AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2026-06-10 · Security-related medium

File: AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md

Summary

Updated CloudWatchFullAccessV2 policy documentation to include new iam:PassRole permissions for PutLogAlarm API.

Security assessment

Adds IAM permissions documentation for alarm creation, directly relating to access control security. Explicitly mentions scoped permissions (scheduled-query resources and alarm resources) which impacts security configuration.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md b/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
index b2c88ba34..3d392c318 100644
--- a//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
+++ b//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md
@@ -57,0 +58 @@ Change | Description | Date
+CloudWatchFullAccessV2 – Updated policy |  CloudWatch added permissions to **CloudWatchFullAccessV2**. Two `iam:PassRole` permissions were added to support the `PutLogAlarm` API: passing a Scheduled Query Execution Role to `logs.amazonaws.com` (scoped to scheduled-query resources), and passing a Log Lines Role to `cloudwatch.amazonaws.com` (scoped to alarm resources). | June 15, 2026