AWS systems-manager medium security documentation change
Summary
Updated CloudWatch alarm integration documentation and removed IAM permission requirement
Security assessment
Removes dependency on iam:createServiceLinkedRole permission while documenting security controls for automation cancellation
Diff
diff --git a/systems-manager/latest/userguide/running-automations-scale.md b/systems-manager/latest/userguide/running-automations-scale.md index e21f6d029..163f81b8d 100644 --- a//systems-manager/latest/userguide/running-automations-scale.md +++ b//systems-manager/latest/userguide/running-automations-scale.md @@ -79 +79 @@ In the **Concurrency** section, choose an option: - 11. (Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. To attach a CloudWatch alarm to your automation, the IAM principal that starts the automation must have permission for the `iam:createServiceLinkedRole` action. For more information about CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html). Note that if your alarm activates, the automation is stopped. If you use AWS CloudTrail, you will see the API call in your trail. + 11. (Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. If your alarm enters `ALARM` state, the automation is canceled and any defined `onCancel` steps run. If you use AWS CloudTrail, you will see the `StopAutomationExecution` API call in your trail. For more information, see [Configuring Automations to monitor CloudWatch Alarms](./automation-cw-alarm-monitoring.html).