IAM permissions for Amazon CloudWatch Internet Monitor
To access actions for working with monitors and data in Amazon CloudWatch Internet Monitor, users must have the correct permissions.
For more information about security in Amazon CloudWatch, see Identity and access management for Amazon CloudWatch.
Permissions for read-only access in Amazon CloudWatch Internet Monitor
To access read-only actions to work with monitors and data in Amazon CloudWatch Internet Monitor, users must be signed in as a user or role that has the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "internetmonitor:Get*",
                "internetmonitor:List*",
                "internetmonitor:StartQuery",
                "internetmonitor:StopQuery",
                "logs:DescribeLogGroups",
                "logs:GetQueryResults",
                "logs:StartQuery",
                "logs:StopQuery"
            ],
            "Resource": "*"
        }
    ]
}
Permissions for full access in Amazon CloudWatch Internet Monitor
To create a monitor in Amazon CloudWatch Internet Monitor, and to have full access to actions for working with monitors and data in Internet Monitor, users must be signed in as a user or role that has the following permissions:
Permissions to create a service-linked role that is associated with Internet Monitor. For more information, see Service-linked role for Amazon CloudWatch Internet Monitor.
Permissions to actions that enable full access to work with monitors and data in Internet Monitor.
Note
If you create an identity-based permissions policy that is more restrictive, users with that policy might not have full access to create and work with monitors and data in Internet Monitor.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "internetmonitor:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "internetmonitor.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor"
        },
        {
            "Action": [
                "ec2:DescribeVpcs",
                "elasticloadbalancing:DescribeLoadBalancers",
                "workspaces:DescribeWorkspaceDirectories",
                "cloudfront:GetDistribution"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
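The full-access policy above grants its three IAM actions only on the Internet Monitor service-linked role, and limits iam:CreateServiceLinkedRole with an iam:AWSServiceName condition. The following check is an added example, not AWS code: it flags a customized copy of the policy that loses that scoping. The function names and the LOOSENED sample are constructed for illustration, and accepting an account-specific form of the role ARN is an assumption of this example.

```python
import fnmatch

# ARN and service name as they appear in the full-access policy on this page.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/"
           "internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor")
SERVICE = "internetmonitor.amazonaws.com"
IAM_ACTIONS = ["iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]

def as_list(value):
    """IAM accepts one string or a list for Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value)

def granted(stmt, action):
    """True if any Action pattern in the statement matches `action` (case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in as_list(stmt.get("Action", [])))

def audit_iam_scope(policy):
    """Return findings for Allow statements that grant the IAM actions too broadly."""
    findings = []
    stmts = policy["Statement"]
    for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        hits = [a for a in IAM_ACTIONS if granted(stmt, a)]
        if stmt.get("Effect") != "Allow" or not hits:
            continue
        for res in as_list(stmt.get("Resource", [])):
            # Assumption: the page's ARN or an account-specific form of it is acceptable.
            if not fnmatch.fnmatchcase(res, SLR_ARN):
                findings.append(f"statement {i}: {hits} allowed on {res!r}")
        if "iam:CreateServiceLinkedRole" in hits:
            names = [n for op, keys in stmt.get("Condition", {}).items()
                     if op in ("StringEquals", "StringLike")
                     for n in as_list(keys.get("iam:AWSServiceName", []))]
            if names != [SERVICE]:
                findings.append(f"statement {i}: iam:CreateServiceLinkedRole "
                                f"not limited to {SERVICE}")
    return findings

# The two IAM statements of the page's policy, then a constructed loosened variant.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN,
     "Condition": {"StringLike": {"iam:AWSServiceName": SERVICE}}},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": SLR_ARN}]}
LOOSENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("loosened", LOOSENED)):
        print(name, audit_iam_scope(doc) or "ok")
```

The check reads only Allow statements that use Action; statements written with NotAction or NotResource are outside what it evaluates.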