The AWS Management Console is throwing errors when Cloud Watch is launched:
For some accounts, the search may redirect to URLs that are not covered in the default access list defined in the "AWS Management Console SSO" service in PAM. The PAM session logs should have a message if a service tries to access a URL that is not allowed. In this case, it involved URLs ending in aws.a2z.com, a valid AWS domain.
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
Adding *.aws.a2z.com to the access list in the PAM service "AWS Management Console SSO" resolved the problem.
The aws.a2z.com domain is added by default on PAM 3.4.4, 4.0.1 and 4.1.