AWS Security ChangesHomeSearch

AWS grafana documentation change

Service: grafana · 2026-05-16 · Documentation low

File: grafana/latest/userguide/AMG-create-workspace.md

Summary

Added configuration options for dual-stack (IPv4+IPv6) addressing mode during workspace creation, including prerequisites and considerations. Updated step numbering throughout.

Security assessment

The change introduces new network security considerations including firewall configurations, IPv6 traffic allowances, CORS validation requirements, and VPC subnet requirements for dual-stack mode. While not fixing a specific vulnerability, it adds security documentation for proper IPv6 implementation.

Diff

diff --git a/grafana/latest/userguide/AMG-create-workspace.md b/grafana/latest/userguide/AMG-create-workspace.md
index af15ccf05..553c1830f 100644
--- a//grafana/latest/userguide/AMG-create-workspace.md
+++ b//grafana/latest/userguide/AMG-create-workspace.md
@@ -11 +11 @@ Creating a workspace
-A _workspace_ is a logical Grafana server. You can have as many as five workspaces in each Region in your account.
+A _workspace_ is a logical Grafana server. You can have as many as five workspaces in each AWS Region in your account.
@@ -74 +74 @@ If you are creating a workspace in a member account of an organization, to be ab
-  8. (Optional) You can choose to connect to an Amazon virtual private cloud (VPC) on this page, or you can connect to a VPC later. To learn more, see [Connect to data sources or notification channels in Amazon VPC from Amazon Managed Grafana](./AMG-configure-vpc.html).
+  8. (Optional) You can choose to connect to an Amazon Virtual Private Cloud (VPC) on this page, or you can connect to a VPC later. To learn more, see [Connect to data sources or notification channels in Amazon VPC from Amazon Managed Grafana](./AMG-configure-vpc.html).
@@ -90 +90 @@ For more information about network access control, see [Configure network access
-  11. (Optional) By default, Amazon Managed Grafana automatically provides you with encryption at rest and does this using AWS-owned encryption keys. But you have the option to use a customer managed key that you create, own, and manage as an alternative. For more information, see [Encryption at rest](./AMG-encryption-at-rest.html).
+  11. Choose the IP addressing mode for your workspace:
@@ -92 +92 @@ For more information about network access control, see [Configure network access
-  12. Choose **Next**.
+     * **IPv4 only** – Resources in your workspace use IPv4 addressing exclusively.
@@ -94 +94,29 @@ For more information about network access control, see [Configure network access
-  13. If you chose **Service managed** , choose **Current account** to have Amazon Managed Grafana automatically create policies and permissions that allow it to read AWS data only in the current account.
+     * **Dual-stack (IPv4 + IPv6)** – Resources use both IPv4 and IPv6 addressing. Choose this if you have workloads that require IPv6 connectivity.
+
+###### Note
+
+Dual-stack mode requires Grafana version 10 or later.
+
+###### Important
+
+Before enabling dual-stack mode, verify the following:
+
+       * The `sso.signin.aws` domain is allowed in your network firewall and identity provider configurations.
+
+       * Your network allows IPv6 traffic.
+
+       * Any prefix lists used for network access control include the appropriate IP ranges.
+
+       * If your identity provider uses CORS validation, the new domain is added to the CORS allowlist.
+
+       * If your workspace uses a VPC configuration, your subnets must have IPv6 CIDR blocks assigned.
+
+Workspaces using direct SAML authentication or AWS Identity and Access Management Identity Center's built-in directory are not affected by the sign-in URL change. For more information, see [Assertion Consumer Service (ACS) endpoints](https://docs.aws.amazon.com/singlesignon/latest/userguide/multi-region-workforce-access.html#acs-endpoints) in the _AWS Identity and Access Management Identity Center User Guide_.
+
+If you later switch from dual-stack back to IPv4 only, any clients or resources currently connecting over IPv6 will lose access to your workspace.
+
+  12. (Optional) By default, Amazon Managed Grafana automatically provides you with encryption at rest and does this using AWS-owned encryption keys. But you have the option to use a customer managed key that you create, own, and manage as an alternative. For more information, see [Encryption at rest](./AMG-encryption-at-rest.html).
+
+  13. Choose **Next**.
+
+  14. If you chose **Service managed** , choose **Current account** to have Amazon Managed Grafana automatically create policies and permissions that allow it to read AWS data only in the current account.
@@ -106 +134 @@ Creating resources such as Amazon Managed Grafana workspaces in the management a
-  14. Select the AWS data sources that you want to query in this workspace. Selecting data sources enables Amazon Managed Grafana to create IAM roles and permissions that allow Amazon Managed Grafana to read data from these sources. You must still add the data sources in the Grafana workspace console.
+  15. Select the AWS data sources that you want to query in this workspace. Selecting data sources enables Amazon Managed Grafana to create IAM roles and permissions that allow Amazon Managed Grafana to read data from these sources. You must still add the data sources in the Grafana workspace console.
@@ -108 +136 @@ Creating resources such as Amazon Managed Grafana workspaces in the management a
-  15. (Optional) If you want Grafana alerts from this workspace to be sent to an Amazon Simple Notification Service (Amazon SNS) notification channel, select **Amazon SNS**. This enables Amazon Managed Grafana to create an IAM policy to publish to the Amazon SNS topics in your account with `TopicName` values that start with `grafana`. This does not completely set up Amazon SNS as a notification channel for the workspace. You can do that within the Grafana console in the workspace.
+  16. (Optional) If you want Grafana alerts from this workspace to be sent to an Amazon Simple Notification Service (Amazon SNS) notification channel, select **Amazon SNS**. This enables Amazon Managed Grafana to create an IAM policy to publish to the Amazon SNS topics in your account with `TopicName` values that start with `grafana`. This does not completely set up Amazon SNS as a notification channel for the workspace. You can do that within the Grafana console in the workspace.
@@ -110 +138 @@ Creating resources such as Amazon Managed Grafana workspaces in the management a
-  16. Choose **Next**.
+  17. Choose **Next**.
@@ -112 +140 @@ Creating resources such as Amazon Managed Grafana workspaces in the management a
-  17. Confirm the workspace details, and choose **Create workspace**.
+  18. Confirm the workspace details, and choose **Create workspace**.
@@ -128 +156 @@ You might need to refresh your browser to see the current status.
-  18. If you are using IAM Identity Center, do the following:
+  19. If you are using IAM Identity Center, do the following:
@@ -140 +168 @@ Assign at least one user as `Admin` for each workspace, in order to sign in to t
-  19. If you are using SAML, do the following:
+  20. If you are using SAML, do the following:
@@ -178 +206 @@ If you choose **I want to opt-out of assigning admins to my workspace.** , you w
-  20. In the workspace details page, choose the URL displayed under **Grafana workspace URL**.
+  21. In the workspace details page, choose the URL displayed under **Grafana workspace URL**.
@@ -180 +208 @@ If you choose **I want to opt-out of assigning admins to my workspace.** , you w
-  21. Choosing the workspace URL takes you to the landing page for the Grafana workspace console. Do one of the following:
+  22. Choosing the workspace URL takes you to the landing page for the Grafana workspace console. Do one of the following: