The AWS Management Console is throwing errors when Claud Watch is launched:
For some accounts, the search may redirect to URLs that are not covered in the default access list defined in the "AWS Management Console SSO" service in PAM. The PAM session logs should have a message if a service tries to access a URL that is not allowed. In this case, it involved URLs ending in aws.a2z.com, a valid AWS domain.
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
Adding *.aws.a2z.com to the access list in the PAM service "AWS Management Console SSO" resolved the problem. Review the PAM session logs for any other URLs whose access may be denied.
As of May 2021, the aws.a2z.com domain is scheduled to be added by default in future maintenance and main releases, starting with 3.4.4, 4.0.1 and 4.1. No other domain was identified that should be included by default at this time.