWS devopsagent high security documentation change

Service: devopsagent · 2026-03-07 · Security-related high

File: devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md

Summary

Updated IAM permissions documentation to restructure policy examples, add Chat management actions, and introduce AWS Managed Policies with detailed permissions.

Security assessment

The changes enforce least privilege by replacing wildcard permissions (e.g., 'aidevops:*') with granular actions in policies like AIDevOpsAgentReadOnlyAccess. This reduces excessive permissions, a critical security best practice. The addition of AWS Managed Policies like AIDevOpsAgentAccessPolicy with service-specific read-only permissions improves security documentation.

Diff

diff --git a/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md b/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md
index ef98168aa..685b269d2 100644
--- a//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md
+++ b//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md
@@ -5 +5 @@
-Agent Space management actionsInvestigation and execution actionsTopology and discovery actionsPrevention and recommendation actionsBacklog task management actionsKnowledge management actionsAWS Support integration actionsUsage and monitoring actionsCommon IAM policy examplesAWS Managed policies for AWS DevOps Agent
+Agent Space management actionsInvestigation and execution actionsChat management actions:Topology and discovery actionsPrevention and recommendation actionsBacklog task management actionsKnowledge management actionsAWS Support integration actionsUsage and monitoring actionsAWS Managed policies for AWS DevOps Agent
@@ -28,2 +27,0 @@ These actions control access to incident investigation features:
-  * **aidevops:SendChatMessage** – Allows users to ask questions about investigation or mitigation activities and provide instructions.
-
@@ -36,0 +35,13 @@ These actions control access to incident investigation features:
+## Chat management actions:
+
+Chat requires the following IAM permissions to function:
+
+  * **aidevops:ListChats** – Required to list and access chat conversation history.
+
+  * **aidevops:CreateChat** – Required to create new chat conversations.
+
+  * **aidevops:StreamMessage** – Required to submit queries and receive streaming responses.
+
+
+
+
@@ -113 +124,31 @@ These actions control access to usage information:
-## Common IAM policy examples
+## AWS Managed policies for AWS DevOps Agent
+
+AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the IAM User Guide.
+
+The following AWS managed policies, which you can attach to users in your account, are specific to AWS DevOps Agent.
+
+### AWSServiceRoleForAIDevOpsPolicy
+
+This Service Linked Role provides AWS DevOps Agent ability to provide usage information.
+    
+    
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "sid1",
+          "Effect" : "Allow",
+          "Action" : [
+            "cloudwatch:PutMetricData"
+          ],
+          "Resource" : "*",
+          "Condition" : {
+            "StringEquals" : {
+              "cloudwatch:namespace" : [
+                "AWS/AIDevOps"
+              ]
+            }
+          }
+        }
+      ]
+    }
@@ -115 +156 @@ These actions control access to usage information:
-### Administrator policy
+### AIDevOpsAgentReadOnlyAccess
@@ -117 +158 @@ These actions control access to usage information:
-This policy grants full access to all AWS DevOps Agent features:
+Provides read only access to Amazon DevOps Agent via the AWS Management Console
@@ -123,0 +165 @@ This policy grants full access to all AWS DevOps Agent features:
+          "Sid": "AIDevOpsAgentReadOnlyAccess",
@@ -125 +167,5 @@ This policy grants full access to all AWS DevOps Agent features:
-          "Action": "aidevops:*",
+          "Action": [
+            "aidevops:Get*",
+            "aidevops:List*",
+            "aidevops:SearchServiceAccessibleResource"
+          ],
@@ -131 +177 @@ This policy grants full access to all AWS DevOps Agent features:
-### Operator policy
+### AIDevOpsAgentOperatorPolicy
@@ -133 +179 @@ This policy grants full access to all AWS DevOps Agent features:
-This policy grants access to investigation and prevention features without administrative capabilities:
+Provides access to investigation and prevention features without administrative capabilities
@@ -139,0 +186 @@ This policy grants access to investigation and prevention features without admin
+          "Sid": "AIDevOpsAgentSpaceOperator",
@@ -143,4 +190,18 @@ This policy grants access to investigation and prevention features without admin
-            "aidevops:InvokeAgent",
-            "aidevops:ListExecutions",
-            "aidevops:ListJournalRecords",
-            "aidevops:ListAssociations",
+            "aidevops:ListAgentSpaces"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsServiceOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:GetService",
+            "aidevops:ListServices",
+            "aidevops:SearchServiceAccessibleResource"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsAssociationOperator",
+          "Effect": "Allow",
+          "Action": [
@@ -148,3 +209,37 @@ This policy grants access to investigation and prevention features without admin
-            "aidevops:DiscoverTopology",
-            "aidevops:ListRecommendations",
-            "aidevops:GetRecommendation",
+            "aidevops:ListAssociations"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsWebhookOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:ListWebhooks"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsOperatorAppOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:GetOperatorAppTeams",
+            "aidevops:CreateOneTimeLoginSession"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsKnowledgeOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:CreateKnowledgeItem",
+            "aidevops:GetKnowledgeItem",
+            "aidevops:ListKnowledgeItems",
+            "aidevops:UpdateKnowledgeItem",
+            "aidevops:DeleteKnowledgeItem"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsBacklogOperator",
+          "Effect": "Allow",
+          "Action": [
@@ -152 +246,0 @@ This policy grants access to investigation and prevention features without admin
-            "aidevops:UpdateBacklogTask",
@@ -155,5 +249 @@ This policy grants access to investigation and prevention features without admin
-            "aidevops:ListKnowledgeItems",
-            "aidevops:GetKnowledgeItem",
-            "aidevops:InitiateChatForCase",
-            "aidevops:EndChatForCase",
-            "aidevops:SendChatMessage",
+            "aidevops:UpdateBacklogTask",
@@ -161,2 +251,47 @@ This policy grants access to investigation and prevention features without admin
-            "aidevops:CreteKnowledgeItem",
-            "aidevops:UpdateKnowledgelItem",
+            "aidevops:UpdateGoal"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsRecommendationOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:GetRecommendation",
+            "aidevops:ListRecommendations",
+            "aidevops:UpdateRecommendation"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsAgentChatOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:CreateChat",
+            "aidevops:ListChats",
+            "aidevops:ListPendingMessages",
+            "aidevops:SendChatMessage",
+            "aidevops:StreamMessage"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsJournalOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:ListExecutions",
+            "aidevops:ListJournalRecords"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AIDevOpsTopologyOperator",
+          "Effect": "Allow",
+          "Action": [
+            "aidevops:DiscoverTopology"
+          ],
+          "Resource": "*"
+        },
+        {