AWS devopsagent documentation change
Summary
Added new IAM permissions (DescribeServices, ListServiceQuotas) and expanded Cost Explorer permissions in DevOps Agent policies.
Security assessment
Expands IAM permissions for operational functionality without evidence of security vulnerability remediation. Documents security controls through updated permission boundaries.
Diff
diff --git a/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md b/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md index 13b98f17f..d2a1bace9 100644 --- a//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md +++ b//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md @@ -416,0 +417 @@ Provides full access to Amazon DevOps Agent via the AWS Management Console + "aidevops:DescribeServices", @@ -490 +491,2 @@ Provides access to use the AWS DevOps operator web app for an Agent Space. - "aidevops:SendMessage" + "aidevops:SendMessage", + "aidevops:DescribeServices" @@ -516,0 +519 @@ Provides access to use the AWS DevOps operator web app for an Agent Space. + "support:DescribeServices", @@ -632,2 +635 @@ Provides permissions required by the AWS DevOps Agent to conduct investigations - "ce:GetAnomalyMonitors", - "ce:GetAnomalySubscriptions", + "ce:Get*", @@ -1249,0 +1252 @@ Provides permissions required by the AWS DevOps Agent to conduct investigations + "servicequotas:ListServiceQuotas",