Using identity-based policies (IAM policies) for CloudWatch
This topic provides examples of identity-based policies that show how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on CloudWatch resources.
Important
We recommend that you first read the introductory topics that explain the basic concepts and options for managing access to CloudWatch resources. For more information, see Access control.
The sections of this topic cover the following:
The following is an example permissions policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"],
      "Resource": "*",
      "Condition": { "Bool": { "aws:SecureTransport": "true" } }
    }
  ]
}
```
This example policy has one statement that grants a group permission to perform two CloudWatch actions (cloudwatch:GetMetricData and cloudwatch:ListMetrics), but only if the group uses SSL for the request ("aws:SecureTransport":"true"). For more information about the elements in an IAM policy statement, see Specifying policy elements: Actions, effects, and principals and IAM policy elements reference in the IAM User Guide.
Permissions required to use the CloudWatch console
For a user to work with the CloudWatch console, that user must have a minimum set of permissions that allows the user to describe other Amazon resources in their account. The CloudWatch console requires permissions from the following services:
- Amazon EC2 Auto Scaling
- CloudTrail
- CloudWatch
- CloudWatch Events
- CloudWatch Logs
- Amazon EC2
- OpenSearch Service
- IAM
- Kinesis
- Lambda
- Amazon S3
- Amazon SNS
- Amazon SQS
- Amazon SWF
- X-Ray (if you are using the ServiceLens feature)
If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the CloudWatch console, also attach the CloudWatchReadOnlyAccess managed policy to the user, as described in Amazon managed (predefined) policies for CloudWatch.
You don't need to allow minimum console permissions for users who make calls only to the Amazon CLI or the CloudWatch API.
The full set of permissions required to work with the CloudWatch console is as follows:
application-autoscaling:DescribeScalingPolicies
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribePolicies
cloudtrail:DescribeTrails
cloudwatch:DeleteAlarms
cloudwatch:DescribeAlarmHistory
cloudwatch:DescribeAlarms
cloudwatch:GetMetricData
cloudwatch:GetMetricStatistics
cloudwatch:ListMetrics
cloudwatch:PutMetricAlarm
cloudwatch:PutMetricData
ec2:DescribeInstances
ec2:DescribeTags
ec2:DescribeVolumes
es:DescribeElasticsearchDomain
es:ListDomainNames
events:DeleteRule
events:DescribeRule
events:DisableRule
events:EnableRule
events:ListRules
events:PutRule
iam:AttachRolePolicy
iam:CreateRole
iam:GetPolicy
iam:GetPolicyVersion
iam:GetRole
iam:ListAttachedRolePolicies
iam:ListRoles
kinesis:DescribeStream
kinesis:ListStreams
lambda:AddPermission
lambda:CreateFunction
lambda:GetFunctionConfiguration
lambda:ListAliases
lambda:ListFunctions
lambda:ListVersionsByFunction
lambda:RemovePermission
logs:CancelExportTask
logs:CreateExportTask
logs:CreateLogGroup
logs:CreateLogStream
logs:DeleteLogGroup
logs:DeleteLogStream
logs:DeleteMetricFilter
logs:DeleteRetentionPolicy
logs:DeleteSubscriptionFilter
logs:DescribeExportTasks
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:DescribeMetricFilters
logs:DescribeQueries
logs:DescribeSubscriptionFilters
logs:FilterLogEvents
logs:GetLogGroupFields
logs:GetLogRecord
logs:GetLogEvents
logs:GetQueryResults
logs:PutMetricFilter
logs:PutRetentionPolicy
logs:PutSubscriptionFilter
logs:StartQuery
logs:StopQuery
logs:TestMetricFilter
s3:CreateBucket
s3:ListBucket
sns:CreateTopic
sns:GetTopicAttributes
sns:ListSubscriptions
sns:ListTopics
sns:SetTopicAttributes
sns:Subscribe
sns:Unsubscribe
sqs:GetQueueAttributes
sqs:GetQueueUrl
sqs:ListQueues
sqs:SetQueueAttributes
swf:CreateAction
swf:DescribeAction
swf:ListActionTemplates
swf:RegisterAction
swf:RegisterDomain
swf:UpdateAction
Additionally, to view the service map in ServiceLens, you need AWSXrayReadOnlyAccess.
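As an added example that is not part of the AWS documentation, the following Python reproduces IAM's wildcard matching of action names and reports which actions from the console list above a given policy does not grant. It embeds the first statement of the CloudWatchReadOnlyAccess policy shown on this page and a constructed subset of the console list, which makes visible that a read-only policy leaves the console's write actions (alarm creation and deletion) uncovered.

```python
"""Report which console-required CloudWatch actions a policy does not grant.

Added example; not part of the AWS documentation. IAM matches action names
case-insensitively and treats '*' and '?' as wildcards, which is what the
fnmatch-based helper below reproduces for Allow statements (Deny statements
and Condition elements are deliberately ignored here).
"""
import fnmatch
import json

# The first statement of the CloudWatchReadOnlyAccess managed policy as shown on this page.
READ_ONLY_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
  "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
  "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:Describe*",
  "logs:TestMetricFilter", "logs:FilterLogEvents", "sns:Get*", "sns:List*", "oam:ListSinks" ],
  "Resource": "*" } ] }
""")

# Constructed subset of the console permission list above (the full list is on this page).
CONSOLE_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups",
    "cloudwatch:DeleteAlarms",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:GetMetricData",
    "cloudwatch:PutMetricAlarm",
    "ec2:DescribeInstances",
    "logs:FilterLogEvents",
    "logs:StartQuery",
    "sns:ListTopics",
]


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style match: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allow_patterns(policy: dict) -> list:
    """Collect the Action patterns of every Allow statement (Action may be a string or a list)."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def missing_console_actions(policy: dict, required: list) -> list:
    """Return the required actions that no Allow pattern in the policy covers."""
    patterns = allow_patterns(policy)
    return [a for a in required if not any(action_matches(p, a) for p in patterns)]


if __name__ == "__main__":
    for action in missing_console_actions(READ_ONLY_POLICY, CONSOLE_ACTIONS):
        print("not granted by CloudWatchReadOnlyAccess:", action)
```

Run it against the full console list on this page and your own customer managed policy to see exactly which console features that policy will break.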
Amazon managed (predefined) policies for CloudWatch
Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant the permissions needed for common use cases so that you can avoid having to investigate which permissions are required. For more information, see Amazon managed policies in the IAM User Guide.
The following Amazon managed policies, which you can attach to users in your account, are specific to CloudWatch.
Note
You can review these permissions policies by signing in to the IAM console and searching for specific policies there.
You can also create your own custom IAM policies to allow permissions for CloudWatch actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.
Topics
- CloudWatchFullAccess
- CloudWatchReadOnlyAccess
- CloudWatchActionsEC2Access
- CloudWatchAutomaticDashboardsAccess
- CloudWatchAgentServerPolicy
- CloudWatchAgentAdminPolicy
- Amazon managed (predefined) policies for CloudWatch cross-account observability
- Amazon managed (predefined) policies for CloudWatch Synthetics
- Amazon managed (predefined) policies for Amazon CloudWatch RUM
- Amazon managed (predefined) policies for CloudWatch Evidently
- Amazon managed policy for Amazon Systems Manager Incident Manager
CloudWatchFullAccess
The CloudWatchFullAccess policy grants full access to all CloudWatch and CloudWatch Logs actions and resources.
It includes autoscaling:Describe* so that users with this policy can view the Auto Scaling actions associated with CloudWatch alarms. It includes sns:* so that users with this policy can retrieve and create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about the service-linked roles associated with CloudWatch. It includes the oam:ListSinks and oam:ListAttachedLinks permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.
It includes the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*", "cloudwatch:*", "logs:*", "sns:*",
        "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "oam:ListSinks"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
      "Condition": { "StringLike": { "iam:AWSServiceName": "events.amazonaws.com" } }
    },
    {
      "Effect": "Allow",
      "Action": ["oam:ListAttachedLinks"],
      "Resource": "arn:aws:oam:*:*:sink/*"
    }
  ]
}
```
CloudWatchReadOnlyAccess
The CloudWatchReadOnlyAccess policy grants read-only access to CloudWatch.
It includes some logs: permissions so that users with this policy can use the console to view CloudWatch Logs information and run CloudWatch Logs Insights queries. It includes autoscaling:Describe* so that users with this policy can view the Auto Scaling actions associated with CloudWatch alarms. It includes sns:Get* and sns:List* so that users with this policy can retrieve information about the Amazon SNS topics that receive CloudWatch alarm notifications. It includes the oam:ListSinks and oam:ListAttachedLinks permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.
The contents of the CloudWatchReadOnlyAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
        "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:Describe*",
        "logs:TestMetricFilter", "logs:FilterLogEvents", "sns:Get*", "sns:List*", "oam:ListSinks"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["oam:ListAttachedLinks"],
      "Resource": "arn:aws:oam:*:*:sink/*"
    }
  ]
}
```
CloudWatchActionsEC2Access
The CloudWatchActionsEC2Access policy grants read-only access to CloudWatch alarms and metrics and to Amazon EC2 metadata. It also grants access to the Stop, Terminate, and Reboot API actions for EC2 instances.
The contents of the CloudWatchActionsEC2Access policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*", "ec2:Describe*", "ec2:RebootInstances",
        "ec2:StopInstances", "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}
```
CloudWatchAutomaticDashboardsAccess
The CloudWatch-CrossAccountAccess managed policy is used by the CloudWatch-CrossAccountSharingRole IAM role. This role and policy enable users of cross-account dashboards to view automatic dashboards in each of the accounts that share dashboards.
The contents of the CloudWatchAutomaticDashboardsAccess policy are as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups", "cloudfront:GetDistribution", "cloudfront:ListDistributions",
        "dynamodb:DescribeTable", "dynamodb:ListTables", "ec2:DescribeInstances", "ec2:DescribeVolumes",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:ListClusters",
        "ecs:ListContainerInstances", "ecs:ListServices", "elasticache:DescribeCacheClusters",
        "elasticbeanstalk:DescribeEnvironments", "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeLoadBalancers", "kinesis:DescribeStream", "kinesis:ListStreams",
        "lambda:GetFunction", "lambda:ListFunctions", "rds:DescribeDBClusters", "rds:DescribeDBInstances",
        "resource-groups:ListGroupResources", "resource-groups:ListGroups", "route53:GetHealthCheck",
        "route53:ListHealthChecks", "s3:ListAllMyBuckets", "s3:ListBucket", "sns:ListTopics",
        "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues",
        "synthetics:DescribeCanariesLastRun", "tag:GetResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": ["apigateway:GET"],
      "Effect": "Allow",
      "Resource": ["arn:aws:apigateway:*::/restapis*"]
    }
  ]
}
```
CloudWatchAgentServerPolicy
The CloudWatchAgentServerPolicy policy can be used in an IAM role attached to an Amazon EC2 instance to allow the CloudWatch agent to read information from the instance and write it to CloudWatch.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData", "ec2:DescribeVolumes", "ec2:DescribeTags",
        "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups",
        "logs:CreateLogStream", "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter"],
      "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
    }
  ]
}
```
CloudWatchAgentAdminPolicy
The CloudWatchAgentAdminPolicy policy can be used in an IAM role attached to an Amazon EC2 instance. This policy allows the CloudWatch agent to read information from the instance and write it to CloudWatch, and also to write information to Parameter Store.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData", "ec2:DescribeTags", "logs:PutLogEvents",
        "logs:DescribeLogStreams", "logs:DescribeLogGroups",
        "logs:CreateLogStream", "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:PutParameter"],
      "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
    }
  ]
}
```
Amazon managed (predefined) policies for CloudWatch cross-account observability
The policies in this section grant permissions related to CloudWatch cross-account observability. For more information, see CloudWatch cross-account observability.
CloudWatchCrossAccountSharingConfiguration
The CloudWatchCrossAccountSharingConfiguration policy grants access to create, manage, and view Observability Access Manager links for sharing CloudWatch resources between accounts. For more information, see CloudWatch cross-account observability. The contents are as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cloudwatch:Link", "oam:ListLinks"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["oam:DeleteLink", "oam:GetLink", "oam:TagResource"],
      "Resource": "arn:aws:oam:*:*:link/*"
    },
    {
      "Effect": "Allow",
      "Action": ["oam:CreateLink", "oam:UpdateLink"],
      "Resource": ["arn:aws:oam:*:*:link/*", "arn:aws:oam:*:*:sink/*"]
    }
  ]
}
```
OAMFullAccess
The OAMFullAccess policy grants access to create, manage, and view Observability Access Manager sinks and links, which are used for CloudWatch cross-account observability.
OAMFullAccess by itself does not allow you to share observability data across links. To create a link that shares CloudWatch metrics, you also need CloudWatchFullAccess or CloudWatchCrossAccountSharingConfiguration. To create a link that shares CloudWatch Logs log groups, you also need CloudWatchLogsFullAccess or CloudWatchLogsCrossAccountSharingConfiguration. To create a link that shares X-Ray traces, you also need AWSXRayFullAccess or AWSXRayCrossAccountSharingConfiguration.
For more information, see CloudWatch cross-account observability. The contents are as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oam:*"],
      "Resource": "*"
    }
  ]
}
```
OAMReadOnlyAccess
The OAMReadOnlyAccess policy grants read-only access to Observability Access Manager resources, which are used for CloudWatch cross-account observability. For more information, see CloudWatch cross-account observability. The contents are as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oam:Get*", "oam:List*"],
      "Resource": "*"
    }
  ]
}
```
Amazon managed (predefined) policies for CloudWatch Synthetics
The CloudWatchSyntheticsFullAccess and CloudWatchSyntheticsReadOnlyAccess Amazon managed policies are available for you to assign to users who will manage or use CloudWatch Synthetics. The following additional policies are also relevant:
- AmazonS3ReadOnlyAccess and CloudWatchReadOnlyAccess – These are necessary to read all Synthetics data in the CloudWatch console.
- AWSLambdaReadOnlyAccess – To view the source code used by canaries.
CloudWatchSyntheticsFullAccess enables you to create canaries. Additionally, to create and delete canaries that will have a new IAM role created for them, you also need the following inline policy statement:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy",
        "iam:DeletePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
        "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*"
      ]
    }
  ]
}
```
Important
Granting a user the iam:CreateRole, iam:DeleteRole, iam:CreatePolicy, iam:DeletePolicy, iam:AttachRolePolicy, and iam:DetachRolePolicy permissions gives that user full administrative access to create, attach, and delete roles and policies whose ARNs match arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole* and arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*. For example, a user with these permissions can create a policy that has full permissions on all resources and attach that policy to any role that matches the ARN pattern. Be careful about whom you grant these permissions to. For information about attaching policies and granting permissions to users, see Changing permissions for an IAM user and Embedding an inline policy for a user or role.
CloudWatchSyntheticsFullAccess
The contents of the CloudWatchSyntheticsFullAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["synthetics:*"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["s3:CreateBucket", "s3:PutEncryptionConfiguration"],
      "Resource": ["arn:aws:s3:::cw-syn-results-*"] },
    { "Effect": "Allow",
      "Action": ["iam:ListRoles", "s3:ListAllMyBuckets", "xray:GetTraceSummaries", "xray:BatchGetTraces", "apigateway:GET"],
      "Resource": "*" },
    { "Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::cw-syn-*" },
    { "Effect": "Allow", "Action": ["s3:GetObjectVersion"], "Resource": "arn:aws:s3:::aws-synthetics-library-*" },
    { "Effect": "Allow", "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"],
      "Condition": { "StringEquals": { "iam:PassedToService": ["lambda.amazonaws.com", "synthetics.amazonaws.com"] } } },
    { "Effect": "Allow", "Action": ["iam:GetRole", "iam:ListAttachedRolePolicies"],
      "Resource": ["arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"] },
    { "Effect": "Allow", "Action": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"],
      "Resource": ["arn:aws:cloudwatch:*:*:alarm:Synthetics-*"] },
    { "Effect": "Allow", "Action": ["cloudwatch:DescribeAlarms"], "Resource": ["arn:aws:cloudwatch:*:*:alarm:*"] },
    { "Effect": "Allow",
      "Action": ["lambda:CreateFunction", "lambda:AddPermission", "lambda:PublishVersion", "lambda:UpdateFunctionCode",
                 "lambda:UpdateFunctionConfiguration", "lambda:GetFunctionConfiguration", "lambda:DeleteFunction"],
      "Resource": ["arn:aws:lambda:*:*:function:cwsyn-*"] },
    { "Effect": "Allow", "Action": ["lambda:GetLayerVersion", "lambda:PublishLayerVersion", "lambda:DeleteLayerVersion"],
      "Resource": ["arn:aws:lambda:*:*:layer:cwsyn-*", "arn:aws:lambda:*:*:layer:Synthetics:*"] },
    { "Effect": "Allow", "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"], "Resource": ["*"] },
    { "Effect": "Allow", "Action": ["sns:ListTopics"], "Resource": ["*"] },
    { "Effect": "Allow", "Action": ["sns:CreateTopic", "sns:Subscribe", "sns:ListSubscriptionsByTopic"],
      "Resource": ["arn:*:sns:*:*:Synthetics-*"] },
    { "Effect": "Allow", "Action": ["kms:ListAliases"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["kms:DescribeKey"], "Resource": "arn:aws:kms:*:*:key/*" },
    { "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": { "StringLike": { "kms:ViaService": ["s3.*.amazonaws.com"] } } }
  ]
}
```
CloudWatchSyntheticsReadOnlyAccess
The contents of the CloudWatchSyntheticsReadOnlyAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "synthetics:Describe*", "synthetics:Get*", "synthetics:List*",
        "lambda:GetFunctionConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
```
Amazon managed (predefined) policies for Amazon CloudWatch RUM
You can assign the AmazonCloudWatchRUMFullAccess and AmazonCloudWatchRUMReadOnlyAccess Amazon managed policies to users who will manage or use CloudWatch RUM.
AmazonCloudWatchRUMFullAccess
The contents of the AmazonCloudWatchRUMFullAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["rum:*"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["iam:GetRole", "iam:CreateServiceLinkedRole"],
      "Resource": ["arn:aws:iam::*:role/aws-service-role/rum.amazonaws.com/AWSServiceRoleForRealUserMonitoring"] },
    { "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["arn:aws:iam::*:role/RUM-Monitor*"],
      "Condition": { "StringEquals": { "iam:PassedToService": ["cognito-identity.amazonaws.com"] } } },
    { "Effect": "Allow", "Action": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
      "Resource": "*" },
    { "Effect": "Allow", "Action": ["cloudwatch:DescribeAlarms"], "Resource": "arn:aws:cloudwatch:*:*:alarm:*" },
    { "Effect": "Allow",
      "Action": ["cognito-identity:CreateIdentityPool", "cognito-identity:ListIdentityPools",
                 "cognito-identity:DescribeIdentityPool", "cognito-identity:GetIdentityPoolRoles",
                 "cognito-identity:SetIdentityPoolRoles"],
      "Resource": "arn:aws:cognito-identity:*:*:identitypool/*" },
    { "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:CreateLogStream"],
      "Resource": "arn:aws:logs:*:*:log-group:*RUMService*" },
    { "Effect": "Allow",
      "Action": ["logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery",
                 "logs:ListLogDeliveries", "logs:DescribeResourcePolicies"],
      "Resource": "*" },
    { "Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": "arn:aws:logs:*:*:log-group::log-stream:*" },
    { "Effect": "Allow", "Action": ["synthetics:describeCanaries", "synthetics:describeCanariesLastRun"],
      "Resource": "arn:aws:synthetics:*:*:canary:*" }
  ]
}
```
AmazonCloudWatchRUMReadOnlyAccess
The contents of the AmazonCloudWatchRUMReadOnlyAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors",
        "rum:ListRumMetricsDestinations", "rum:BatchGetRumMetricDefinitions"
      ],
      "Resource": "*"
    }
  ]
}
```
AmazonCloudWatchRUMServiceRolePolicy
You can't attach AmazonCloudWatchRUMServiceRolePolicy to IAM entities. This policy is attached to a service-linked role that allows CloudWatch RUM to publish monitoring data to other relevant Amazon services. For more information about this service-linked role, see Using service-linked roles for CloudWatch RUM.
The full contents of AmazonCloudWatchRUMServiceRolePolicy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["xray:PutTraceSegments"], "Resource": ["*"] },
    { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*",
      "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/RUM" } } }
  ]
}
```
Amazon managed (predefined) policies for CloudWatch Evidently
You can assign the CloudWatchSyntheticsFullAccess and CloudWatchSyntheticsReadOnlyAccess Amazon managed policies to users who will manage or use CloudWatch Evidently.
CloudWatchEvidentlyFullAccess
The contents of the CloudWatchEvidentlyFullAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["evidently:*"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["iam:GetRole"],
      "Resource": ["arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*"] },
    { "Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow",
      "Action": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:DescribeAlarmHistory",
                 "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:ListTagsForResource"],
      "Resource": "*" },
    { "Effect": "Allow", "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:TagResource", "cloudwatch:UnTagResource"],
      "Resource": ["arn:aws:cloudwatch:*:*:alarm:*"] },
    { "Effect": "Allow", "Action": ["cloudtrail:LookupEvents"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["cloudwatch:PutMetricAlarm"],
      "Resource": ["arn:aws:cloudwatch:*:*:alarm:Evidently-Alarm-*"] },
    { "Effect": "Allow", "Action": ["sns:ListTopics"], "Resource": ["*"] },
    { "Effect": "Allow", "Action": ["sns:CreateTopic", "sns:Subscribe", "sns:ListSubscriptionsByTopic"],
      "Resource": ["arn:*:sns:*:*:Evidently-*"] },
    { "Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": ["*"] }
  ]
}
```
CloudWatchEvidentlyReadOnlyAccess
The contents of the CloudWatchEvidentlyReadOnlyAccess policy are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "evidently:GetExperiment", "evidently:GetFeature", "evidently:GetLaunch",
        "evidently:GetProject", "evidently:GetSegment", "evidently:ListExperiments",
        "evidently:ListFeatures", "evidently:ListLaunches", "evidently:ListProjects",
        "evidently:ListSegments", "evidently:ListSegmentReferencs"
      ],
      "Resource": "*"
    }
  ]
}
```
Amazon managed policy for Amazon Systems Manager Incident Manager
The AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy policy is attached to a service-linked role that allows CloudWatch to start incidents in Amazon Systems Manager Incident Manager on your behalf. For more information, see Service-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actions.
The policy has the following permission:
ssm-incidents:StartIncident
Customer managed policy examples
The user policy examples in this section show how to grant permissions for individual CloudWatch actions. You can use these policies when you are using the CloudWatch API, Amazon SDKs, or the Amazon CLI.
Example 1: Allow a user full access to CloudWatch
To grant a user full access to CloudWatch, you can grant the user the CloudWatchFullAccess managed policy instead of creating a customer managed policy. The contents of the CloudWatchFullAccess policy are listed under CloudWatchFullAccess.
Example 2: Allow read-only access to CloudWatch
The following policy allows a user read-only access to CloudWatch and to view Amazon EC2 Auto Scaling actions, CloudWatch metrics, CloudWatch Logs data, and alarm-related Amazon SNS data.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
        "logs:Get*", "logs:Describe*", "sns:Get*", "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
Example 3: Stop or terminate an Amazon EC2 instance
The following policy allows a CloudWatch alarm action to stop or terminate an EC2 instance. In the following example, the GetMetricData, ListMetrics, and DescribeAlarms actions are optional. We recommend that you include these actions so that you can confirm that the instance was correctly stopped or terminated.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:PutMetricAlarm", "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics", "cloudwatch:DescribeAlarms"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
        "ec2:StopInstances", "ec2:TerminateInstances"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    }
  ]
}
```
CloudWatch updates to Amazon managed policies
View details about updates to the Amazon managed policies for CloudWatch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Document history page.

| Change | Description | Date |
|---|---|---|
| | CloudWatch added a new policy to help you manage CloudWatch cross-account observability links that share CloudWatch metrics. For more information, see CloudWatch cross-account observability. | November 27, 2022 |
| OAMFullAccess – New policy | CloudWatch added a new policy to give you full management of CloudWatch cross-account observability links and sinks. For more information, see CloudWatch cross-account observability. | November 27, 2022 |
| OAMReadOnlyAccess – New policy | CloudWatch added a new policy to let you view information about CloudWatch cross-account observability links and sinks. For more information, see CloudWatch cross-account observability. | November 27, 2022 |
| CloudWatchFullAccess – Update to an existing policy | CloudWatch added permissions to CloudWatchFullAccess. Added | November 27, 2022 |
| CloudWatchReadOnlyAccess – Update to an existing policy | CloudWatch added permissions to CloudWatchReadOnlyAccess. Added | November 27, 2022 |
| AmazonCloudWatchRUMReadOnlyAccess – Updated policy | CloudWatch added permissions to the AmazonCloudWatchRUMReadOnlyAccess policy. Added | October 27, 2022 |
| AmazonCloudWatchRUMServiceRolePolicy – Update to an existing policy | CloudWatch RUM added permissions to AmazonCloudWatchRUMServiceRolePolicy. Added | October 26, 2022 |
| CloudWatchEvidentlyReadOnlyAccess – Update to an existing policy | CloudWatch Evidently added permissions to CloudWatchEvidentlyReadOnlyAccess. Added | August 12, 2022 |
| CloudWatchSyntheticsFullAccess – Update to an existing policy | CloudWatch Synthetics added permissions to CloudWatchSyntheticsFullAccess. Added | May 6, 2022 |
| | CloudWatch added a new policy that enables full management of CloudWatch RUM. CloudWatch RUM lets you perform real user monitoring of your web applications. For more information, see Using CloudWatch RUM. | November 29, 2021 |
| | CloudWatch added a new policy that enables read-only access to CloudWatch RUM. CloudWatch RUM lets you perform real user monitoring of your web applications. For more information, see Using CloudWatch RUM. | November 29, 2021 |
| | CloudWatch added a new policy that enables full management of CloudWatch Evidently. CloudWatch Evidently lets you perform A/B experiments on your web applications and roll them out gradually. For more information, see Performing launches and A/B experiments with CloudWatch Evidently. | November 29, 2021 |
| | CloudWatch added a new policy that enables read-only access to CloudWatch Evidently. CloudWatch Evidently lets you perform A/B experiments on your web applications and roll them out gradually. For more information, see Performing launches and A/B experiments with CloudWatch Evidently. | November 29, 2021 |
| AWSServiceRoleForCloudWatchRUM – New managed policy | CloudWatch added a policy for a new service-linked role to allow CloudWatch RUM to publish monitoring data to other relevant Amazon services. | November 29, 2021 |
| CloudWatchSyntheticsFullAccess – Update to an existing policy | CloudWatch Synthetics added permissions to CloudWatchSyntheticsFullAccess and also changed the scope of one permission. Added | September 29, 2021 |
| CloudWatchSyntheticsFullAccess – Update to an existing policy | CloudWatch Synthetics added a permission to the CloudWatchSyntheticsFullAccess policy. | July 20, 2021 |
| AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy – New managed policy | CloudWatch added a new managed IAM policy to allow CloudWatch to create incidents in Amazon Systems Manager Incident Manager. | May 10, 2021 |
| CloudWatchAutomaticDashboardsAccess – Update to an existing policy | CloudWatch added a permission to the CloudWatchAutomaticDashboardsAccess managed policy. | April 20, 2021 |
| CloudWatch started tracking changes | CloudWatch started tracking changes to its Amazon managed policies. | April 14, 2021 |