

# Data security and data protection in Network Flow Monitor
<a name="CloudWatch-NetworkFlowMonitor-security-nfw"></a>

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Web Services Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [Amazon Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Network Flow Monitor, see [Amazon Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Network Flow Monitor. The following topics show you how to configure Network Flow Monitor to meet your security and compliance objectives. You also learn how to use other Amazon services that help you to monitor and secure your Network Flow Monitor resources. 

**Topics**
+ [Data protection in Network Flow Monitor](data-protection-nfw.md)
+ [Infrastructure Security in Network Flow Monitor](infrastructure-security-nfw.md)
+ [Identity and Access Management for Network Flow Monitor](CloudWatch-NetworkFlowMonitor-security-iam.md)

# Data protection in Network Flow Monitor
<a name="data-protection-nfw"></a>

The Amazon [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Network Flow Monitor. As described in this model, Amazon is responsible for protecting the global infrastructure that runs all of the Amazon Web Services Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the Amazon Web Services services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://www.amazonaws.cn/compliance/data-privacy-faq/).

For data protection purposes, we recommend that you protect Amazon Web Services account credentials and set up individual users with Amazon IAM Identity Center or Amazon Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with Amazon resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with Amazon CloudTrail. For information about using CloudTrail trails to capture Amazon activities, see [Working with CloudTrail trails](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *Amazon CloudTrail User Guide*.
+ Use Amazon encryption solutions, along with all default security controls within Amazon Web Services services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://www.amazonaws.cn/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Network Flow Monitor or other Amazon Web Services services using the console, API, Amazon CLI, or Amazon SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

# Infrastructure Security in Network Flow Monitor
<a name="infrastructure-security-nfw"></a>

As a managed service, Network Flow Monitor is protected by the Amazon global network security procedures that are described in the [Amazon Web Services: Overview of Security Processes](https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf) whitepaper.

You use Amazon published API calls to access Network Flow Monitor through the network. Clients must support Transport Layer Security (TLS) 1.2 or later; TLS 1.3 is recommended. Clients must also support cipher suites with perfect forward secrecy (PFS), such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems, such as Java 7 and later, support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [Amazon Security Token Service](https://docs.amazonaws.cn/STS/latest/APIReference/Welcome.html) (Amazon STS) to generate temporary security credentials to sign requests.
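The requirements above (TLS 1.2 or later and PFS cipher suites) are easy to state and easy to violate silently from a client whose defaults are older. The following added example, written for this page and not part of the Network Flow Monitor documentation or the Amazon SDKs, builds a Python `ssl` client context that enforces both, checks the suites that context would offer without opening a socket, and classifies a negotiated version/cipher pair of the kind a handshake reports. The endpoint name is an assumption used only for illustration, and the handshake results it evaluates are constructed, not captured from a real endpoint.

```python
import ssl

# Assumed endpoint name for illustration only; use the endpoint the service
# publishes for your Region.
EXAMPLE_ENDPOINT = "networkflowmonitor.cn-north-1.amazonaws.com.cn"

# OpenSSL cipher string that admits only ephemeral (EC)DHE key exchange for
# TLS 1.2. TLS 1.3 suites are not selected by this string; they are always PFS.
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and non-PFS cipher suites."""
    ctx = ssl.create_default_context()  # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_ONLY_CIPHERS)
    return ctx


def is_pfs_suite(name: str, protocol: str) -> bool:
    """True when the suite uses ephemeral key exchange.

    Every TLS 1.3 suite is PFS by construction. For TLS 1.2 the OpenSSL suite
    name starts with the key-exchange algorithm, so ECDHE-* and DHE-* qualify
    and static-RSA suites such as AES256-GCM-SHA384 do not.
    """
    if protocol == "TLSv1.3":
        return True
    return name.startswith(("ECDHE-", "DHE-"))


def assess_handshake(version: str, cipher: str) -> list:
    """Return the reasons a negotiated (version, cipher) pair is unacceptable.

    The inputs are what ssl.SSLSocket.version() and .cipher()[0] report after
    a handshake; an empty list means the connection meets the requirements.
    """
    problems = []
    if version in ("SSLv3", "TLSv1", "TLSv1.1"):
        problems.append(f"{version} is below the required TLS 1.2")
    elif version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"unrecognised protocol version {version!r}")
    if not is_pfs_suite(cipher, version):
        problems.append(f"cipher suite {cipher} lacks forward secrecy")
    return problems


def context_meets_requirements(ctx: ssl.SSLContext) -> bool:
    """Check a context's minimum version and offered suites without a socket."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    return all(is_pfs_suite(c["name"], c["protocol"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = build_client_context()
    print("context meets requirements:", context_meets_requirements(ctx))
    # Constructed handshake results, not captured from a real endpoint.
    for v, c in [("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                 ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                 ("TLSv1.2", "AES256-GCM-SHA384"),
                 ("TLSv1", "AES256-SHA")]:
        print(v, c, assess_handshake(v, c) or "ok")
```

To use the context for a real request, pass it as the `ssl_context` (or equivalent) of your HTTP client when calling the endpoint; the offline check `context_meets_requirements` is useful in CI to catch a default context that has been loosened.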

# Identity and Access Management for Network Flow Monitor
<a name="CloudWatch-NetworkFlowMonitor-security-iam"></a>

Amazon Identity and Access Management (IAM) is an Amazon Web Services service that helps an administrator securely control access to Amazon resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Network Flow Monitor resources. IAM is an Amazon Web Services service that you can use with no additional charge.

**Topics**
+ [How Network Flow Monitor works with IAM](security_iam_service-with-iam-network-flow-monitor.md)
+ [Amazon managed policies](security-iam-awsmanpol-network-flow-monitor.md)
+ [Service-linked roles](using-service-linked-roles-network-flow-monitor.md)

# How Network Flow Monitor works with IAM
<a name="security_iam_service-with-iam-network-flow-monitor"></a>

Before you use IAM to manage access to Network Flow Monitor, learn what IAM features are available to use with Network Flow Monitor.

To see tables showing a similar high-level view of how Amazon services work with most IAM features, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.


**IAM features you can use with Network Flow Monitor**  

| IAM feature | Network Flow Monitor support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies-nfm)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies-nfm)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions-nfm)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources-nfm)  |   Yes  | 
|  [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys-nfm)  |   Yes  | 
|  [ACLs](#security_iam_service-with-iam-acls-nfm)  |   No   | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags-nfm)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds-nfm)  |   Yes  | 
|  [Principal permissions](#security_iam_service-with-iam-principal-permissions-nfm)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service-nfm)  |   No   | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked-nfm)  |   Yes  | 

## Identity-based policies for Network Flow Monitor
<a name="security_iam_service-with-iam-id-based-policies-nfm"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

## Resource-based policies within Network Flow Monitor
<a name="security_iam_service-with-iam-resource-based-policies-nfm"></a>

**Supports resource-based policies:** No 

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM role trust policies and Amazon S3 bucket policies. In services that support resource-based policies, service administrators can use them to control access to a specific resource.

## Policy actions for Network Flow Monitor
<a name="security_iam_service-with-iam-id-based-policies-actions-nfm"></a>

**Supports policy actions:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

To see a list of Network Flow Monitor actions, see [Actions defined by Network Flow Monitor](https://docs.amazonaws.cn/service-authorization/latest/reference/list_amazoncloudwatchnetworkflowmonitor.html#amazoncloudwatchnetworkflowmonitor-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in Network Flow Monitor use the following prefix before the action:

```
networkflowmonitor
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
      "networkflowmonitor:action1",
      "networkflowmonitor:action2"
         ]
```

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "networkflowmonitor:Describe*"
```

## Policy resources for Network Flow Monitor
<a name="security_iam_service-with-iam-id-based-policies-resources-nfm"></a>

**Supports policy resources:** Yes

In the *Service Authorization Reference*, you can see the following information related to Network Flow Monitor:
+ To see a list of Network Flow Monitor resource types and their ARNs, see [Resources defined by Network Flow Monitor](https://docs.amazonaws.cn/service-authorization/latest/reference/list_amazoncloudwatchnetworkflowmonitor.html#amazoncloudwatchnetworkflowmonitor-resources-for-iam-policies).
+ To learn the actions that you can specify with the ARN of each resource, see [Actions defined by Network Flow Monitor](https://docs.amazonaws.cn/service-authorization/latest/reference/list_amazoncloudwatchnetworkflowmonitor.html#amazoncloudwatchnetworkflowmonitor-actions-as-permissions).

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

## Policy condition keys for Network Flow Monitor
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys-nfm"></a>

**Supports service-specific policy condition keys:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all Amazon global condition keys, see [Amazon global condition context keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

To see a list of Network Flow Monitor condition keys, see [Condition keys for Network Flow Monitor](https://docs.amazonaws.cn/service-authorization/latest/reference/list_amazoncloudwatchnetworkflowmonitor.html#amazoncloudwatchnetworkflowmonitor-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by Network Flow Monitor](https://docs.amazonaws.cn/service-authorization/latest/reference/list_amazoncloudwatchnetworkflowmonitor.html#amazoncloudwatchnetworkflowmonitor-actions-as-permissions).

## ACLs in Network Flow Monitor
<a name="security_iam_service-with-iam-acls-nfm"></a>

**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## ABAC with Network Flow Monitor
<a name="security_iam_service-with-iam-tags-nfm"></a>

**Supports ABAC (tags in policies):** Yes

Network Flow Monitor has *partial* support for tags in policies: it supports tagging for one resource type, monitors.

To use tags with Network Flow Monitor, use the Amazon Command Line Interface or an Amazon SDK. Tagging for Network Flow Monitor is not supported with the Amazon Web Services Management Console.

To learn more about using tags in policies in general, review the following information.

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and Amazon resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.amazonaws.cn/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
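The sections on actions, resources, condition keys and ABAC above describe the building blocks separately. The following added example, written for this page and not taken from the Network Flow Monitor documentation, assembles them into one least-privilege identity-based policy for monitors and lints it for the over-broad patterns a reviewer looks for (non-service actions, and wildcard actions combined with `"Resource": "*"`). The partition, Region, account ID, monitor ARN layout and the action names `ListMonitors`, `GetMonitor` and `ListTagsForResource` are assumptions for illustration; confirm them against the Service Authorization Reference linked above before use.

```python
import json
import re

# Assumed values for illustration only.
PARTITION = "aws-cn"
REGION = "cn-north-1"
ACCOUNT = "123456789012"

SERVICE_PREFIX = "networkflowmonitor"
# service:Action, where Action may end in a wildcard (for example Describe*).
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def monitor_arn(name: str) -> str:
    """ARN layout assumed from the monitor resource type; verify in the reference."""
    return f"arn:{PARTITION}:{SERVICE_PREFIX}:{REGION}:{ACCOUNT}:monitor/{name}"


def read_only_monitor_policy(team_tag: str) -> dict:
    """Identity-based policy: list all monitors, read only those tagged team=<team_tag>.

    ListMonitors takes no monitor ARN, so it needs Resource "*"; the
    per-monitor reads are restricted with aws:ResourceTag (ABAC).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListAllMonitors",
                "Effect": "Allow",
                "Action": [f"{SERVICE_PREFIX}:ListMonitors"],
                "Resource": "*",
            },
            {
                "Sid": "ReadTaggedMonitors",
                "Effect": "Allow",
                "Action": [
                    f"{SERVICE_PREFIX}:GetMonitor",
                    f"{SERVICE_PREFIX}:ListTagsForResource",
                ],
                "Resource": monitor_arn("*"),
                "Condition": {
                    "StringEquals": {"aws:ResourceTag/team": team_tag},
                },
            },
        ],
    }


def lint_policy(policy: dict) -> list:
    """Flag statements broader than a Network Flow Monitor policy should be.

    Rule 1: every action is a well-formed networkflowmonitor: action.
    Rule 2: an Allow with a wildcard action must not also use Resource "*".
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for action in actions:
            if not ACTION_RE.match(action) or not action.startswith(f"{SERVICE_PREFIX}:"):
                findings.append(f"{sid}: action {action!r} is not a {SERVICE_PREFIX} action")
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.endswith("*") for a in actions) and "*" in resources:
            findings.append(f'{sid}: wildcard action combined with Resource "*"')
    return findings


if __name__ == "__main__":
    policy = read_only_monitor_policy("netops")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
    broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "Everything", "Effect": "Allow",
         "Action": f"{SERVICE_PREFIX}:*", "Resource": "*"}]}
    print("findings:", lint_policy(broad))
```

The lint deliberately treats `"Resource": "*"` on a non-wildcard action such as `ListMonitors` as acceptable, because list-type operations have no resource to scope to; it is the combination of wildcard action and wildcard resource that removes every boundary from the statement.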

## Using temporary credentials with Network Flow Monitor
<a name="security_iam_service-with-iam-roles-tempcreds-nfm"></a>

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to Amazon resources and are automatically created when you use federation or switch roles. Amazon recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp.html) and [Amazon Web Services services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Cross-service principal permissions for Network Flow Monitor
<a name="security_iam_service-with-iam-principal-permissions-nfm"></a>

**Supports forward access sessions (FAS):** Yes

Forward access sessions (FAS) use the permissions of the principal calling an Amazon Web Services service, combined with the requesting Amazon Web Services service, to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_forward_access_sessions.html).

## Service roles for Network Flow Monitor
<a name="security_iam_service-with-iam-roles-service-nfm"></a>

**Supports service roles:** No 

A service role is an [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an Amazon Web Services service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

## Service-linked role for Network Flow Monitor
<a name="security_iam_service-with-iam-roles-service-linked-nfm"></a>

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an Amazon Web Services service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your Amazon Web Services account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

For more information about the service-linked role for Network Flow Monitor, see [Service-linked roles for Network Flow Monitor](using-service-linked-roles-network-flow-monitor.md).

For details about creating or managing service-linked roles in general in Amazon, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.

# Amazon managed policies for Network Flow Monitor
<a name="security-iam-awsmanpol-network-flow-monitor"></a>

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## Amazon managed policy: CloudWatchNetworkFlowMonitorServiceRolePolicy
<a name="security-iam-awsmanpol-CloudWatchNetworkFlowMonitorServiceRolePolicy"></a>

You can't attach `CloudWatchNetworkFlowMonitorServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role named **AWSServiceRoleForNetworkFlowMonitor**, which publishes network telemetry aggregation results, collected by Network Flow Monitor agents, to CloudWatch. It also allows the service to use Amazon Organizations to get information for multi-account scenarios.

To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorServiceRolePolicy.html) in the *Amazon Managed Policy Reference*.

For more information, see [Service-linked roles for Network Flow Monitor](using-service-linked-roles-network-flow-monitor.md).

## Amazon managed policy: CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy
<a name="security-iam-awsmanpol-CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy"></a>

You can't attach `CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role named **AWSServiceRoleForNetworkFlowMonitor_Topology**. Using these permissions, together with internal metadata gathering for performance efficiency, the service-linked role collects metadata about the network configuration of the resources whose traffic Network Flow Monitor monitors, such as route tables and gateways. This metadata enables Network Flow Monitor to generate topology snapshots of those resources. When network performance degrades, Network Flow Monitor uses the topologies to locate where in the network the issue is and to help attribute it.

To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy.html) in the *Amazon Managed Policy Reference*.

For more information, see [Service-linked roles for Network Flow Monitor](using-service-linked-roles-network-flow-monitor.md).

## Amazon managed policy: CloudWatchNetworkFlowMonitorAgentPublishPolicy
<a name="security-iam-awsmanpol-CloudWatchNetworkFlowMonitorAgentPublishPolicy"></a>

You can use this policy in IAM roles that are attached to Amazon EC2 and Amazon EKS instance resources to send telemetry reports (metrics) to a Network Flow Monitor endpoint.

To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html) in the *Amazon Managed Policy Reference*.

## Updates to the Network Flow Monitor service-linked roles
<a name="security-iam-awsmanpol-network-flow-monitor-updates"></a>

For updates to the Amazon managed policies for the Network Flow Monitor service-linked roles, see the [Amazon managed policies updates table](managed-policies-cloudwatch.md#security-iam-awsmanpol-updates) for CloudWatch. You can also subscribe to automatic RSS alerts on the CloudWatch [Document history page](DocumentHistory.md).

# Service-linked roles for Network Flow Monitor
<a name="using-service-linked-roles-network-flow-monitor"></a>

Network Flow Monitor uses Amazon Identity and Access Management (IAM) [service-linked roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Network Flow Monitor. The service-linked role is predefined by Network Flow Monitor and includes all the permissions that the service requires to call other Amazon services on your behalf.

Network Flow Monitor defines the permissions of the service-linked roles, and unless defined otherwise, only Network Flow Monitor can assume the roles. The defined permissions include the trust policies and the permissions policies, and the permissions policies cannot be attached to any other IAM entity.

You can delete the roles only after first deleting their related resources. This restriction protects your Network Flow Monitor resources because you can't inadvertently remove permissions to access the resources.

For information about other services that support service-linked roles, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for Network Flow Monitor
<a name="service-linked-role-permissions-NetworkFlowMonitor"></a>

Network Flow Monitor uses the following service-linked roles: 
+ **AWSServiceRoleForNetworkFlowMonitor**
+ **AWSServiceRoleForNetworkFlowMonitor_Topology**

### Service-linked role permissions for AWSServiceRoleForNetworkFlowMonitor
<a name="service-linked-role-permissions-AWSServiceRoleForNetworkFlowMonitor"></a>

Network Flow Monitor uses the service-linked role named **AWSServiceRoleForNetworkFlowMonitor**. This role allows Network Flow Monitor to publish CloudWatch aggregated telemetry metrics gathered for network traffic between instances, and between instances and Amazon locations. It also allows the service to use Amazon Organizations to get information for multi-account scenarios.

This service-linked role uses the managed policy `CloudWatchNetworkFlowMonitorServiceRolePolicy`. 

To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorServiceRolePolicy.html) in the *Amazon Managed Policy Reference*.

The **AWSServiceRoleForNetworkFlowMonitor** service-linked role trusts the following service to assume the role:
+ `networkflowmonitor.amazonaws.com`

### Service-linked role permissions for AWSServiceRoleForNetworkFlowMonitor_Topology
<a name="service-linked-role-permissions-AWSServiceRoleForNetworkFlowMonitor_Topology"></a>

Network Flow Monitor uses the service-linked role named **AWSServiceRoleForNetworkFlowMonitor_Topology**. This role allows Network Flow Monitor to generate a topology snapshot of the resources that you use with Network Flow Monitor.

This service-linked role uses the managed policy `CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy`. 

To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy.html) in the *Amazon Managed Policy Reference*.

The **AWSServiceRoleForNetworkFlowMonitor_Topology** service-linked role trusts the following service to assume the role:
+ `topology.networkflowmonitor.amazonaws.com`

## Creating a service-linked role for Network Flow Monitor
<a name="create-service-linked-role-network-flow-monitor"></a>

You do not need to manually create the service-linked roles for Network Flow Monitor. The first time that you initialize Network Flow Monitor, Network Flow Monitor creates **AWSServiceRoleForNetworkFlowMonitor** and **AWSServiceRoleForNetworkFlowMonitor_Topology** for you.

For more information, see [Creating a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

## Editing a service-linked role for Network Flow Monitor
<a name="edit-service-linked-role-network-flow-monitor"></a>

After Network Flow Monitor creates a service-linked role in your account, you cannot change the name of the role because various entities might reference the role. You can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Network Flow Monitor
<a name="delete-service-linked-role-network-flow-monitor"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for the service-linked role before you can manually delete it.

**Note**  
If the Network Flow Monitor service is using the role when you try to delete it, then the deletion might fail. If that happens, wait for a few minutes and then try again.

**To manually delete the service-linked role using IAM**

Use the IAM console, the Amazon CLI, or the Amazon API to delete the **AWSServiceRoleForNetworkFlowMonitor** or the **AWSServiceRoleForNetworkFlowMonitor_Topology** service-linked role. For more information, see [Deleting a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
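Service-linked role deletion is asynchronous and, as the note above says, fails while the service still uses the role. The following added example, written for this page and not taken from the Network Flow Monitor documentation or the Amazon SDKs, drives the IAM `DeleteServiceLinkedRole` and `GetServiceLinkedRoleDeletionStatus` operations through an injected client, polls until the task settles, and on failure returns the resource ARNs that IAM reports as still using the role so they can be cleaned up before a retry. The `FakeIam` class and every response it returns are constructed so the code runs offline; in production, pass `boto3.client("iam")` instead.

```python
import time

ROLE_NAMES = (
    "AWSServiceRoleForNetworkFlowMonitor",
    "AWSServiceRoleForNetworkFlowMonitor_Topology",
)


def delete_service_linked_role(iam, role_name: str, attempts: int = 10,
                               delay_seconds: float = 1.0) -> dict:
    """Request deletion of a service-linked role and wait for the outcome.

    `iam` is any object exposing the boto3 IAM client's
    delete_service_linked_role and get_service_linked_role_deletion_status
    methods. The returned dict carries the final Status (SUCCEEDED, FAILED,
    or the last status seen if polling ran out) and, on FAILED, the ARNs from
    RoleUsageList that still depend on the role.
    """
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    status = "NOT_STARTED"
    reason = {}
    for _ in range(attempts):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        status = resp["Status"]
        if status in ("SUCCEEDED", "FAILED"):
            reason = resp.get("Reason", {})
            break
        time.sleep(delay_seconds)
    blocking = [arn
                for usage in reason.get("RoleUsageList", [])
                for arn in usage.get("Resources", [])]
    return {"role": role_name, "task_id": task_id, "status": status,
            "reason": reason.get("Reason", ""), "blocking_resources": blocking}


class FakeIam:
    """Constructed stand-in for the IAM client, not real service output.

    The first poll reports IN_PROGRESS (the "wait and try again" case from the
    note above); later polls report the scripted final status.
    """

    def __init__(self, final_status: str, blocking: tuple = ()):
        self.final_status = final_status
        self.blocking = list(blocking)
        self.polls = 0

    def delete_service_linked_role(self, RoleName: str) -> dict:
        return {"DeletionTaskId": f"task/{RoleName}/constructed-id"}

    def get_service_linked_role_deletion_status(self, DeletionTaskId: str) -> dict:
        self.polls += 1
        if self.polls == 1:
            return {"Status": "IN_PROGRESS"}
        if self.final_status == "SUCCEEDED":
            return {"Status": "SUCCEEDED"}
        return {"Status": "FAILED",
                "Reason": {"Reason": "Role is in use by resources",
                           "RoleUsageList": [{"Region": "cn-north-1",
                                              "Resources": self.blocking}]}}


if __name__ == "__main__":
    # Constructed monitor ARN; the layout is an assumption for illustration.
    in_use = "arn:aws-cn:networkflowmonitor:cn-north-1:123456789012:monitor/example"
    print(delete_service_linked_role(FakeIam("SUCCEEDED"), ROLE_NAMES[0], delay_seconds=0))
    print(delete_service_linked_role(FakeIam("FAILED", (in_use,)), ROLE_NAMES[1], delay_seconds=0))
```

The function never deletes anything on its own beyond the role: when `blocking_resources` is non-empty, the caller decides what to remove, which matches the page's point that the role cannot be deleted until its related resources are gone.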

## Updates to the Network Flow Monitor service-linked role
<a name="security-iam-awsmanpol-updates-network-flow-monitor"></a>

For updates to `CloudWatchNetworkFlowMonitorServiceRolePolicy` or `CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy`, the Amazon managed policies for the Network Flow Monitor service-linked roles, see [CloudWatch updates to Amazon managed policies](managed-policies-cloudwatch.md#security-iam-awsmanpol-updates). For automatic alerts about managed policy changes in CloudWatch, subscribe to the RSS feed on the CloudWatch [Document history](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/DocumentHistory.html) page.