AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-07-01 · Documentation low

File: AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md

Summary

Added 'S3 bucket server access logs' to the list of permissions granted by the service-linked role policy and updated service name references (e.g., AWS Security Hub, Amazon Bedrock)

Security assessment

The change adds documentation about S3 server access logging permissions, which is a security feature for auditing access to S3 buckets. However, there's no evidence this addresses a specific vulnerability.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md b/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
index ee48108db..0275cb1ed 100644
--- a//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
+++ b//AmazonCloudWatch/latest/monitoring/using-service-linked-roles.md
@@ -208 +208 @@ This policy grants permissions for:
-  * Basic telemetry operations including describing VPCs, flow logs, log groups. It also includes permissions to enable logging configuration for EKS cluster logging, WAF put logging configuration, enabling NLB logs, Route53 Resolver query logging, Amazon EC2 detailed monitoring, Security Hub, Bedrock Agentcore Gateway, Bedrock Agentcore Memory, CloudFront Distribution, MSK Cluster, OpenTelemetry Enrichment, and Bedrock Agentcore Workload Identity. 
+  * Basic telemetry operations including describing VPCs, flow logs, log groups. It also includes permissions to enable logging configuration for EKS cluster logging, WAF put logging configuration, enabling NLB logs, Route53 Resolver query logging, Amazon EC2 detailed monitoring, AWS Security Hub, Amazon Bedrock Agentcore Gateway, Amazon Bedrock Agentcore Memory, Amazon CloudFront distribution, S3 bucket server access logs, MSK Cluster, OpenTelemetry Enrichment, and Amazon Bedrock Agentcore Workload Identity.