AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-05-25 · Documentation low

File: AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md

Summary

Updated service-linked role references to service role for cross-account cross-Region functionality. Changed role name from AWSServiceRoleForCloudWatchCrossAccount to ServiceRoleForCloudWatchCrossAccountV2.

Security assessment

Changes involve IAM role configuration which relates to access control security features. However, there's no evidence of a specific vulnerability being addressed. The update appears to be a routine enhancement of cross-account monitoring security documentation.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
index 151eca672..b0290274f 100644
--- a//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
+++ b//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
@@ -7 +7 @@
-Service-linked role permissions for CloudWatch alarms EC2 actionsService-linked role permissions for CloudWatch telemetry configService-linked role permissions for CloudWatch telemetry enablementService-linked role permissions for CloudWatch Application SignalsService-linked role permissions for CloudWatch alarms Systems Manager OpsCenter actionsService-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actionsService-linked role permissions for CloudWatch cross-account cross-RegionService-linked role permissions for CloudWatch database Performance InsightsService-linked role permissions for CloudWatch Logs centralizationCreating a service-linked role for CloudWatchEditing a service-linked role for CloudWatchDeleting a service-linked role for CloudWatchRole updates
+Service-linked role permissions for CloudWatch alarms EC2 actionsService-linked role permissions for CloudWatch telemetry configService-linked role permissions for CloudWatch telemetry enablementService-linked role permissions for CloudWatch Application SignalsService-linked role permissions for CloudWatch alarms Systems Manager OpsCenter actionsService-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actionsService role permissions for CloudWatch cross-account cross-RegionService-linked role permissions for CloudWatch database Performance InsightsService-linked role permissions for CloudWatch Logs centralizationCreating a service-linked role for CloudWatchEditing a service-linked role for CloudWatchDeleting a service-linked role for CloudWatchRole updates
@@ -44 +44 @@ The AWSServiceRoleForCloudWatchEvents service-linked role permissions policy all
-The **AWSServiceRoleForCloudWatchCrossAccount** service-linked role permissions policy allows CloudWatch to complete the following actions:
+The **ServiceRoleForCloudWatchCrossAccountV2** service role permissions policy allows CloudWatch to complete the following actions:
@@ -404 +404 @@ The **AWSServiceRoleForCloudWatchAlarms_ActionSSMIncidents** service-linked role
-## Service-linked role permissions for CloudWatch cross-account cross-Region
+## Service role permissions for CloudWatch cross-account cross-Region
@@ -406 +406 @@ The **AWSServiceRoleForCloudWatchAlarms_ActionSSMIncidents** service-linked role
-CloudWatch uses the service-linked role named **AWSServiceRoleForCloudWatchCrossAccount** – CloudWatch uses this role to access CloudWatch data in other AWS accounts that you specify. The SLR only provides the assume role permission to allow the CloudWatch service to assume the role in the sharing account. It is the sharing role that provides access to data. 
+CloudWatch uses the service role named **ServiceRoleForCloudWatchCrossAccountV2** – CloudWatch uses this role to access CloudWatch data in other AWS accounts that you specify. The SLR only provides the assume role permission to allow the CloudWatch service to assume the role in the sharing account. It is the sharing role that provides access to data. 
@@ -408 +408 @@ CloudWatch uses the service-linked role named **AWSServiceRoleForCloudWatchCross
-The **AWSServiceRoleForCloudWatchCrossAccount** service-linked role permissions policy allows CloudWatch to complete the following actions:
+The **ServiceRoleForCloudWatchCrossAccountV2** service role permissions policy allows CloudWatch to complete the following actions:
@@ -415 +415 @@ The **AWSServiceRoleForCloudWatchCrossAccount** service-linked role permissions
-The **AWSServiceRoleForCloudWatchCrossAccount** service-linked role trusts the CloudWatch service to assume the role.
+The **ServiceRoleForCloudWatchCrossAccountV2** service role trusts the CloudWatch service to assume the role.
@@ -482 +482 @@ The first time that you enable service and topology discovery, Application Signa
-When you first enable an account to be a monitoring account for cross-account cross-Region functionality, CloudWatch creates **AWSServiceRoleForCloudWatchCrossAccount** for you. 
+When you first enable an account to be a monitoring account for cross-account cross-Region functionality, CloudWatch creates **ServiceRoleForCloudWatchCrossAccountV2** for you. 
@@ -490 +490 @@ For more information, see [Creating a Service-Linked Role](https://docs.aws.amaz
-CloudWatch does not allow you to edit the **AWSServiceRoleForCloudWatchEvents** , **AWSServiceRoleForCloudWatchAlarms_ActionSSM** , **AWSServiceRoleForCloudWatchCrossAccount** , or **AWSServiceRoleForCloudWatchMetrics_DbPerfInsights** roles. After you create these roles, you cannot change their names because various entities might reference these roles. However, you can edit the description of these roles using IAM. 
+CloudWatch does not allow you to edit the **AWSServiceRoleForCloudWatchEvents** , **AWSServiceRoleForCloudWatchAlarms_ActionSSM** , **ServiceRoleForCloudWatchCrossAccountV2** , or **AWSServiceRoleForCloudWatchMetrics_DbPerfInsights** roles. After you create these roles, you cannot change their names because various entities might reference these roles. However, you can edit the description of these roles using IAM.