AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-07 · Documentation low

File: AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Credentials-Preference.md

Summary

Clarified credential lookup behavior including user context and environment variable resolution

Security assessment

The update documents credential resolution mechanisms which relates to access security, but only explains existing behavior without indicating a vulnerability fix. Added details about service account contexts help prevent misconfigurations.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Credentials-Preference.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Credentials-Preference.md
index de66fc3ca..3a21a4a80 100644
--- a//AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Credentials-Preference.md
+++ b//AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Credentials-Preference.md
@@ -27 +27,3 @@ On Linux, if you run the CloudWatch agent using the `amazon-cloudwatch-agent-ctl
-The CloudWatch agent looks for `.aws/credentials` in `$HOME` for Linux and MacOS and looks in `%USERPROFILE%` for Windows. Unlike the AWS SDK, the CloudWatch agent does not have fallback methods to determine the home directory if the environment variables are inaccessible. This difference in behavior is to maintain backwards compatibility with earlier implementations of the AWS SDK.
+The CloudWatch agent looks for `.aws/credentials` in `$HOME` on Linux and macOS and in `%USERPROFILE%` on Windows. These environment variables resolve to the home directory of the user the agent runs as: `root` on Linux and macOS (or the `run_as_user` if configured), and `LocalSystem` on Windows.
+
+Unlike the AWS SDK, the CloudWatch agent does not have fallback methods to determine the home directory if the environment variables are inaccessible. This difference in behavior is to maintain backwards compatibility with earlier implementations of the AWS SDK.