IAM permissions for Amazon CloudWatch Internet Monitor - Amazon CloudWatch

IAM permissions for Amazon CloudWatch Internet Monitor

To access actions for working with monitors and data in Amazon CloudWatch Internet Monitor, users must have the correct permissions.

For more information about security in Amazon CloudWatch, see Identity and access management for Amazon CloudWatch.

Permissions for read-only access in Amazon CloudWatch Internet Monitor

To use the read-only actions for working with monitors and data in Amazon CloudWatch Internet Monitor, users must be signed in as a user or role that has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "internetmonitor:Get*",
                "internetmonitor:List*",
                "internetmonitor:StartQuery",
                "internetmonitor:StopQuery",
                "logs:DescribeLogGroups",
                "logs:GetQueryResults",
                "logs:StartQuery",
                "logs:StopQuery"
            ],
            "Resource": "*"
        }
    ]
}

Permissions for full access in Amazon CloudWatch Internet Monitor

To create a monitor in Amazon CloudWatch Internet Monitor, and to have full access to actions for working with monitors and data in Internet Monitor, users must be signed in as a user or role that has the following permissions:

Note

If you create an identity-based permissions policy that is more restrictive, users with that policy might not have full access to create and work with monitors and data in Internet Monitor.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "internetmonitor:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "internetmonitor.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor"
        },
        {
            "Action": [
                "ec2:DescribeVpcs",
                "elasticloadbalancing:DescribeLoadBalancers",
                "workspaces:DescribeWorkspaceDirectories",
                "cloudfront:GetDistribution"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
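
The full-access policy above limits its three IAM actions to the Internet Monitor service-linked role and ties iam:CreateServiceLinkedRole to the iam:AWSServiceName condition. The following check is an added example, not part of the AWS documentation: it flags a customized copy of the policy that grants those actions more broadly. The names audit_iam_scope, FULL_ACCESS and WIDENED are hypothetical, and WIDENED is a constructed sample.

```python
import re

# Service-linked role ARN and service name exactly as they appear in the page's policy.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/"
           "internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor")
SERVICE = "internetmonitor.amazonaws.com"
IAM_ACTIONS = ("iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy")

# Full-access policy from this page; the Describe*/Get* discovery statement is left out.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["internetmonitor:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN,
     "Condition": {"StringLike": {"iam:AWSServiceName": SERVICE}}},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": SLR_ARN},
]}
# Constructed sample: a copy of the policy that was widened during editing.
WIDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["internetmonitor:*", "iam:*"], "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action wildcards: '*' is any run of characters, '?' is one; case-insensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_iam_scope(policy):
    """Return (statement index, finding) pairs for Allow statements that grant the
    page's three IAM actions more broadly than the page's policy does."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        patterns = _as_list(st.get("Action", []))
        hits = [a for a in IAM_ACTIONS if any(_matches(p, a) for p in patterns)]
        if hits and _as_list(st.get("Resource", [])) != [SLR_ARN]:
            findings.append((i, "resource-not-service-linked-role"))
        if "iam:CreateServiceLinkedRole" in hits:
            names = [n for op in st.get("Condition", {}).values() for k, v in op.items()
                     if k.lower() == "iam:awsservicename" for n in _as_list(v)]
            if names != [SERVICE]:
                findings.append((i, "missing-aws-service-name-condition"))
    return findings

if __name__ == "__main__":
    print(audit_iam_scope(FULL_ACCESS), audit_iam_scope(WIDENED))
```

The check looks only at Allow statements in a single policy document; it does not model Deny statements, permission boundaries or other attached policies.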