AWS AmazonCloudWatch documentation change
Summary
Updated permissions documentation to include cloudwatch:PutLogAlarm for log alarms and corrected a typo in cloudwatch:PutMetricAlarm permission reference.
Security assessment
The change clarifies required IAM permissions for tagging CloudWatch alarms, improving security documentation but not addressing a specific vulnerability. It enhances permission accuracy which helps prevent misconfiguration risks.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch_alarms_and_tagging.md b/AmazonCloudWatch/latest/monitoring/CloudWatch_alarms_and_tagging.md index 5f773fc09..a4c6db0ea 100644 --- a//AmazonCloudWatch/latest/monitoring/CloudWatch_alarms_and_tagging.md +++ b//AmazonCloudWatch/latest/monitoring/CloudWatch_alarms_and_tagging.md @@ -13 +13 @@ The following list explains some details about how tagging works with CloudWatch - * To be able to set or update tags for a CloudWatch resource, you must be signed on to an account that has the `cloudwatch:TagResource` permission. For example, to create an alarm and set tags for it, you must have the `cloudwatch:TagResource` permission in addition to the `the cloudwatch:PutMetricAlarm ` permission. We recommend that you make sure anyone in your organization who will create or update CloudWatch resources has the `cloudwatch:TagResource` permission. + * To be able to set or update tags for a CloudWatch resource, you must be signed on to an account that has the `cloudwatch:TagResource` permission. For example, to create an alarm and set tags for it, you must have the `cloudwatch:TagResource` permission in addition to the `cloudwatch:PutMetricAlarm` (or `cloudwatch:PutLogAlarm` for log alarms) permission. We recommend that you make sure anyone in your organization who will create or update CloudWatch resources has the `cloudwatch:TagResource` permission.