AWS Security ChangesHomeSearch

AWS devopsagent documentation change

Service: devopsagent · 2026-03-13 · Documentation low

File: devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md

Summary

Restructured IAM policy documentation with updated policy examples, renamed sections, and clarified permissions. Added granular actions to operator/read-only policies and simplified administrator policy.

Security assessment

The changes improve documentation clarity around IAM permissions but don't address a specific security vulnerability. Enhanced policy examples help implement least-privilege access, which is security best practice but not a direct response to a disclosed issue.

Diff

diff --git a/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md b/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md
index 685b269d2..0d2ccc648 100644
--- a//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md
+++ b//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md
@@ -5 +5 @@
-Agent Space management actionsInvestigation and execution actionsChat management actions:Topology and discovery actionsPrevention and recommendation actionsBacklog task management actionsKnowledge management actionsAWS Support integration actionsUsage and monitoring actionsAWS Managed policies for AWS DevOps Agent
+Agent Space management actionsInvestigation and execution actionsChat management actionsTopology and discovery actionsPrevention and recommendation actionsBacklog task management actionsKnowledge management actionsAWS Support integration actionsUsage and monitoring actionsCommon IAM policy examplesAWS Managed policies for AWS DevOps Agent
@@ -9 +9,3 @@ Agent Space management actionsInvestigation and execution actionsChat management
-AWS DevOps Agent uses service-specific IAM actions to control access to its features and capabilities. These actions determine what users can do within the AWS DevOps Agent console and Operator Web App. This is separate from the AWS service API permissions that the agent itself uses to investigate your resources. See Limiting Agent Access in an AWS Account[link] to learn more about managing the services and resources the agent itself has access to.
+AWS DevOps Agent uses service-specific AWS Identity and Access Management (IAM) actions to control access to its features and capabilities. These actions determine what users can do within the AWS DevOps Agent console and Operator Web App. This is separate from the AWS service API permissions that the agent itself uses to investigate your resources.
+
+For more information about limiting agent access, see [Limiting Agent Access in an AWS Account.](https://docs.aws.amazon.com/devopsagent/latest/userguide/aws-devops-agent-security-limiting-agent-access-in-an-aws-account.html)
@@ -30 +32 @@ These actions control access to incident investigation features:
-  * **aidevops:ListJournalRecords** – Allows users to access detailed logs that show the agent's reasoning steps, actions taken, and data sources consulted during an investigation, mitigation, evaluation and chat conversations. This is useful for understanding how the agent reached its conclusions.
+  * **aidevops:ListJournalRecords** – Allows users to access detailed logs that show the agent's reasoning steps, actions taken, and data sources consulted during an investigation, mitigation, evaluation, and chat conversation. This is useful for understanding how the agent reached its conclusions.
@@ -35 +37 @@ These actions control access to incident investigation features:
-## Chat management actions:
+## Chat management actions
@@ -39 +41 @@ Chat requires the following IAM permissions to function:
-  * **aidevops:ListChats** – Required to list and access chat conversation history.
+  * **aidevops:ListChats** – Allows users to list and access chat conversation history.
@@ -41 +43 @@ Chat requires the following IAM permissions to function:
-  * **aidevops:CreateChat** – Required to create new chat conversations.
+  * **aidevops:CreateChat** – Allows users to create new chat conversations.
@@ -43 +45 @@ Chat requires the following IAM permissions to function:
-  * **aidevops:StreamMessage** – Required to submit queries and receive streaming responses.
+  * **aidevops:StreamMessage** – Allows users to submit queries and receive streaming responses.
@@ -124 +126 @@ These actions control access to usage information:
-## AWS Managed policies for AWS DevOps Agent
+## Common IAM policy examples
@@ -126 +128 @@ These actions control access to usage information:
-AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the IAM User Guide.
+### Administrator policy
@@ -128,5 +130 @@ AWS addresses many common use cases by providing standalone IAM policies that ar
-The following AWS managed policies, which you can attach to users in your account, are specific to AWS DevOps Agent.
-
-### AWSServiceRoleForAIDevOpsPolicy
-
-This Service Linked Role provides AWS DevOps Agent ability to provide usage information.
+This policy grants full access to all AWS DevOps Agent features:
@@ -139 +136,0 @@ This Service Linked Role provides AWS DevOps Agent ability to provide usage info
-          "Sid" : "sid1",
@@ -141,11 +138,2 @@ This Service Linked Role provides AWS DevOps Agent ability to provide usage info
-          "Action" : [
-            "cloudwatch:PutMetricData"
-          ],
-          "Resource" : "*",
-          "Condition" : {
-            "StringEquals" : {
-              "cloudwatch:namespace" : [
-                "AWS/AIDevOps"
-              ]
-            }
-          }
+          "Action": "aidevops:*",
+          "Resource": "*"
@@ -156 +144 @@ This Service Linked Role provides AWS DevOps Agent ability to provide usage info
-### AIDevOpsAgentReadOnlyAccess
+### Operator policy
@@ -158 +146 @@ This Service Linked Role provides AWS DevOps Agent ability to provide usage info
-Provides read only access to Amazon DevOps Agent via the AWS Management Console
+This policy grants access to investigation and prevention features without administrative capabilities:
@@ -165 +152,0 @@ Provides read only access to Amazon DevOps Agent via the AWS Management Console
-          "Sid": "AIDevOpsAgentReadOnlyAccess",
@@ -168,3 +155,23 @@ Provides read only access to Amazon DevOps Agent via the AWS Management Console
-            "aidevops:Get*",
-            "aidevops:List*",
-            "aidevops:SearchServiceAccessibleResource"
+            "aidevops:GetAgentSpace",
+            "aidevops:InvokeAgent",
+            "aidevops:ListExecutions",
+            "aidevops:ListJournalRecords",
+            "aidevops:ListAssociations",
+            "aidevops:GetAssociation",
+            "aidevops:DiscoverTopology",
+            "aidevops:ListRecommendations",
+            "aidevops:GetRecommendation",
+            "aidevops:CreateBacklogTask",
+            "aidevops:UpdateBacklogTask",
+            "aidevops:GetBacklogTask",
+            "aidevops:ListBacklogTasks",
+            "aidevops:ListKnowledgeItems",
+            "aidevops:GetKnowledgeItem",
+            "aidevops:InitiateChatForCase",
+            "aidevops:EndChatForCase",
+            "aidevops:SendChatMessage",
+            "aidevops:ListGoals",
+            "aidevops:CreateKnowledgeItem",
+            "aidevops:UpdateKnowledgeItem",
+            "aidevops:DescribeSupportLevel",
+            "aidevops:ListPendingMessages"
@@ -177 +184 @@ Provides read only access to Amazon DevOps Agent via the AWS Management Console
-### AIDevOpsAgentOperatorPolicy
+### Read-only policy
@@ -179 +186 @@ Provides read only access to Amazon DevOps Agent via the AWS Management Console
-Provides access to investigation and prevention features without administrative capabilities
+This policy grants view-only access to investigations and recommendations:
@@ -186 +192,0 @@ Provides access to investigation and prevention features without administrative
-          "Sid": "AIDevOpsAgentSpaceOperator",
@@ -190,18 +196 @@ Provides access to investigation and prevention features without administrative
-            "aidevops:ListAgentSpaces"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsServiceOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:GetService",
-            "aidevops:ListServices",
-            "aidevops:SearchServiceAccessibleResource"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsAssociationOperator",
-          "Effect": "Allow",
-          "Action": [
+            "aidevops:ListAssociations",
@@ -209,72 +197,0 @@ Provides access to investigation and prevention features without administrative
-            "aidevops:ListAssociations"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsWebhookOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:ListWebhooks"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsOperatorAppOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:GetOperatorAppTeams",
-            "aidevops:CreateOneTimeLoginSession"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsKnowledgeOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:CreateKnowledgeItem",
-            "aidevops:GetKnowledgeItem",
-            "aidevops:ListKnowledgeItems",
-            "aidevops:UpdateKnowledgeItem",
-            "aidevops:DeleteKnowledgeItem"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsBacklogOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:CreateBacklogTask",
-            "aidevops:GetBacklogTask",
-            "aidevops:ListBacklogTasks",
-            "aidevops:UpdateBacklogTask",
-            "aidevops:ListGoals",
-            "aidevops:UpdateGoal"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsRecommendationOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:GetRecommendation",
-            "aidevops:ListRecommendations",
-            "aidevops:UpdateRecommendation"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsAgentChatOperator",
-          "Effect": "Allow",
-          "Action": [
-            "aidevops:CreateChat",
-            "aidevops:ListChats",
-            "aidevops:ListPendingMessages",
-            "aidevops:SendChatMessage",
-            "aidevops:StreamMessage"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsJournalOperator",
-          "Effect": "Allow",
-          "Action": [
@@ -282,26 +199,7 @@ Provides access to investigation and prevention features without administrative
-            "aidevops:ListJournalRecords"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "AIDevOpsTopologyOperator",
-          "Effect": "Allow",