AWS Security ChangesHomeSearch

AWS awssupport documentation change

Service: awssupport · 2026-06-19 · Documentation low

File: awssupport/latest/user/support-devops-agent-resources.md

Summary

Replaced ACCOUNT_ID placeholders with 'suffix' in IAM role/policy names and clarified naming conventions

Security assessment

Change clarifies naming patterns for automatically created IAM resources but maintains existing security controls (confused deputy protection via source conditions). No vulnerability addressed.

Diff

diff --git a/awssupport/latest/user/support-devops-agent-resources.md b/awssupport/latest/user/support-devops-agent-resources.md
index 38fb3a6e3..22186b7ca 100644
--- a//awssupport/latest/user/support-devops-agent-resources.md
+++ b//awssupport/latest/user/support-devops-agent-resources.md
@@ -9 +9 @@
-Activation from the Support Center Console creates the following resources in `us-east-1`. Replace `ACCOUNT_ID` with your 12-digit AWS account ID. The `WebappAdmin` role suffix is a 12-character identifier derived from the agent space.
+Activation from the Support Center Console creates the following resources in `us-east-1`. Replace `ACCOUNT_ID` with your 12-digit AWS account ID. The role suffix is a 12-character identifier derived from the agent space.
@@ -14 +14 @@ AWS DevOps Agent | Agent space | `DevOpsAgentSpace` | Not applicable | Container
-AWS Identity and Access Management (IAM) | Role | `DevOpsAgentRole-AgentSpace-`ACCOUNT_ID`` | Trusted by `aidevops.amazonaws.com` with `aws:SourceAccount` and `aws:SourceArn` conditions that scope the role to agent spaces in your own account (confused-deputy protection). | Grants the agent the read-only investigation permissions across AWS services that it needs to investigate resources in your account. Permissions come from the AWS-managed `AIDevOpsAgentAccessPolicy` attached at activation time. For the full list, see [`AIDevOpsAgentAccessPolicy`](https://docs.aws.amazon.com/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.html#AIDevOpsAgentAccessPolicy) in the _AWS DevOps Agent User Guide_. The customer-managed `AIDevOpsAllowAwsSupportActionsPolicy-`ACCOUNT_ID`` policy is also attached.  
+AWS Identity and Access Management (IAM) | Role | `DevOpsAgentRole-AgentSpace-`suffix`` | Trusted by `aidevops.amazonaws.com` with `aws:SourceAccount` and `aws:SourceArn` conditions that scope the role to agent spaces in your own account (confused-deputy protection). | Grants the agent the read-only investigation permissions across AWS services that it needs to investigate resources in your account. Permissions come from the AWS-managed `AIDevOpsAgentAccessPolicy` attached at activation time. For the full list, see [`AIDevOpsAgentAccessPolicy`](https://docs.aws.amazon.com/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.html#AIDevOpsAgentAccessPolicy) in the _AWS DevOps Agent User Guide_. The customer-managed `AIDevOpsAllowAwsSupportActionsPolicy-`suffix`` policy is also attached.  
@@ -16 +16 @@ AWS Identity and Access Management (IAM) | Role | `DevOpsAgentRole-WebappAdmin-`
-AWS Identity and Access Management (IAM) | Customer-managed policy | `AIDevOpsAllowAwsSupportActionsPolicy-`ACCOUNT_ID`` | Attached to the `DevOpsAgentRole-AgentSpace-`ACCOUNT_ID`` role. | Grants `iam:CreateServiceLinkedRole`, scoped to the AWS Resource Explorer service-linked role ARN (`arn:aws:iam::`ACCOUNT_ID`:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer`). This permission allows the agent to create the AWS Resource Explorer service-linked role on your behalf if it doesn't already exist, so the agent can use AWS Resource Explorer for topology discovery.  
+AWS Identity and Access Management (IAM) | Customer-managed policy | `AIDevOpsAllowAwsSupportActionsPolicy-`suffix`` | Attached to the `DevOpsAgentRole-AgentSpace-`suffix`` role. | Grants `iam:CreateServiceLinkedRole`, scoped to the AWS Resource Explorer service-linked role ARN (`arn:aws:iam::`ACCOUNT_ID`:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer`). This permission allows the agent to create the AWS Resource Explorer service-linked role on your behalf if it doesn't already exist, so the agent can use AWS Resource Explorer for topology discovery.