AWS systems-manager medium security documentation change
Summary
Updated CloudWatch alarm integration documentation and removed IAM permission requirement
Security assessment
Removes dependency on iam:createServiceLinkedRole permission, reducing attack surface and documenting security-relevant automation cancellation behavior
Diff
diff --git a/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md b/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md index dfee600cf..6bf84e467 100644 --- a//systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md +++ b//systems-manager/latest/userguide/running-automations-multiple-accounts-regions.md @@ -229 +229 @@ You might not need to choose some of the options in the **Input parameters** sec - 12. (Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. To attach a CloudWatch alarm to your automation, the IAM principal that starts the automation must have permission for the `iam:createServiceLinkedRole` action. For more information about CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html). Note that if your alarm activates, the automation is cancelled and any `OnCancel` steps you have defined run. If you use AWS CloudTrail, you will see the API call in your trail. + 12. (Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. If your alarm enters `ALARM` state, the automation is canceled and any defined `onCancel` steps run. If you use AWS CloudTrail, you will see the `StopAutomationExecution` API call in your trail. For more information, see [Configuring Automations to monitor CloudWatch Alarms](./automation-cw-alarm-monitoring.html).