IAM permissions for CloudWatch Network Monitor
To use Amazon CloudWatch Network Monitor, users must have the correct permissions.
For more information about security in Amazon CloudWatch, see Identity and access management for Amazon CloudWatch.
Permissions required to view a monitor
To view a monitor for Amazon CloudWatch Network Monitor in the Amazon Web Services Management Console, you must be signed in as a user or role that has the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "networkmonitor:Get*",
                "networkmonitor:List*"
            ],
            "Resource": "*"
        }
    ]
}
Permissions required to create a monitor
To create a monitor in Amazon CloudWatch Network Monitor, users must have permission to create a service-linked role that is associated with Network Monitor. To learn more about the service-linked role, see Using a service-linked role for CloudWatch Network Monitor.
To create a monitor for Amazon CloudWatch Network Monitor in the Amazon Web Services Management Console, you must be signed in as a user or role that has the permissions included in the following policy.
Note
If you create an identity-based permissions policy that is more restrictive than this one, users with that policy won't be able to create a monitor.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "networkmonitor:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/networkmonitor.amazonaws.com/AWSServiceRoleForNetworkMonitor",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "networkmonitor.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:GetRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/networkmonitor.amazonaws.com/AWSServiceRoleForNetworkMonitor"
        },
        {
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:CreateNetworkInterface",
                "ec2:CreateTags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
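The note above warns that a more restrictive policy silently breaks monitor creation, and the create policy only grants iam:CreateServiceLinkedRole when the iam:AWSServiceName condition matches. The following added example (not part of the AWS documentation) is a small single-policy evaluator that checks whether a candidate identity policy still covers the actions a create call needs; the account id in SLR_ARN and the CreateMonitor action name are assumptions, and the two policies are the ones from this page.

```python
import fnmatch
# Policies copied from the page; SLR_ARN's account id and the CreateMonitor action name are constructed/assumed.
VIEW_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["cloudwatch:GetMetricData", "networkmonitor:Get*", "networkmonitor:List*"]}]}
SLR_PATTERN = "arn:aws:iam::*:role/aws-service-role/networkmonitor.amazonaws.com/AWSServiceRoleForNetworkMonitor"
CREATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["networkmonitor:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_PATTERN,
     "Condition": {"StringLike": {"iam:AWSServiceName": "networkmonitor.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:GetRole", "iam:PutRolePolicy"],
     "Resource": SLR_PATTERN},
    {"Effect": "Allow", "Action": ["ec2:CreateSecurityGroup", "ec2:CreateNetworkInterface",
                                   "ec2:CreateTags"], "Resource": "*"}]}
SLR_ARN = SLR_PATTERN.replace("*", "123456789012")  # constructed account id
SLR_CONTEXT = {"iam:AWSServiceName": "networkmonitor.amazonaws.com"}  # request context IAM sees for the SLR call
REQUIRED_TO_CREATE = [("networkmonitor:CreateMonitor", "*"),  # assumed action name, covered by networkmonitor:*
                      ("iam:CreateServiceLinkedRole", SLR_ARN), ("iam:GetRole", SLR_ARN),
                      ("ec2:CreateNetworkInterface", "*")]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, context):
    # Only StringLike appears on this page; any other operator or a missing key is treated as unmet.
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            if op != "StringLike" or key not in context or not any(
                    fnmatch.fnmatchcase(context[key], w) for w in _as_list(want)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Single-policy evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    context, allowed = context or {}, False
    for st in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are compared as-is.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_permissions(policy, required, context=None):
    """Return the (action, resource) pairs in `required` that `policy` does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r, context)]
```

Running missing_permissions(VIEW_POLICY, REQUIRED_TO_CREATE, SLR_CONTEXT) lists every create-path permission the view-only policy lacks, which is the failure the note describes.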