AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-07 · Documentation low

File: AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-JMX-metrics.md

Summary

Updated JMX metrics documentation with clarified instructions for EKS add-on usage, restructured configuration fields (common vs EC2-only), corrected Kafka metric types, added Apache Tomcat reference, and clarified security requirements for non-localhost endpoints.

Security assessment

The change clarifies that non-localhost endpoints require both password authentication and SSL, which is a security best practice but doesn't address a specific vulnerability. The 'insecure' flag documentation was updated but this is a configuration option rather than a vulnerability fix. No evidence of a specific security incident being addressed.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-JMX-metrics.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-JMX-metrics.md
index 127b14b88..b2cbe116e 100644
--- a//AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-JMX-metrics.md
+++ b//AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-JMX-metrics.md
@@ -41 +41 @@ Amazon EKS
-When using the CloudWatch Observability EKS add-on, you can manage how JMX metrics are enabled with annotations. For more information, see [Install the CloudWatch agent with the Amazon CloudWatch Observability EKS add-on or the Helm chart](./install-CloudWatch-Observability-EKS-addon.html). To enable JMX metrics collection from a workload, add the following annotations to the workload manifest file under the `PodTemplate` section:
+When using the CloudWatch Observability EKS add-on, add the following annotations to the workload manifest file under the `PodTemplate` section to enable JMX metrics collection:
@@ -60 +60,5 @@ When using the CloudWatch Observability EKS add-on, you can manage how JMX metri
-To start collecting JMX metrics, add a `jmx` section inside the `metrics_collected` section of the CloudWatch agent configuration file. The `jmx` section can contain the following fields.
+You must also configure a `jmx` section in the CloudWatch agent configuration as described below. For more information about providing a custom agent configuration with the EKS add-on, see [Use a custom CloudWatch agent configuration](./install-CloudWatch-Observability-EKS-addon.html#CloudWatch-Observability-EKS-addon-CustomAgentConfig).
+
+###### Fields common to Amazon EC2 and Amazon EKS
+
+To start collecting JMX metrics, add a `jmx` section inside the `metrics_collected` section of the CloudWatch agent configuration file. The `jmx` section must include at least one of the following target subsections.
@@ -90 +94 @@ This section can include the following fields:
-    * `measurement` – Specifies the array of Kafka broker metrics to be collected. For a list of the possible values to use here, see the **Metric** column in the second metrics table in Collect Kafka metrics.
+    * `measurement` – Specifies the array of Kafka consumer metrics to be collected. For a list of the possible values to use here, see the **Metric** column in the second metrics table in Collect Kafka metrics.
@@ -102 +106 @@ This section can include the following fields:
-    * `measurement` – Specifies the array of Kafka broker metrics to be collected. For a list of the possible values to use here, see the **Metric** column in the third metrics table in Collect Kafka metrics.
+    * `measurement` – Specifies the array of Kafka producer metrics to be collected. For a list of the possible values to use here, see the **Metric** column in the third metrics table in Collect Kafka metrics.
@@ -110 +114 @@ Within the entry for each individual metric, you can optionally specify one or b
-  * `tomcat` – Optional. Specifies that you want to retrieve Tomcat metrics from the instance. For more information, see Collect Tomcat metrics. 
+  * `tomcat` – Optional. Specifies that you want to retrieve Apache Tomcat metrics from the instance. For more information, see Collect Tomcat metrics. 
@@ -132 +136,3 @@ The `jmx` section can also include the optional `append_dimensions` field:
-###### The following fields are for Amazon EC2 only.
+###### Fields only on Amazon EC2
+
+The following fields apply only when running the CloudWatch agent on Amazon EC2 instances.
@@ -134 +140 @@ The `jmx` section can also include the optional `append_dimensions` field:
-  * `endpoint` – The address for the JMX client to connect to. The format is `ip:port`. If the endpoint is not the localhost, and password authentication and SSL must be enabled.
+  * `endpoint` – The address for the JMX client to connect to. The format is `ip:port`. If the endpoint is not localhost, both password authentication and SSL must be enabled.
@@ -165 +171 @@ If JMX was enabled with password authentication or SSL for remote access, you ca
-  * `insecure` Set to `true` to opt out of the validation required if the agent is configured for a non-localhost endpoint.
+  * `insecure` – Optional. Set to `true` to opt out of the validation required if the agent is configured for a non-localhost endpoint.
@@ -349 +355 @@ Dimension | Description
-You can use the CloudWatch agent to collect Apache Tomcat metrics. To set this up, add a `tomcat` section inside the `metrics_collected` section of the CloudWatch agent configuration file.
+You can use the CloudWatch agent to collect Apache Tomcat metrics. To set this up, add a `tomcat` section inside the `jmx` section of the CloudWatch agent configuration file.