AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2026-07-04 · Documentation medium

File: AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.md

Summary

Clarified service-linked role creation: Added details about role creation behavior when organization-level rules are created by management vs delegated administrator accounts

Security assessment

Change explains operational behavior of role propagation in Organizations. While service-linked roles relate to permissions, this update doesn't address vulnerabilities or add security features—it merely documents existing role creation logic.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.md b/AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.md
index 8bc1525a0..0ae8af726 100644
--- a//AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.md
+++ b//AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.md
@@ -30 +30,3 @@ Telemetry config remains active until you turn it off. For more information, see
-Before you can configure telemetry for your organization, you need to enable trusted access between AWS Organizations and CloudWatch. When you enable trusted access, CloudWatch creates a service-linked role named **AWSServiceRoleForObservabilityAdmin** to support resource and telemetry configuration discovery for the organization. The role is created in all member accounts of the organization.
+Before you can configure telemetry for your organization, you need to enable trusted access between AWS Organizations and CloudWatch. When you enable trusted access, CloudWatch creates a service-linked role named **AWSServiceRoleForObservabilityAdmin** to support resource and telemetry configuration discovery for the organization.
+
+When a management account creates an organization-level rule, the service-linked role is automatically created in all member accounts and the delegated administrator account in the organization. However, when a delegated administrator account creates an organization-level rule, the service-linked role is automatically created in all member accounts but is _not_ automatically created in the management account. If a delegated administrator account creates the organization-level rule, you must manually create the **AWSServiceRoleForObservabilityAdmin** service-linked role in the management account.