AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2026-07-10 · Documentation low

File: systems-manager/latest/userguide/using-service-linked-roles.md

Summary

Added note about Automation no longer using service-linked roles for CloudWatch monitoring, requiring execution identity permissions

Security assessment

The update documents a security-conscious architecture change (moving from service-linked roles to execution identities) but doesn't indicate remediation of a specific security flaw. It provides guidance for secure configuration practices.

Diff

diff --git a/systems-manager/latest/userguide/using-service-linked-roles.md b/systems-manager/latest/userguide/using-service-linked-roles.md
index 4a9fb53ad..5ed1a4a2c 100644
--- a//systems-manager/latest/userguide/using-service-linked-roles.md
+++ b//systems-manager/latest/userguide/using-service-linked-roles.md
@@ -24,0 +25,4 @@ For information about other services that support service-linked roles, see [AWS
+###### Note
+
+Systems Manager Automation no longer uses the service-linked role for CloudWatch alarm monitoring. This operation now uses your runbook execution identity. Make sure your execution identity has the required permissions. For more information, see [Configuring Automations to monitor CloudWatch Alarms](./automation-cw-alarm-monitoring.html).
+