Add metadata for CloudWatch PutMetricData permission

anajmi07 · athewsey · commit ac1c147bdb83 · 2025-11-05T14:40:23.000+08:00
diff --git a/infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf b/infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf
@@ -111,6 +111,9 @@ resource "aws_iam_policy" "monitoring_permissions" {
         ]
       },
       {
+        # WILDCARD JUSTIFICATION: CloudWatch PutMetricData requires Resource="*" 
+        # as per AWS documentation. Condition restricts to bedrock-agentcore namespace only.
+        # Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html
         Effect   = "Allow"
         Resource = "*"
         Action   = "cloudwatch:PutMetricData"

Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,9 @@ resource "aws_iam_policy" "monitoring_permissions" {`
`111`	`111`	`]`
`112`	`112`	`},`
`113`	`113`	`{`
	`114`	`+ # WILDCARD JUSTIFICATION: CloudWatch PutMetricData requires Resource="*"`
	`115`	`+ # as per AWS documentation. Condition restricts to bedrock-agentcore namespace only.`
	`116`	`+ # Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html`
`114`	`117`	`Effect = "Allow"`
`115`	`118`	`Resource = "*"`
`116`	`119`	`Action = "cloudwatch:PutMetricData"`