AWS AmazonCloudWatch medium security documentation change
Summary
Updated CloudWatchFullAccessV2 policy documentation to include new iam:PassRole permissions for PutLogAlarm API.
Security assessment
Adds IAM permissions documentation for alarm creation, directly relating to access control security. Explicitly mentions scoped permissions (scheduled-query resources and alarm resources) which impacts security configuration.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md b/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md index b2c88ba34..3d392c318 100644 --- a//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md +++ b//AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.md @@ -57,0 +58 @@ Change | Description | Date +CloudWatchFullAccessV2 – Updated policy | CloudWatch added permissions to **CloudWatchFullAccessV2**. Two `iam:PassRole` permissions were added to support the `PutLogAlarm` API: passing a Scheduled Query Execution Role to `logs.amazonaws.com` (scoped to scheduled-query resources), and passing a Log Lines Role to `cloudwatch.amazonaws.com` (scoped to alarm resources). | June 15, 2026