Condition keys for CloudWatch Observability Admin - Amazon CloudWatch
CentralizationSourceRegionsCentralizationDestinationRegionCentralizationBackupRegion
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Condition keys for CloudWatch Observability Admin

You can use IAM policies to control access to Amazon CloudWatch Observability Admin resources and actions by using condition keys.

Observability Admin has the following condition keys:

Condition Key Description Type

CentralizationSourceRegions

ArrayOfString

Filters access by the source Regions that are passed in the request

CentralizationDestinationRegion

String

Filters access by the destination Region that is passed in the request

CentralizationBackupRegion

String

Filters access by the backup Region that is passed in the request

CentralizationSourceRegions

Filters access by the backup region specified for centralization rules.

  • Availability – This key is available for the following resource types: organization-centralization-rule

  • Value type – String

Example JSON policy with observabilityadmin:CentralizationBackupRegion
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "observabilityadmin:CreateOrganizationCentralizationRule",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "observabilityadmin:CentralizationBackupRegion": "us-west-2"
        }
      }
    }
  ]
}

CentralizationDestinationRegion

Filters access by the destination region specified for centralization rules.

  • Availability – This key is available for the following resource types: organization-centralization-rule

  • Value type – String

Example JSON policy with observabilityadmin:CentralizationDestinationRegion
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "observabilityadmin:CreateOrganizationCentralizationRule",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "observabilityadmin:CentralizationDestinationRegion": "us-east-1"
        }
      }
    }
  ]
}

CentralizationBackupRegion

Filters access by the source regions specified for centralization rules.

  • Availability – This key is available for the following resource types: organization-centralization-rule

  • Value type – List of strings

Example JSON policy with observabilityadmin:CentralizationSourceRegions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "observabilityadmin:CreateOrganizationCentralizationRule",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "observabilityadmin:CentralizationSourceRegions": ["us-west-1", "us-west-2"]
        }
      }
    }
  ]
}