Amazon managed policies for Internet Monitor - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Internet Monitor

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: CloudWatchInternetMonitorServiceRolePolicy

This policy is attached to the service-linked role named AWSServiceRoleForInternetMonitor to allow Internet Monitor to access resources in your account, such as Amazon Virtual Private Cloud resources or Network Load Balancers, so that you can select them when you create a monitor. For more information, see Service-linked role for Internet Monitor.

Amazon managed policy: CloudWatchInternetMonitorReadOnlyAccess

You can attach CloudWatchInternetMonitorReadOnlyAccess to your IAM entities. This policy grants access to read-only actions to work with monitors and data in with Internet Monitor. Attach it to IAM users and other principals who need access to only read-only actions.

Specifically, the scope of this policy includes internetmonitor: so that users can use read-only Internet Monitor actions and resources. It includes some cloudwatch: policies to retrieve information on CloudWatch metrics. It includes some logs: policies to manage log queries.

To view the permissions for this policy, see CloudWatchInternetMonitorReadOnlyAccess in the Amazon Managed Policy Reference.

Amazon managed policy: CloudWatchInternetMonitorFullAccess

You can attach CloudWatchInternetMonitorFullAccess to your IAM entities. This policy grants full access to Actions for Internet Monitor for working with Internet Monitor. Attach it to IAM users and other principals who need full access to Internet Monitor actions.

Specifically, scope of this policy includes internetmonitor: so that users can use Internet Monitor actions and resources. It includes some cloudwatch: policies to retrieve information on CloudWatch alarms and metrics. It includes some logs: policies to manage log queries. It includes some ec2:, cloudfront:, elasticloadbalancing:, and workspaces: policies to work with resources that you add to monitors so that Internet Monitor can create a traffic profile for your application. It contains some iam: policies to manage IAM roles.

To view the permissions for this policy, see CloudWatchInternetMonitorFullAccess in the Amazon Managed Policy Reference.

Internet Monitor updates to Amazon managed policies

To view details about updates to Amazon managed policies for Internet Monitor since this service began tracking these changes, see CloudWatch updates to Amazon managed policies. For automatic alerts about managed policy changes in CloudWatch, subscribe to the RSS feed on the CloudWatch Document history page.