Identity and access management for Amazon CloudWatch - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Identity and access management for Amazon CloudWatch

Access to Amazon CloudWatch requires credentials. Those credentials must have permissions to access Amazon resources, such as retrieving CloudWatch metric data about your cloud resources. The following sections provide details about how you can use Amazon Identity and Access Management (IAM) and CloudWatch to help secure your resources by controlling who can access them:


You can access Amazon as any of the following types of identities:

  • Amazon account root user – When you sign up for Amazon, you provide an email address and password that is associated with your Amazon account. These are your Amazon account user credentials and they provide complete access to all of your Amazon resources.


    For security reasons, we recommend that you use the Amazon account user credentials only to create an administrator, which is an IAM user with full permissions to your account. Then, you can use this administrator to create other IAM users and roles with limited permissions. For more information, see IAM Best Practices and Creating an Admin User and Group in the IAM User Guide.

  • IAM user – An IAM user is an identity within your Amazon account that has specific custom permissions (for example, permissions to view metrics in CloudWatch). You can use an IAM user name and password to sign in to secure Amazon webpages like the Amazon Web Services Management Console, Amazon Discussion Forums, or the Amazon Web Services Support Center.


    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access Amazon services programmatically, either through one of the several SDKs or by using the Amazon Command Line Interface (CLI). The SDK and Amazon CLI tools use the access keys to cryptographically sign your request. If you don’t use the Amazon tools, you must sign the request yourself. CloudWatch supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon General Reference.


  • IAM role – An IAM role is another IAM identity you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access Amazon services and resources. IAM roles with temporary credentials are useful in the following situations:


    • Federated user access – Instead of creating an IAM user, you can use preexisting identities from Amazon Directory Service, your enterprise user directory, or a web identity provider (IdP). These are known as federated users. Amazon assigns a role to a federated user when access is requested through an IdP. For more information, see Federated Users and Roles in the IAM User Guide.


    • Cross-account access – You can use an IAM role in your account to grant another Amazon account permissions to access your account’s resources. For an example, see Tutorial: Delegate Access Across Amazon Accounts Using IAM Roles in the IAM User Guide.


    • Amazon service access – You can use an IAM role in your account to grant an Amazon service the permissions needed to access your account’s resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data stored in the bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an Amazon Service in the IAM User Guide.


    • Applications running on Amazon EC2 – Instead of storing access keys within the EC2 instance for use by applications running on the instance and making API requests, you can use an IAM role to manage temporary credentials for these applications. To assign an Amazon role to an EC2 instance and make it available to all of its applications, you can create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see Using Roles for Applications on Amazon EC2 in the IAM User Guide.

Access control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access CloudWatch resources. For example, you must have permissions to create CloudWatch dashboard widgets, view metrics, and so on.

The following sections describe how to manage permissions for CloudWatch. We recommend that you read the overview first.