AWS AmazonCloudWatch documentation change
Summary
Updated the service-linked role policy description to include permissions for enabling logging configuration for Security Hub, Bedrock Agentcore Gateway, Bedrock Agentcore Memory, and CloudFront Distribution. Also added a changelog entry for the policy update.
Security assessment
The change updates IAM policy documentation to include permissions for security-related services (like Security Hub). This is a routine update to reflect new features and does not indicate a security issue fix.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md index 9c86e11d6..76f5964df 100644 --- a//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md +++ b//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md @@ -206 +206 @@ This policy grants permissions for: - * Basic telemetry operations including describing VPCs, flow logs, log groups. It also includes permissions to enable logging configuration for EKS cluster logging, WAF put logging configuration, enabling NLB logs, Route53 Resolver query logging, and Amazon EC2 detailed monitoring. + * Basic telemetry operations including describing VPCs, flow logs, log groups. It also includes permissions to enable logging configuration for EKS cluster logging, WAF put logging configuration, enabling NLB logs, Route53 Resolver query logging, Amazon EC2 detailed monitoring, Security Hub, Bedrock Agentcore Gateway, Bedrock Agentcore Memory, and CloudFront Distribution. @@ -632,0 +633 @@ Change | Description | Date +AWSObservabilityAdminTelemetryEnablementServiceRolePolicy – Update to service-linked role policy. | Updated information about the AWSObservabilityAdminTelemetryEnablementServiceRolePolicy that grants CloudWatch the permissions necessary to enable and manage telemetry configurations for the additional AWS resources based on telemetry rules. | March 31, 2026