AWS AmazonCloudWatch documentation change
Summary
Updated IAM role and user creation steps for CloudWatch agent, consolidated instructions, improved clarity, and fixed minor wording issues
Security assessment
The changes are primarily editorial improvements and step consolidation without introducing new security content or addressing vulnerabilities. No evidence of security fixes (CVEs, incident response) or new security features. The IAM policy remains CloudWatchAgentServerPolicy.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/prerequisites.md b/AmazonCloudWatch/latest/monitoring/prerequisites.md index 45c0eb561..fa2832be0 100644 --- a//AmazonCloudWatch/latest/monitoring/prerequisites.md +++ b//AmazonCloudWatch/latest/monitoring/prerequisites.md @@ -23 +23 @@ If you're going to run the CloudWatch agent on Amazon EC2 instances, create an I - 2. In the navigation pane, choose **Roles** and then **Create role**. + 2. In the navigation pane, choose **Roles**. @@ -25 +25 @@ If you're going to run the CloudWatch agent on Amazon EC2 instances, create an I - 3. Make sure that **AWS service** is selected under **Trusted entity type**. + 3. Choose **Create role**. @@ -27 +27 @@ If you're going to run the CloudWatch agent on Amazon EC2 instances, create an I - 4. For **Use case** , choose **EC2** under **Common use cases**. + 4. Under **Trusted entity type** , verify that **AWS service** is selected. For **Use case** , choose **EC2**. Choose **Next**. @@ -29 +29 @@ If you're going to run the CloudWatch agent on Amazon EC2 instances, create an I - 5. Choose **Next**. + 5. In the list of policies, select the check box next to **CloudWatchAgentServerPolicy**. If necessary, use the search box to find the policy. @@ -31 +31 @@ If you're going to run the CloudWatch agent on Amazon EC2 instances, create an I - 6. In the list of policies, select the check box next to **CloudWatchAgentServerPolicy**. If necessary, use the search box to find the policy. + 6. Choose **Next**. @@ -33,3 +33 @@ If you're going to run the CloudWatch agent on Amazon EC2 instances, create an I - 7. Choose **Next**. - - 8. In **Role name** , enter a name for the role, such as `CloudWatchAgentServerRole`. Optionally give it a description. Then choose **Create role**. + 7. For **Role name** , enter a name for the role, such as `CloudWatchAgentServerRole`. Choose **Create role**. @@ -54,7 +52 @@ This scenario requires IAM users with programmatic access and long-term credenti - 3. Enter the user name for the new user. - - 4. Select **Access key - Programmatic access** and choose **Next: Permissions**. - - 5. Choose **Attach existing policies directly**. - - 6. In the list of policies, select the check box next to **CloudWatchAgentServerPolicy**. If necessary, use the search box to find the policy. + 3. Enter the user name for the new user. Select **Access key - Programmatic access** and choose **Next: Permissions**. @@ -62 +54 @@ This scenario requires IAM users with programmatic access and long-term credenti - 7. Choose **Next: Tags**. + 4. Choose **Attach existing policies directly**. @@ -64 +56 @@ This scenario requires IAM users with programmatic access and long-term credenti - 8. Optionally create tags for the new IAM, and then choose **Next: Review**. + 5. In the list of policies, select the check box next to **CloudWatchAgentServerPolicy**. If necessary, use the search box to find the policy. Choose **Next: Tags**. @@ -66 +58 @@ This scenario requires IAM users with programmatic access and long-term credenti - 9. Confirm that the correct policy is listed, and choose **Create user**. + 6. (Optional) Create tags for the new IAM user. Choose **Next: Review**. Confirm that the correct policy is listed and choose **Create user**. @@ -68 +60 @@ This scenario requires IAM users with programmatic access and long-term credenti - 10. Next to the name of the new user, choose **Show**. Copy the access key and secret key to a file so that you can use them when installing the agent. Choose **Close**. + 7. Next to the name of the new user, choose **Show**. Copy the access key and secret key to a file so that you can use them when installing the agent. Choose **Close**. @@ -73 +65 @@ This scenario requires IAM users with programmatic access and long-term credenti -### Attaching an IAM role to an Amazon EC2 instance +### Attach an IAM role to an Amazon EC2 instance @@ -77 +69 @@ To enable the CloudWatch agent to send data from an Amazon EC2 instance, you mus -For more information on attaching an IAM role to an instance, see [Attaching an IAM Role to an Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/iam-roles-for-amazon-ec2.html#attach-iam-role) in the Amazon Elastic Compute Cloud User Guide. +For more information about attaching an IAM role to an instance, see [Attaching an IAM Role to an Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/iam-roles-for-amazon-ec2.html#attach-iam-role) in the Amazon Elastic Compute Cloud User Guide. @@ -83 +75 @@ You can configure the CloudWatch agent to set the retention policy for log group -###### To grant the CloudWatch agent's IAM role permission to set log retention policies +###### To grant log retention permissions to the agent's IAM role @@ -89 +81 @@ You can configure the CloudWatch agent to set the retention policy for log group - 3. In the search box, Type the beginning of the name of the CloudWatch agent's IAM role. You chose this name when you created the role. It might be named `CloudWatchAgentServerRole`. + 3. In the search box, enter the beginning of the name of the CloudWatch agent's IAM role. You chose this name when you created the role. It might be named `CloudWatchAgentServerRole`. @@ -122 +114 @@ JSON -###### To grant the CloudWatch agent's IAM user permission to set log retention policies +###### To grant log retention permissions to the agent's IAM user @@ -128 +120 @@ JSON - 3. In the search box, Type the beginning of the name of the CloudWatch agent's IAM user. You chose this name when you created the user. + 3. In the search box, enter the beginning of the name of the CloudWatch agent's IAM user. You chose this name when you created the user. @@ -165 +157 @@ JSON -When the server is in a public subnet make sure there is access to an internet gateway. When the server is in a private subnet, access is through the NAT gateways or VPC Endpoint. For more information on NAT gateways, see <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html>. +When the server is in a public subnet make sure there is access to an internet gateway. When the server is in a private subnet, access is through the NAT gateways or VPC Endpoint. For more information about NAT gateways, see <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html>.