IAM policies to use Evidently - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM policies to use Evidently

To fully manage CloudWatch Evidently, you must be signed in as an IAM user or role that has the following permissions:

  • The AmazonCloudWatchEvidentlyFullAccess policy

  • The ResourceGroupsandTagEditorReadOnlyAccess policy

Additionally, to be able to create a project that stores evaluation events in Amazon S3 or CloudWatch Logs, you need the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogDelivery", "logs:DeleteLogDelivery", "logs:DescribeResourcePolicies", "logs:PutResourcePolicy" ], "Resource": [ "*" ] } ]

Additional permissions for CloudWatch RUM integration

Additionally, if you intend to manage Evidently launches or experiments that integrate with Amazon CloudWatch RUM and use CloudWatch RUM metrics for monitoring, you need the AmazonCloudWatchRUMFullAccess policy. To create an IAM role to give the CloudWatch RUM web client permission to send data to CloudWatch RUM, you need the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*", "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*" ] } ] }

Permissions for read-only access to Evidently

For other users who need to view Evidently data but don't need to create Evidently resources, you can grant the AmazonCloudWatchEvidentlyReadOnlyAccess policy.