AWS devopsagent documentation change
Summary
Added Amazon S3 as a built-in telemetry source, documenting required IAM permissions (s3:GetObject, s3:ListBucket) and emphasizing principle of least privilege for bucket access.
Security assessment
This change adds documentation for a new integration feature (Amazon S3) and includes security guidance about IAM permissions and least privilege. It does not address a specific security vulnerability but provides security-related documentation for configuring the integration securely.
Diff
diff --git a/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md b/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md index d372362dd..e279ed671 100644 --- a//devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md +++ b//devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-telemetry-sources-index.md @@ -37 +37 @@ To learn about 2-way integrations, see -Currently, AWS DevOps Agent supports AWS CloudWatch, Datadog, Grafana, New Relic, and Splunk users with built-in, 1 way integrations. +Currently, AWS DevOps Agent supports AWS CloudWatch, Amazon S3, Datadog, Grafana, New Relic, and Splunk users with built-in, 1 way integrations. @@ -50 +50,10 @@ The AWS CloudWatch built-in, 1-way integration requires no additional setup and -The Datadog, Grafana, New Relic, and Splunk built-in, 1 way integrations require setup and enable the following: +The Amazon S3 built-in, 1-way integration enables the following: + + * **Telemetry introspection** \- AWS DevOps Agent can read objects from Amazon S3 buckets as it investigates an issue. This is useful for accessing logs, configuration files, and other artifacts stored in S3. + + + + +To use the Amazon S3 integration, add the `s3:GetObject` and `s3:ListBucket` permissions to the DevOps Agent's IAM role. Following the principle of least privilege, scope these permissions to only the specific S3 buckets that the agent needs to access. For more information about configuring IAM permissions, see [DevOps Agent IAM permissions](./aws-devops-agent-security-devops-agent-iam-permissions.html). + +The Datadog, Grafana, New Relic, and Splunk built-in, 1-way integrations require setup and enable the following: