AWS AmazonCloudWatch documentation change
Summary
Updated service-linked role policy permissions to include new telemetry sources and added policy change log entry
Security assessment
Expands IAM permissions for new monitoring features but doesn't address security vulnerabilities or document security-specific capabilities.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md index ddd202730..151eca672 100644 --- a//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md +++ b//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md @@ -208 +208 @@ This policy grants permissions for: - * Basic telemetry operations including describing VPCs, flow logs, log groups. It also includes permissions to enable logging configuration for EKS cluster logging, WAF put logging configuration, enabling NLB logs, Route53 Resolver query logging, Amazon EC2 detailed monitoring, Security Hub, Bedrock Agentcore Gateway, Bedrock Agentcore Memory, and CloudFront Distribution. + * Basic telemetry operations including describing VPCs, flow logs, log groups. It also includes permissions to enable logging configuration for EKS cluster logging, WAF put logging configuration, enabling NLB logs, Route53 Resolver query logging, Amazon EC2 detailed monitoring, Security Hub, Bedrock Agentcore Gateway, Bedrock Agentcore Memory, CloudFront Distribution, MSK Cluster, OpenTelemetry Enrichment, and Bedrock Agentcore Workload Identity. @@ -634,0 +635 @@ Change | Description | Date +AWSObservabilityAdminTelemetryEnablementServiceRolePolicy – Update to service-linked role policy. | Updated information about the AWSObservabilityAdminTelemetryEnablementServiceRolePolicy that grants CloudWatch the permissions necessary to enable and manage telemetry configurations for the additional AWS resources based on telemetry rules. | April 30, 2026