Using identity-based policies (IAM policies) for CloudWatch - Amazon CloudWatch
The Amazon Web Services services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

This topic provides examples of identity-based policies that show how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on CloudWatch resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options for managing access to CloudWatch resources. For more information, see Access control.

The following shows an example of a permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ],
      "Resource": "*",
      "Condition": { "Bool": { "aws:SecureTransport": "true" } }
    }
  ]
}

This example policy has one statement that grants a group permission to perform two CloudWatch actions (cloudwatch:GetMetricData and cloudwatch:ListMetrics), but only if the group uses SSL for the request ("aws:SecureTransport":"true"). For more information about the elements in an IAM policy statement, see Specifying Policy Elements: Actions, Effects, and Principals and IAM Policy Elements Reference in the IAM User Guide.
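The following Python script is an added example; it is not part of the Amazon documentation and not code from any Amazon SDK. It implements a simplified evaluator for a single identity-based policy (wildcard Action and Resource matching, explicit Deny over Allow, implicit deny otherwise, and the Bool condition operator only) and runs the SSL-only policy above against requests in which aws:SecureTransport is true, false, or absent from the request context. It illustrates the evaluation rules that the policy relies on; it is not the IAM policy simulator.

```python
import fnmatch
import json

# The SSL-only example policy shown above, copied from the page.
SECURE_TRANSPORT_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ],
                   "Resource": "*",
                   "Condition": { "Bool": { "aws:SecureTransport": "true" } } } ] }
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, fold_case=False):
    """IAM wildcard matching: '*' and '?' in the policy pattern. Action names are
    matched case-insensitively; ARNs are compared as written."""
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _bool_condition_holds(condition, context):
    """Evaluate the Bool condition operator only (the one this policy uses).
    A Bool condition on a key that is absent from the request context is false,
    so the statement does not apply. Assumption: no ...IfExists variants."""
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified evaluation of one identity-based policy: an explicit Deny wins,
    otherwise any matching Allow allows, otherwise the request is implicitly denied."""
    decision = "deny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(action, _as_list(stmt.get("Action")), fold_case=True):
            continue
        if not _matches(resource, _as_list(stmt.get("Resource"))):
            continue
        if not _bool_condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    # GetMetricData and ListMetrics are not resource-scoped, so the request resource is "*".
    for ctx in ({"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}, {}):
        print(ctx, evaluate(SECURE_TRANSPORT_POLICY, "cloudwatch:GetMetricData", "*", ctx))
    # An action the policy never names is denied regardless of transport.
    print(evaluate(SECURE_TRANSPORT_POLICY, "cloudwatch:PutMetricData", "*",
                   {"aws:SecureTransport": "true"}))
```

The third request, with no aws:SecureTransport key at all, is denied as well: a Bool condition only matches when the key is present and equal, which is why the policy cannot be satisfied by a client that omits the context rather than setting it to false.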

Permissions required to use the CloudWatch console

For a user to work with the CloudWatch console, that user must have a minimum set of permissions that allows the user to describe other Amazon resources in their Amazon account. The CloudWatch console requires permissions from the following services:

  • Amazon EC2 Auto Scaling

  • CloudTrail

  • CloudWatch

  • CloudWatch Events

  • CloudWatch Logs

  • Amazon EC2

  • OpenSearch Service

  • IAM

  • Kinesis

  • Lambda

  • Amazon S3

  • Amazon SNS

  • Amazon SQS

  • Amazon SWF

  • X-Ray (if you are using the ServiceLens feature)

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the CloudWatch console, also attach the CloudWatchReadOnlyAccess managed policy to the user, as described in Amazon managed (predefined) policies for CloudWatch.

You don't need to allow minimum console permissions for users who make calls only to the Amazon CLI or the CloudWatch API.

The full set of permissions required to work with the CloudWatch console is listed below:

  • application-autoscaling:DescribeScalingPolicies

  • autoscaling:DescribeAutoScalingGroups

  • autoscaling:DescribePolicies

  • cloudtrail:DescribeTrails

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarmHistory

  • cloudwatch:DescribeAlarms

  • cloudwatch:GetMetricData

  • cloudwatch:GetMetricStatistics

  • cloudwatch:ListMetrics

  • cloudwatch:PutMetricAlarm

  • cloudwatch:PutMetricData

  • ec2:DescribeInstances

  • ec2:DescribeTags

  • ec2:DescribeVolumes

  • es:DescribeElasticsearchDomain

  • es:ListDomainNames

  • events:DeleteRule

  • events:DescribeRule

  • events:DisableRule

  • events:EnableRule

  • events:ListRules

  • events:PutRule

  • iam:AttachRolePolicy

  • iam:CreateRole

  • iam:GetPolicy

  • iam:GetPolicyVersion

  • iam:GetRole

  • iam:ListAttachedRolePolicies

  • iam:ListRoles

  • kinesis:DescribeStream

  • kinesis:ListStreams

  • lambda:AddPermission

  • lambda:CreateFunction

  • lambda:GetFunctionConfiguration

  • lambda:ListAliases

  • lambda:ListFunctions

  • lambda:ListVersionsByFunction

  • lambda:RemovePermission

  • logs:CancelExportTask

  • logs:CreateExportTask

  • logs:CreateLogGroup

  • logs:CreateLogStream

  • logs:DeleteLogGroup

  • logs:DeleteLogStream

  • logs:DeleteMetricFilter

  • logs:DeleteRetentionPolicy

  • logs:DeleteSubscriptionFilter

  • logs:DescribeExportTasks

  • logs:DescribeLogGroups

  • logs:DescribeLogStreams

  • logs:DescribeMetricFilters

  • logs:DescribeQueries

  • logs:DescribeSubscriptionFilters

  • logs:FilterLogEvents

  • logs:GetLogGroupFields

  • logs:GetLogRecord

  • logs:GetLogEvents

  • logs:GetQueryResults

  • logs:PutMetricFilter

  • logs:PutRetentionPolicy

  • logs:PutSubscriptionFilter

  • logs:StartQuery

  • logs:StopQuery

  • logs:TestMetricFilter

  • s3:CreateBucket

  • s3:ListBucket

  • sns:CreateTopic

  • sns:GetTopicAttributes

  • sns:ListSubscriptions

  • sns:ListTopics

  • sns:SetTopicAttributes

  • sns:Subscribe

  • sns:Unsubscribe

  • sqs:GetQueueAttributes

  • sqs:GetQueueUrl

  • sqs:ListQueues

  • sqs:SetQueueAttributes

  • swf:CreateAction

  • swf:DescribeAction

  • swf:ListActionTemplates

  • swf:RegisterAction

  • swf:RegisterDomain

  • swf:UpdateAction

In addition, to view the service map in ServiceLens, you need AWSXrayReadOnlyAccess.
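The following Python check is an added example, not Amazon code. It shows how to compare a policy against this list before attaching it: it expands the wildcard Action patterns of every Allow statement and reports which required console actions are not covered. It is run against the CloudWatchReadOnlyAccess and CloudWatchFullAccess policies shown later on this page; the required list in the script is a constructed subset of the full list above, chosen to include both read and write actions.

```python
import fnmatch
import json

# Constructed subset of the console permission list above (read and write actions mixed).
CONSOLE_REQUIRED = [
    "autoscaling:DescribeAutoScalingGroups",
    "cloudwatch:DeleteAlarms",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:GetMetricData",
    "cloudwatch:ListMetrics",
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:PutMetricData",
    "ec2:DescribeInstances",
    "logs:DescribeLogGroups",
    "logs:FilterLogEvents",
    "logs:PutMetricFilter",
    "sns:CreateTopic",
    "sns:ListTopics",
]

# CloudWatchReadOnlyAccess and CloudWatchFullAccess, as listed on this page.
CLOUDWATCH_READ_ONLY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "autoscaling:Describe*",
  "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "logs:Get*",
  "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:Describe*",
  "logs:TestMetricFilter", "logs:FilterLogEvents", "sns:Get*", "sns:List*" ],
  "Effect": "Allow", "Resource": "*" } ] }
""")

CLOUDWATCH_FULL_ACCESS = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Action": [ "autoscaling:Describe*", "cloudwatch:*", "logs:*", "sns:*",
                "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole" ],
    "Effect": "Allow", "Resource": "*" },
  { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
    "Condition": { "StringLike": { "iam:AWSServiceName": "events.amazonaws.com" } } } ] }
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allow_patterns(policy):
    """Action patterns of every Allow statement. Resource scoping and Conditions are
    ignored on purpose: the question here is only whether an action is granted at
    all (assumption: the policies checked contain no Deny statements)."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def missing_console_actions(policy, required=CONSOLE_REQUIRED):
    """Required console actions that no Allow pattern in the policy matches.
    IAM action names are case-insensitive; patterns may contain '*' and '?'."""
    patterns = [p.lower() for p in allow_patterns(policy)]
    return sorted(
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    )


if __name__ == "__main__":
    for name, policy in (("CloudWatchReadOnlyAccess", CLOUDWATCH_READ_ONLY),
                         ("CloudWatchFullAccess", CLOUDWATCH_FULL_ACCESS)):
        print(name, "does not cover:", missing_console_actions(policy))
```

Run against the subset, CloudWatchReadOnlyAccess leaves every write action uncovered (alarm and metric writes, metric filters, topic creation) plus ec2:DescribeInstances, so a user with only that policy can browse the console but will receive access-denied errors from the features behind those actions. CloudWatchFullAccess leaves only ec2:DescribeInstances uncovered, which is why the console also needs permissions from Amazon EC2 and the other services listed earlier.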

Amazon managed (predefined) policies for CloudWatch

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant the necessary permissions for common use cases so that you can avoid having to investigate which permissions are needed. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to CloudWatch.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for CloudWatch actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

CloudWatchFullAccess

The CloudWatchFullAccess policy grants full access to all CloudWatch actions and resources. Its contents are as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:*",
        "logs:*",
        "sns:*",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
      "Condition": { "StringLike": { "iam:AWSServiceName": "events.amazonaws.com" } }
    }
  ]
}

CloudWatchActionsEC2Access

The CloudWatchActionsEC2Access policy grants read-only access to CloudWatch alarms and metrics, as well as to Amazon EC2 metadata. It also grants access to the Stop, Terminate, and Reboot API actions for EC2 instances.

The contents of the CloudWatchActionsEC2Access policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "ec2:Describe*",
        "ec2:RebootInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}

CloudWatchReadOnlyAccess

The CloudWatchReadOnlyAccess policy grants read-only access to CloudWatch.

The contents of the CloudWatchReadOnlyAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "sns:Get*",
        "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

CloudWatchAutomaticDashboardsAccess

The CloudWatch-CrossAccountAccess managed policy is used by the CloudWatch-CrossAccountSharingRole IAM role. This role and policy enable users of cross-account dashboards to view automatic dashboards in each account that is sharing dashboards.

The contents of the CloudWatchAutomaticDashboardsAccess policy are as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "cloudfront:GetDistribution",
        "cloudfront:ListDistributions",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "elasticache:DescribeCacheClusters",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeLoadBalancers",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "lambda:GetFunction",
        "lambda:ListFunctions",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "resource-groups:ListGroupResources",
        "resource-groups:ListGroups",
        "route53:GetHealthCheck",
        "route53:ListHealthChecks",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sns:ListTopics",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "synthetics:DescribeCanariesLastRun",
        "tag:GetResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [ "apigateway:GET" ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:apigateway:*::/restapis*" ]
    }
  ]
}

CloudWatchAgentServerPolicy

The CloudWatchAgentServerPolicy policy can be used in IAM roles attached to Amazon EC2 instances to allow the CloudWatch agent to read information from the instance and write it to CloudWatch.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "ec2:DescribeVolumes",
        "ec2:DescribeTags",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ssm:GetParameter" ],
      "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
    }
  ]
}

CloudWatchAgentAdminPolicy

The CloudWatchAgentAdminPolicy policy can be used in IAM roles attached to Amazon EC2 instances. This policy allows the CloudWatch agent to read information from the instance and write it to CloudWatch, and also to write information to Parameter Store.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ssm:GetParameter", "ssm:PutParameter" ],
      "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
    }
  ]
}

Amazon managed (predefined) policies for CloudWatch Synthetics

The CloudWatchSyntheticsFullAccess and CloudWatchSyntheticsReadOnlyAccess Amazon managed policies are available for you to assign to users who will manage or use CloudWatch Synthetics. The following additional policies are also relevant:

  • AmazonS3ReadOnlyAccess and CloudWatchReadOnlyAccess – These are necessary to read all Synthetics data in the CloudWatch console.

  • AWSLambdaReadOnlyAccess – To be able to view the source code used by canaries.

  • CloudWatchSyntheticsFullAccess – Enables you to create canaries. Additionally, to create a canary that has a new IAM role created for it, you also need the following inline policy statement:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy" ],
          "Resource": [
            "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
            "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*"
          ]
        }
      ]
    }
    Important

    By granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions, that user is granted full administrative access to the Amazon account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about whom you grant these permissions to.

    For information about attaching policies and granting permissions to users, see Changing Permissions for an IAM User and To embed an inline policy for a user or role.
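The following Python check is an added example, not Amazon code. It shows how to audit a policy for the three IAM actions named in the note above: it reports every grant of iam:CreateRole, iam:CreatePolicy, or iam:AttachRolePolicy (including grants made through a wildcard such as iam:*) whose Resource is not narrowed to a role or policy name prefix. The scoped inline policy above passes the check; a constructed variant that grants iam:* on Resource "*" is flagged. Conditions are not evaluated, which is an assumption of this check.

```python
import fnmatch
import json

# The three actions named in the Important note above.
SENSITIVE_IAM_ACTIONS = ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"]

# The inline policy statement shown above, scoped to CloudWatchSyntheticsRole*
# and CloudWatchSyntheticsPolicy* name prefixes.
SCOPED_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy" ],
  "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
                "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*" ] } ] }
""")

# Constructed counter-example: a wildcard IAM grant with no resource scoping at all.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_name_scoped(resource_pattern):
    """True when the ARN pattern pins the role or policy name to a prefix, for example
    '.../CloudWatchSyntheticsRole*'. A bare '*' or a trailing '/*' is not scoped."""
    if resource_pattern == "*":
        return False
    name = resource_pattern.rsplit("/", 1)[-1]
    return name.strip("*?") != ""


def broad_iam_grants(policy):
    """(action, resource) pairs where a sensitive IAM action is allowed on a resource
    pattern that is not name-scoped. Conditions are not evaluated (assumption)."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in SENSITIVE_IAM_ACTIONS:
                # Action names are case-insensitive and may use '*' and '?' wildcards.
                if not fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    continue
                for resource in _as_list(stmt.get("Resource", [])):
                    if not is_name_scoped(resource):
                        findings.append((action, resource))
    return findings


if __name__ == "__main__":
    print("scoped inline policy:", broad_iam_grants(SCOPED_POLICY))
    print("unscoped variant:", broad_iam_grants(UNSCOPED_POLICY))
```

A name prefix on the Resource limits which roles and policies the principal can create or attach to, which is what keeps the inline policy above from being equivalent to account administration; the check is a quick way to confirm that property survives later edits to the policy.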

Amazon managed (predefined) policies for Amazon CloudWatch RUM

You can assign the AmazonCloudWatchRUMFullAccess and AmazonCloudWatchRUMReadOnlyAccess Amazon managed policies to users who will manage or use CloudWatch RUM.

AmazonCloudWatchRUMFullAccess

The contents of the AmazonCloudWatchRUMFullAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "rum:*" ], "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "iam:GetRole", "iam:CreateServiceLinkedRole" ],
      "Resource": [ "arn:aws:iam::*:role/aws-service-role/rum.amazonaws.com/AWSServiceRoleForRealUserMonitoring" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::*:role/RUM-Monitor*" ],
      "Condition": { "StringEquals": { "iam:PassedToService": [ "cognito-identity.amazonaws.com" ] } }
    },
    {
      "Effect": "Allow",
      "Action": [ "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics" ],
      "Resource": "*"
    },
    { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "arn:aws:cloudwatch:*:*:alarm:*" },
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:CreateIdentityPool",
        "cognito-identity:ListIdentityPools",
        "cognito-identity:DescribeIdentityPool",
        "cognito-identity:GetIdentityPoolRoles",
        "cognito-identity:SetIdentityPoolRoles"
      ],
      "Resource": "arn:aws:cognito-identity:*:*:identitypool/*"
    },
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:CreateLogStream" ],
      "Resource": "arn:aws:logs:*:*:log-group:*RUMService*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries",
        "logs:DescribeResourcePolicies"
      ],
      "Resource": "*"
    },
    { "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": "arn:aws:logs:*:*:log-group::log-stream:*" },
    {
      "Effect": "Allow",
      "Action": [ "synthetics:describeCanaries", "synthetics:describeCanariesLastRun" ],
      "Resource": "arn:aws:synthetics:*:*:canary:*"
    }
  ]
}

AmazonCloudWatchRUMReadOnlyAccess

The contents of the AmazonCloudWatchRUMReadOnlyAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "rum:Get*", "rum:List*" ],
      "Resource": "*"
    }
  ]
}

AmazonCloudWatchRUMServiceRolePolicy

You can't attach AmazonCloudWatchRUMServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows CloudWatch RUM to publish monitoring data to other relevant Amazon services. For more information about this service-linked role, see Using service-linked roles for CloudWatch RUM.

Amazon managed (predefined) policies for CloudWatch Evidently

You can assign the CloudWatchSyntheticsFullAccess and CloudWatchSyntheticsReadOnlyAccess Amazon managed policies to users who will manage or use CloudWatch Evidently.

CloudWatchEvidentlyFullAccess

The contents of the CloudWatchEvidentlyFullAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "evidently:*" ], "Resource": "*" },
    { "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "iam:GetRole" ],
      "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:TagResource", "cloudwatch:UnTagResource" ],
      "Resource": [ "arn:aws:cloudwatch:*:*:alarm:*" ]
    },
    { "Effect": "Allow", "Action": [ "cloudtrail:LookupEvents" ], "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "cloudwatch:PutMetricAlarm" ],
      "Resource": [ "arn:aws:cloudwatch:*:*:alarm:Evidently-Alarm-*" ]
    },
    { "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": [ "*" ] },
    {
      "Effect": "Allow",
      "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:ListSubscriptionsByTopic" ],
      "Resource": [ "arn:*:sns:*:*:Evidently-*" ]
    },
    { "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": [ "*" ] }
  ]
}

CloudWatchEvidentlyReadOnlyAccess

The contents of the CloudWatchEvidentlyReadOnlyAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "evidently:GetExperiment",
        "evidently:GetFeature",
        "evidently:GetLaunch",
        "evidently:GetProject",
        "evidently:ListExperiments",
        "evidently:ListFeatures",
        "evidently:ListLaunches",
        "evidently:ListProjects"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy for Amazon Systems Manager Incident Manager

The AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy policy is attached to a service-linked role that allows CloudWatch to start incidents in Amazon Systems Manager Incident Manager on your behalf. For more information, see Service-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actions.

The policy has the following permissions:

  • ssm-incidents:StartIncident

CloudWatchSyntheticsFullAccess

The contents of the CloudWatchSyntheticsFullAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "synthetics:*" ], "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "s3:CreateBucket", "s3:PutEncryptionConfiguration" ],
      "Resource": [ "arn:aws:s3:::cw-syn-results-*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:ListRoles", "s3:ListAllMyBuckets", "xray:GetTraceSummaries", "xray:BatchGetTraces", "apigateway:GET" ],
      "Resource": "*"
    },
    { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::cw-syn-*" },
    { "Effect": "Allow", "Action": [ "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::aws-synthetics-library-*" },
    {
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*" ],
      "Condition": { "StringEquals": { "iam:PassedToService": [ "lambda.amazonaws.com", "synthetics.amazonaws.com" ] } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:GetRole" ],
      "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*" ]
    },
    { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics" ], "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ],
      "Resource": [ "arn:aws:cloudwatch:*:*:alarm:Synthetics-*" ]
    },
    { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:*" ] },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:AddPermission",
        "lambda:PublishVersion",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetFunctionConfiguration"
      ],
      "Resource": [ "arn:aws:lambda:*:*:function:cwsyn-*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "lambda:GetLayerVersion", "lambda:PublishLayerVersion" ],
      "Resource": [ "arn:aws:lambda:*:*:layer:cwsyn-*", "arn:aws:lambda:*:*:layer:Synthetics:*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ],
      "Resource": [ "*" ]
    },
    { "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": [ "*" ] },
    {
      "Effect": "Allow",
      "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:ListSubscriptionsByTopic" ],
      "Resource": [ "arn:*:sns:*:*:Synthetics-*" ]
    },
    { "Effect": "Allow", "Action": [ "kms:ListAliases" ], "Resource": "*" },
    { "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "arn:aws:kms:*:*:key/*" },
    {
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": { "StringLike": { "kms:ViaService": [ "s3.*.amazonaws.com" ] } }
    }
  ]
}

CloudWatchSyntheticsReadOnlyAccess

The contents of the CloudWatchSyntheticsReadOnlyAccess policy are as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "synthetics:Describe*", "synthetics:Get*", "synthetics:List*" ],
      "Resource": "*"
    }
  ]
}

Customer managed policy examples

The user policy examples in this section show how to grant permissions for various CloudWatch actions. You can use these policies when you use the CloudWatch API, the Amazon SDKs, or the Amazon CLI.

Example 1: Allow a user full access to CloudWatch

To grant a user full access to CloudWatch, you can grant the user the CloudWatchFullAccess managed policy instead of creating a customer managed policy. The contents of the CloudWatchFullAccess policy are listed under CloudWatchFullAccess.

Example 2: Allow read-only access to CloudWatch

The following policy allows a user read-only access to CloudWatch and lets the user view Amazon EC2 Auto Scaling actions, CloudWatch metrics, CloudWatch Logs data, and alarm-related Amazon SNS data.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:Describe*",
        "sns:Get*",
        "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Example 3: Stop or terminate an Amazon EC2 instance

The following policy allows a CloudWatch alarm action to stop or terminate an EC2 instance. In the example below, the GetMetricData, ListMetrics, and DescribeAlarms actions are optional. It is recommended that you include these actions to ensure that you have correctly stopped or terminated the instance.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    }
  ]
}

CloudWatch updates to Amazon managed policies

View details about updates to Amazon managed policies for CloudWatch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Document history page.

Change: AmazonCloudWatchRUMFullAccess – New policy
Description: CloudWatch added a new policy that enables full management of CloudWatch RUM. CloudWatch RUM lets you perform real user monitoring of your web applications. For more information, see Using CloudWatch RUM.
Date: November 29, 2021

Change: AmazonCloudWatchRUMReadOnlyAccess – New policy
Description: CloudWatch added a new policy that enables read-only access to CloudWatch RUM. CloudWatch RUM lets you perform real user monitoring of your web applications. For more information, see Using CloudWatch RUM.
Date: November 29, 2021

Change: CloudWatchEvidentlyFullAccess – New policy
Description: CloudWatch added a new policy that enables full management of CloudWatch Evidently. CloudWatch Evidently lets you perform A/B experiments on your web applications and roll them out gradually. For more information, see Perform launches and A/B experiments with CloudWatch Evidently.
Date: November 29, 2021

Change: CloudWatchEvidentlyReadOnlyAccess – New policy
Description: CloudWatch added a new policy that enables read-only access to CloudWatch Evidently. CloudWatch Evidently lets you perform A/B experiments on your web applications and roll them out gradually. For more information, see Perform launches and A/B experiments with CloudWatch Evidently.
Date: November 29, 2021

Change: AWSServiceRoleForCloudWatchRUM – New managed policy
Description: CloudWatch added a new policy for a service-linked role that allows CloudWatch RUM to publish monitoring data to other relevant Amazon services.
Date: November 29, 2021

Change: CloudWatchSyntheticsFullAccess – Update to an existing policy
Description: CloudWatch Synthetics added permissions to CloudWatchSyntheticsFullAccess and changed the scope of one permission. The kms:ListAliases permission was added so that users can list the Amazon KMS keys available for encrypting canary artifacts. The kms:DescribeKey permission was added so that users can see the details of the key that will be used to encrypt canary artifacts. The kms:Decrypt permission was also added so that users can decrypt canary artifacts; this decrypt capability is limited to resources in Amazon S3 buckets. The Resource scope of the s3:GetBucketLocation permission was changed from * to arn:aws:s3:::*.
Date: September 29, 2021

Change: CloudWatchSyntheticsFullAccess – Update to an existing policy
Description: CloudWatch Synthetics added a permission to the CloudWatchSyntheticsFullAccess policy. The lambda:UpdateFunctionCode permission was added so that users with this policy can change the runtime version of a canary.
Date: July 20, 2021

Change: AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy – New managed policy
Description: CloudWatch added a new managed IAM policy to allow CloudWatch to create incidents in Amazon Systems Manager Incident Manager.
Date: May 10, 2021

Change: CloudWatchAutomaticDashboardsAccess – Update to an existing policy
Description: CloudWatch added a permission to the CloudWatchAutomaticDashboardsAccess managed policy. The synthetics:DescribeCanariesLastRun permission was added to this policy so that cross-account dashboard users can see details about CloudWatch Synthetics canary runs.
Date: April 20, 2021

Change: CloudWatch started tracking changes
Description: CloudWatch started tracking changes to its Amazon managed policies.
Date: April 14, 2021