AWS AI Ops Update: Adds support for cross account investigations for CloudWatch investigations AI Operations (AIOps).

AWS · AWS · commit ea005e96bad7 · 2025-06-24T18:13:47.000Z
diff --git a/.changes/next-release/feature-AWSAIOps-6e2cc2c.json b/.changes/next-release/feature-AWSAIOps-6e2cc2c.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS AI Ops",
+    "contributor": "",
+    "description": "Adds support for cross account investigations for CloudWatch investigations AI Operations (AIOps)."
+}
diff --git a/services/aiops/src/main/resources/codegen-resources/service-2.json b/services/aiops/src/main/resources/codegen-resources/service-2.json
@@ -32,7 +32,7 @@
         {"shape":"InternalServerException"},
         {"shape":"ConflictException"}
       ],
-      "documentation":"<p>Creates an <i>investigation group</i> in your account. Creating an investigation group is a one-time setup task for each Region in your account. It is a necessary task to be able to perform investigations.</p> <p>Settings in the investigation group help you centrally manage the common properties of your investigations, such as the following:</p> <ul> <li> <p>Who can access the investigations</p> </li> <li> <p>Whether investigation data is encrypted with a customer managed Key Management Service key.</p> </li> <li> <p>How long investigations and their data are retained by default.</p> </li> </ul> <p>Currently, you can have one investigation group in each Region in your account. Each investigation in a Region is a part of the investigation group in that Region</p> <p>To create an investigation group and set up Amazon Q Developer operational investigations, you must be signed in to an IAM principal that has the either the <code>AIOpsConsoleAdminPolicy</code> or the <code>AdministratorAccess</code> IAM policy attached, or to an account that has similar permissions.</p> <important> <p>You can configure CloudWatch alarms to start investigations and add events to investigations. If you create your investigation group with <code>CreateInvestigationGroup</code> and you want to enable alarms to do this, you must use <a href=\"https://docs.aws.amazon.com/operationalinvestigations/latest/AmazonQDeveloperOperationalInvestigationsAPIReference/API_PutInvestigationGroupPolicy.html\">PutInvestigationGroupPolicy</a> to create a resource policy that grants this permission to CloudWatch alarms. </p> <p>For more information about configuring CloudWatch alarms to work with Amazon Q Developer operational investigations, see </p> </important>",
+      "documentation":"<p>Creates an <i>investigation group</i> in your account. Creating an investigation group is a one-time setup task for each Region in your account. It is a necessary task to be able to perform investigations.</p> <p>Settings in the investigation group help you centrally manage the common properties of your investigations, such as the following:</p> <ul> <li> <p>Who can access the investigations</p> </li> <li> <p>Whether investigation data is encrypted with a customer managed Key Management Service key.</p> </li> <li> <p>How long investigations and their data are retained by default.</p> </li> </ul> <p>Currently, you can have one investigation group in each Region in your account. Each investigation in a Region is a part of the investigation group in that Region</p> <p>To create an investigation group and set up CloudWatch investigations, you must be signed in to an IAM principal that has the either the <code>AIOpsConsoleAdminPolicy</code> or the <code>AdministratorAccess</code> IAM policy attached, or to an account that has similar permissions.</p> <important> <p>You can configure CloudWatch alarms to start investigations and add events to investigations. If you create your investigation group with <code>CreateInvestigationGroup</code> and you want to enable alarms to do this, you must use <a href=\"https://docs.aws.amazon.com/operationalinvestigations/latest/AmazonQDeveloperOperationalInvestigationsAPIReference/API_PutInvestigationGroupPolicy.html\">PutInvestigationGroupPolicy</a> to create a resource policy that grants this permission to CloudWatch alarms. </p> <p>For more information about configuring CloudWatch alarms to work with CloudWatch investigations, see </p> </important>",
       "idempotent":true
     },
     "DeleteInvestigationGroup":{
@@ -154,7 +154,7 @@
         {"shape":"InternalServerException"},
         {"shape":"ConflictException"}
       ],
-      "documentation":"<p>Displays the tags associated with a Amazon Q Developer operational investigations resource. Currently, investigation groups support tagging.</p>"
+      "documentation":"<p>Displays the tags associated with a CloudWatch investigations resource. Currently, investigation groups support tagging.</p>"
     },
     "PutInvestigationGroupPolicy":{
       "name":"PutInvestigationGroupPolicy",
@@ -296,15 +296,15 @@
       "members":{
         "name":{
           "shape":"StringWithPatternAndLengthLimits",
-          "documentation":"<p>A name for the investigation group.</p>"
+          "documentation":"<p>Provides a name for the investigation group.</p>"
         },
         "roleArn":{
           "shape":"RoleArn",
-          "documentation":"<p>Specify the ARN of the IAM role that Amazon Q Developer operational investigations will use when it gathers investigation data. The permissions in this role determine which of your resources that Amazon Q Developer operational investigations will have access to during investigations.</p> <p>For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-Security-Data\">How to control what data Amazon Q has access to during investigations</a>.</p>"
+          "documentation":"<p>Specify the ARN of the IAM role that CloudWatch investigations will use when it gathers investigation data. The permissions in this role determine which of your resources that CloudWatch investigations will have access to during investigations.</p> <p>For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-Security-Data\">How to control what data Amazon Q has access to during investigations</a>.</p>"
         },
         "encryptionConfiguration":{
           "shape":"EncryptionConfiguration",
-          "documentation":"<p>Use this structure if you want to use a customer managed KMS key to encrypt your investigation data. If you omit this parameter, Amazon Q Developer operational investigations will use an Amazon Web Services key to encrypt the data. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS\">Encryption of investigation data</a>.</p>"
+          "documentation":"<p>Use this structure if you want to use a customer managed KMS key to encrypt your investigation data. If you omit this parameter, CloudWatch investigations will use an Amazon Web Services key to encrypt the data. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS\">Encryption of investigation data</a>.</p>"
         },
         "retentionInDays":{
           "shape":"Retention",
@@ -320,11 +320,15 @@
         },
         "chatbotNotificationChannel":{
           "shape":"ChatbotNotificationChannel",
-          "documentation":"<p>Use this structure to integrate Amazon Q Developer operational investigations with Amazon Q in chat applications. This structure is a string array. For the first string, specify the ARN of an Amazon SNS topic. For the array of strings, specify the ARNs of one or more Amazon Q in chat applications configurations that you want to associate with that topic. For more information about these configuration ARNs, see <a href=\"https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html\">Getting started with Amazon Q in chat applications</a> and <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies\">Resource type defined by Amazon Web Services Chatbot</a>.</p>"
+          "documentation":"<p>Use this structure to integrate CloudWatch investigations with Amazon Q in chat applications. This structure is a string array. For the first string, specify the ARN of an Amazon SNS topic. For the array of strings, specify the ARNs of one or more Amazon Q in chat applications configurations that you want to associate with that topic. For more information about these configuration ARNs, see <a href=\"https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html\">Getting started with Amazon Q in chat applications</a> and <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies\">Resource type defined by Amazon Web Services Chatbot</a>.</p>"
         },
         "isCloudTrailEventHistoryEnabled":{
           "shape":"Boolean",
-          "documentation":"<p>Specify <code>true</code> to enable Amazon Q Developer operational investigations to have access to change events that are recorded by CloudTrail. The default is <code>true</code>.</p>"
+          "documentation":"<p>Specify <code>true</code> to enable CloudWatch investigations to have access to change events that are recorded by CloudTrail. The default is <code>true</code>.</p>"
+        },
+        "crossAccountConfigurations":{
+          "shape":"CrossAccountConfigurations",
+          "documentation":"<p>Number of <code>sourceAccountId</code> values that have been configured for cross-account access.</p>"
         }
       }
     },
@@ -337,6 +341,22 @@
         }
       }
     },
+    "CrossAccountConfiguration":{
+      "type":"structure",
+      "members":{
+        "sourceRoleArn":{
+          "shape":"RoleArn",
+          "documentation":"<p>The ARN of an existing role which will be used to do investigations on your behalf. </p>"
+        }
+      },
+      "documentation":"<p>This structure contains information about the cross-account configuration in the account. </p>"
+    },
+    "CrossAccountConfigurations":{
+      "type":"list",
+      "member":{"shape":"CrossAccountConfiguration"},
+      "max":25,
+      "min":0
+    },
     "DeleteInvestigationGroupPolicyOutput":{
       "type":"structure",
       "members":{
@@ -485,7 +505,11 @@
         },
         "isCloudTrailEventHistoryEnabled":{
           "shape":"Boolean",
-          "documentation":"<p>Specifies whether Amazon Q Developer operational investigationshas access to change events that are recorded by CloudTrail.</p>"
+          "documentation":"<p>Specifies whether CloudWatch investigationshas access to change events that are recorded by CloudTrail.</p>"
+        },
+        "crossAccountConfigurations":{
+          "shape":"CrossAccountConfigurations",
+          "documentation":"<p>Lists the <code>AWSAccountId</code> of the accounts configured for cross-account access and the results of the last scan performed on each account.</p>"
         }
       }
     },
@@ -594,7 +618,7 @@
       "members":{
         "resourceArn":{
           "shape":"String",
-          "documentation":"<p>The ARN of the Amazon Q Developer operational investigations resource that you want to view tags for. You can use the <a href=\"https://docs.aws.amazon.com/operationalinvestigations/latest/AmazonQDeveloperOperationalInvestigationsAPIReference/API_ListInvestigationGroups.html\">ListInvestigationGroups</a> operation to find the ARNs of investigation groups.</p> <p>The ARN format for an investigation group is <code>arn:aws:aiops:<i>Region</i>:<i>account-id</i>:investigation-group:<i>investigation-group-id</i> </code>.</p>",
+          "documentation":"<p>The ARN of the CloudWatch investigations resource that you want to view tags for. You can use the <a href=\"https://docs.aws.amazon.com/operationalinvestigations/latest/AmazonQDeveloperOperationalInvestigationsAPIReference/API_ListInvestigationGroups.html\">ListInvestigationGroups</a> operation to find the ARNs of investigation groups.</p> <p>The ARN format for an investigation group is <code>arn:aws:aiops:<i>Region</i>:<i>account-id</i>:investigation-group:<i>investigation-group-id</i> </code>.</p>",
           "location":"uri",
           "locationName":"resourceArn"
         }
@@ -806,23 +830,27 @@
         },
         "roleArn":{
           "shape":"RoleArn",
-          "documentation":"<p>Specify this field if you want to change the IAM role that Amazon Q Developer operational investigations will use when it gathers investigation data. To do so, specify the ARN of the new role.</p> <p>The permissions in this role determine which of your resources that Amazon Q Developer operational investigations will have access to during investigations.</p> <p>For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-Security-Data\">EHow to control what data Amazon Q has access to during investigations</a>.</p>"
+          "documentation":"<p>Specify this field if you want to change the IAM role that CloudWatch investigations will use when it gathers investigation data. To do so, specify the ARN of the new role.</p> <p>The permissions in this role determine which of your resources that CloudWatch investigations will have access to during investigations.</p> <p>For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-Security-Data\">EHow to control what data Amazon Q has access to during investigations</a>.</p>"
         },
         "encryptionConfiguration":{
           "shape":"EncryptionConfiguration",
-          "documentation":"<p>Use this structure if you want to use a customer managed KMS key to encrypt your investigation data. If you omit this parameter, Amazon Q Developer operational investigations will use an Amazon Web Services key to encrypt the data. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS\">Encryption of investigation data</a>.</p>"
+          "documentation":"<p>Use this structure if you want to use a customer managed KMS key to encrypt your investigation data. If you omit this parameter, CloudWatch investigations will use an Amazon Web Services key to encrypt the data. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS\">Encryption of investigation data</a>.</p>"
         },
         "tagKeyBoundaries":{
           "shape":"TagKeyBoundaries",
           "documentation":"<p>Enter the existing custom tag keys for custom applications in your system. Resource tags help Amazon Q narrow the search space when it is unable to discover definite relationships between resources. For example, to discover that an Amazon ECS service depends on an Amazon RDS database, Amazon Q can discover this relationship using data sources such as X-Ray and CloudWatch Application Signals. However, if you haven't deployed these features, Amazon Q will attempt to identify possible relationships. Tag boundaries can be used to narrow the resources that will be discovered by Amazon Q in these cases.</p> <p>You don't need to enter tags created by myApplications or CloudFormation, because Amazon Q can automatically detect those tags.</p>"
         },
         "chatbotNotificationChannel":{
           "shape":"ChatbotNotificationChannel",
-          "documentation":"<p>Use this structure to integrate Amazon Q Developer operational investigations with Amazon Q in chat applications. This structure is a string array. For the first string, specify the ARN of an Amazon SNS topic. For the array of strings, specify the ARNs of one or more Amazon Q in chat applications configurations that you want to associate with that topic. For more information about these configuration ARNs, see <a href=\"https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html\">Getting started with Amazon Q in chat applications</a> and <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies\">Resource type defined by Amazon Web Services Chatbot</a>.</p>"
+          "documentation":"<p>Use this structure to integrate CloudWatch investigations with Amazon Q in chat applications. This structure is a string array. For the first string, specify the ARN of an Amazon SNS topic. For the array of strings, specify the ARNs of one or more Amazon Q in chat applications configurations that you want to associate with that topic. For more information about these configuration ARNs, see <a href=\"https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html\">Getting started with Amazon Q in chat applications</a> and <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies\">Resource type defined by Amazon Web Services Chatbot</a>.</p>"
         },
         "isCloudTrailEventHistoryEnabled":{
           "shape":"Boolean",
-          "documentation":"<p>Specify <code>true</code> to enable Amazon Q Developer operational investigations to have access to change events that are recorded by CloudTrail. The default is <code>true</code>.</p>"
+          "documentation":"<p>Specify <code>true</code> to enable CloudWatch investigations to have access to change events that are recorded by CloudTrail. The default is <code>true</code>.</p>"
+        },
+        "crossAccountConfigurations":{
+          "shape":"CrossAccountConfigurations",
+          "documentation":"<p>Used to configure cross-account access for an investigation group. It allows the investigation group to access resources in other accounts. </p>"
         }
       }
     },
@@ -839,5 +867,5 @@
       "exception":true
     }
   },
-  "documentation":"<p>The Amazon Q Developer operational investigations feature is a generative AI-powered assistant that can help you respond to incidents in your system. It uses generative AI to scan your system's telemetry and quickly surface suggestions that might be related to your issue. These suggestions include metrics, logs, deployment events, and root-cause hypotheses. </p> <p>You can use API actions to create, manage, and delete investigation groups and investigation group policies. To start and manage investigations, you must use the CloudWatch console.</p>"
+  "documentation":"<p>The CloudWatch investigations feature is a generative AI-powered assistant that can help you respond to incidents in your system. It uses generative AI to scan your system's telemetry and quickly surface suggestions that might be related to your issue. These suggestions include metrics, logs, deployment events, and root-cause hypotheses. </p> <p>You can use API actions to create, manage, and delete investigation groups and investigation group policies. To start and manage investigations, you must use the CloudWatch console.</p>"
 }
