IAM permissions for Amazon CloudWatch Internet Monitor - Amazon CloudWatch

IAM permissions for Amazon CloudWatch Internet Monitor

To use Amazon CloudWatch Internet Monitor, users must have the correct permissions.

For more information about security in Amazon CloudWatch, see Identity and access management for Amazon CloudWatch.

Permissions required to view a monitor

To view a monitor for Amazon CloudWatch Internet Monitor in the Amazon Web Services Management Console, you must be signed in as a user or role that has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "internetmonitor:Get*",
                "internetmonitor:List*",
                "logs:DescribeLogGroups",
                "logs:GetQueryResults",
                "logs:StartQuery",
                "logs:StopQuery",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

Permissions required to create a monitor

To create a monitor in Amazon CloudWatch Internet Monitor, users must have permission to create a service-linked role that is associated with Internet Monitor. To learn more about the Internet Monitor service-linked role, see Using a service-linked role for Amazon CloudWatch Internet Monitor.

To create a monitor for Amazon CloudWatch Internet Monitor in the Amazon Web Services Management Console, you must be signed in as a user or role that has the permissions included in the following policy.

Note

If you create an identity-based permissions policy that is more restrictive, users with that policy won't be able to create a monitor.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "internetmonitor:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "internetmonitor.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor"
        },
        {
            "Action": [
                "ec2:DescribeVpcs",
                "elasticloadbalancing:DescribeLoadBalancers",
                "workspaces:DescribeWorkspaceDirectories",
                "cloudfront:GetDistribution"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
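
The create-monitor policy above limits its three IAM write actions to the Internet Monitor service-linked role and pins iam:AWSServiceName. The following Python check is an added example, not AWS code; it flags copies of the policy that lose that scoping. The names audit_iam_scope, PAGE_IAM and LOOSE are hypothetical, and LOOSE is a constructed sample.

```python
import re
from fnmatch import fnmatchcase

# IAM write actions that the create-monitor policy above scopes to one role.
IAM_WRITE = ("iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy")
SERVICE = "internetmonitor.amazonaws.com"
ROLE = ("arn:aws:iam::*:role/aws-service-role/"
        "internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor")
# Assumption: a pinned 12-digit account ID is accepted as a stricter form of "*".
SLR_ARN = re.compile(r"arn:aws:iam::(\*|\d{12}):role/aws-service-role/"
                     r"internetmonitor\.amazonaws\.com/AWSServiceRoleForInternetMonitor")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_iam_scope(policy):
    """Return (statement index, finding) pairs for Allow statements that grant
    the IAM write actions more broadly than the policy on this page does."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        patterns = as_list(stmt.get("Action", []))
        # Action names are case-insensitive and may contain wildcards.
        granted = {t for t in IAM_WRITE
                   if any(fnmatchcase(t.lower(), p.lower()) for p in patterns)}
        if stmt.get("Effect") != "Allow" or not granted:
            continue
        if not all(SLR_ARN.fullmatch(r) for r in as_list(stmt.get("Resource", "*"))):
            findings.append((idx, "resource-not-scoped-to-service-linked-role"))
        if "iam:CreateServiceLinkedRole" in granted:
            cond = stmt.get("Condition", {})
            pinned = [v for op in ("StringLike", "StringEquals")
                      for v in as_list(cond.get(op, {}).get("iam:AWSServiceName", []))]
            if pinned != [SERVICE]:
                findings.append((idx, "iam:AWSServiceName-not-pinned"))
    return findings

# The two IAM statements from the create-monitor policy above.
PAGE_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": ROLE,
     "Condition": {"StringLike": {"iam:AWSServiceName": SERVICE}}},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": ROLE}]}
# Constructed over-broad variant: same actions, but any role and any service.
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::*:role/*"}]}

if __name__ == "__main__":
    print("page policy:", audit_iam_scope(PAGE_IAM))
    print("loose policy:", audit_iam_scope(LOOSE))
```

The check reads Allow statements only and does not evaluate NotAction, NotResource or Deny statements.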