AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2026-07-10 · Security-related medium

File: systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md

Summary

Updated CloudWatch alarm integration documentation and removed IAM permission requirement

Security assessment

Removes dependency on iam:createServiceLinkedRole permission, reducing attack surface and documenting security-relevant automation cancellation behavior

Diff

diff --git a/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md b/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md
index dfee600cf..6bf84e467 100644
--- a//systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md
+++ b//systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md
@@ -229 +229 @@ You might not need to choose some of the options in the **Input parameters** sec
-  12. (Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. To attach a CloudWatch alarm to your automation, the IAM principal that starts the automation must have permission for the `iam:createServiceLinkedRole` action. For more information about CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html). Note that if your alarm activates, the automation is cancelled and any `OnCancel` steps you have defined run. If you use AWS CloudTrail, you will see the API call in your trail.
+  12. (Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. If your alarm enters `ALARM` state, the automation is canceled and any defined `onCancel` steps run. If you use AWS CloudTrail, you will see the `StopAutomationExecution` API call in your trail. For more information, see [Configuring Automations to monitor CloudWatch Alarms](./automation-cw-alarm-monitoring.html).