Amazon managed (predefined) policies for CloudWatch - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed (predefined) policies for CloudWatch

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to CloudWatch.

CloudWatch updates to Amazon managed policies

View details about updates to Amazon managed policies for CloudWatch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Document history page.

Change Description Date

CloudWatchApplicationSignalsReadOnlyAccess – Updated policy

CloudWatch updated the CloudWatchApplicationSignalsReadOnlyAccess policy to view how resources and services change in your account and view top observations for service anomalies in your account.

September 29, 2025

CloudWatchApplicationSignalsFullAccess – Updated policy

CloudWatch updated the CloudWatchApplicationSignalsFullAccess policy to view how resources and services change in your account and view top observations for service anomalies in your account.

September 29, 2025

AIOpsAssistantPolicy – Updated policy

CloudWatch updated the AIOpsAssistantPolicy to allow CloudWatch investigations access to additional resources to assist in queries, troubleshooting, and topology mapping.

This policy grants CloudWatch investigations the necessary permissions for conducting investigations.

September 24, 2025

AIOpsConsoleAdminPolicy – Updated policy

CloudWatch updated the AIOpsConsoleAdminPolicy policy to permit validation of investigation groups across accounts.

This policy grants users access to CloudWatch investigations actions, and to additional Amazon actions that are necessary for accessing investigation events.

June 13, 2025

AIOpsOperatorAccess – Updated policy

CloudWatch updated the AIOpsOperatorAccess policy to permit validation of investigation groups across accounts.

This policy grants users access to CloudWatch investigations actions, and to additional Amazon actions that are necessary for accessing investigation events.

June 13, 2025

AIOpsAssistantPolicy – Updates to existing policy

CloudWatch updated the AIOpsAssistantPolicy IAM policy. It added permissions to enable CloudWatch Application Insights operational investigations to find information in your resources during investigations.

The following permissions were added: appsync:GetGraphqlApi, appsync:GetDataSource, iam:ListAttachedRolePolicies, iam:ListRolePolicies, and iam:ListRoles

Additionally, the elastic-inference:Describe* permission was removed from the policy.

June 13, 2025

AmazonCloudWatchRUMReadOnlyAccess – Updated policy

CloudWatch added permissions to the AmazonCloudWatchRUMReadOnlyAccess policy.

The synthetics:DescribeCanaries and synthetics:DescribeCanariesLastRun permissions were added so that CloudWatch RUM can display the Synthetics canaries associated with a RUM app monitor.

The cloudwatch:GetMetricData permission was added so that CloudWatch RUM can display the CloudWatch metrics associated with a RUM app monitor.

The cloudwatch:DescribeAlarms permission was added so that CloudWatch RUM can display the CloudWatch alarms associated with a RUM app monitor.

The logs:DescribeLogGroups permission was added so that CloudWatch RUM can display the CloudWatch Logs log groups associated with a RUM app monitor.

The xray:GetTraceSummaries permission was added so that CloudWatch RUM can display the X-Ray trace segments associated with a RUM app monitor.

The rum:ListTagsForResource permission was added so that CloudWatch RUM can display the tags associated with a RUM app monitor.

June 28, 2025

AIOpsReadOnlyAccess – Updated policy

CloudWatch updated the AIOpsReadOnlyAccess policy to permit validation of investigation groups across accounts.

This policy grants a user read-only permissions for Amazon AI Operations and other related services.

June 5, 2025

AmazonCloudWatchRUMReadOnlyAccess – Updated policy

CloudWatch added a permission to the AmazonCloudWatchRUMReadOnlyAccess policy.

The rum:GetResourcePolicy permission was added so that CloudWatch RUM can view the resource policy attached to the RUM application monitor.

April 28, 2025

AIOpsConsoleAdminPolicy – New policy

CloudWatch created a new policy named AIOpsConsoleAdminPolicy.

This policy grants users full administrative access for managing CloudWatch investigations, including the management of trusted identity propagation, and the management of IAM Identity Center and organizational access.

December 3, 2024

AIOpsOperatorAccess – New policy

CloudWatch created a new policy named AIOpsOperatorAccess.

This policy grants users access to CloudWatch investigations actions, and to additional Amazon actions that are necessary for accessing investigation events.

December 3, 2024

AIOpsReadOnlyAccess – New policy

CloudWatch created a new policy named AIOpsReadOnlyAccess.

This policy grants a user read-only permissions for Amazon AI Operations and other related services.

December 3, 2024

AIOpsAssistantPolicy – New policy

CloudWatch created a new policy named AIOpsAssistantPolicy.

You don't assign this policy to a user. You assign this policy to the Amazon AI Operations assistant to enable CloudWatch investigations to analyze your Amazon resources during the investigation of operational events.

December 3, 2024

CloudWatchFullAccessV2 – Updates to existing policies

CloudWatch updated both CloudWatchFullAccessV2 and CloudWatchFullAccess.

Permissions for Amazon OpenSearch Service were added to enable CloudWatch Logs integration with OpenSearch Service for some features.

December 1, 2024

CloudWatchNetworkFlowMonitorServiceRolePolicy – New policy

CloudWatch added a new policy CloudWatchNetworkFlowMonitorServiceRolePolicy.

The CloudWatchNetworkFlowMonitorServiceRolePolicy grants permissions for Network Flow Monitor to publish metrics to CloudWatch. It also allows the service to use Amazon Organizations to get information for multi-account scenarios.

December 1, 2024

CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy – New policy

CloudWatch added a new policy CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy.

The CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy grants permissions for Network Flow Monitor to generate topology snapshots of resources used in your account.

December 1, 2024

CloudWatchNetworkFlowMonitorAgentPublishPolicy – New policy

CloudWatch added a new policy CloudWatchNetworkFlowMonitorAgentPublishPolicy.

The CloudWatchNetworkFlowMonitorAgentPublishPolicy grants permissions for resources, such as Amazon EC2 and Amazon EKS instances, to send telemetry reports (metrics) to a Network Flow Monitor endpoint.

December 1, 2024

CloudWatchSyntheticsFullAccess – Update to an existing policy

CloudWatch updated the policy named CloudWatchSyntheticsFullAccess.

The following CloudWatch Logs actions have been added to allow CloudWatch Synthetics to get and use canary log data in Lambda log groups. The lambda:GetFunction permission has also been added to allow Synthetics to get information about a specific function.

  • logs:GetLogRecord – Required to expand a log entry in CloudWatch Logs Insights. (Required to view logs in the Synthetics console.)

  • logs:DescribeLogStreams – Required to list all log streams on a log group.

  • logs:StartQuery – Required to start a Logs Insights query (required in the Synthetics console to view logs).

  • logs:GetLogEvents

    Required to list log events from the specified log stream. Used for querying a specific log stream on a log group.

  • logs:FilterLogEvents – Required to view logs in a canary’s log group.

  • logs:GetLogGroupFields – Required for running a Logs Insights query in the console. (The Synthetics console links to the Logs Insights query. Without this permission, Logs Insights queries on a log group fail.)

Additionally, Lambda layer version actions now apply to all CloudWatch Synthetics layer ARNs.

November 20, 2024

CloudWatchInternetMonitorReadOnlyAccess – New policy

CloudWatch created a new policy named CloudWatchInternetMonitorReadOnlyAccess.

This policy grants read-only access to resources and actions available in the CloudWatch console for Internet Monitor. The scope of this policy includes internetmonitor: permissions so that users can use read-only Internet Monitor actions and resources. It includes some cloudwatch: permissions to retrieve information on CloudWatch metrics. It includes some logs: permissions to manage log queries.

November 14, 2024

CloudWatchInternetMonitorFullAccess – New policy

CloudWatch created a new policy named CloudWatchInternetMonitorFullAccess.

This policy grants full access to resources and actions available in the CloudWatch console for Internet Monitor. The scope of this policy includes internetmonitor: permissions so that users can use Internet Monitor actions and resources. It includes some cloudwatch: permissions to retrieve information on CloudWatch alarms and metrics. It includes some logs: permissions to manage log queries. It includes some ec2:, cloudfront:, elasticloadbalancing:, and workspaces: permissions to work with resources that you add to monitors so that Internet Monitor can create a traffic profile for your application. It contains some iam: permissions to manage IAM roles.

October 23, 2024

CloudWatchLambdaApplicationSignalsExecutionRolePolicy – New policy

This policy is used when CloudWatch Application Signals is enabled for Lambda workloads. It enables write access to X-Ray and the log group used by CloudWatch Application Signals.

October 16, 2024

CloudWatchSyntheticsFullAccess – Update to an existing policy

CloudWatch updated the policy named CloudWatchSyntheticsFullAccess.

The lambda:ListTags, lambda:TagResource, and lambda:UntagResource permissions were added so that when you apply or change tags on a canary, you can choose to have Synthetics also apply those same tags or changes to the Lambda function that the canary uses.

October 11, 2024

CloudWatchApplicationSignalsReadOnlyAccess – New policy

CloudWatch created a new policy named CloudWatchApplicationSignalsReadOnlyAccess.

This policy grants read-only access to resources and actions available in the CloudWatch console for Application Signals. The scope of this policy includes application-signals: permissions so that users can use the read-only actions and resources available in the CloudWatch console under Application Signals. It contains an iam: permission to manage IAM roles. It includes some logs: permissions to manage log queries and filters. It includes cloudwatch: permissions to retrieve information on CloudWatch alarms and metrics. It includes some synthetics: permissions to retrieve information about Synthetics canaries. It includes rum: permissions to manage RUM clients and jobs. It contains an xray: permission to obtain trace summaries.

June 7, 2024

CloudWatchApplicationSignalsFullAccess – New policy

CloudWatch created a new policy named CloudWatchApplicationSignalsFullAccess.

This policy grants full access to resources and actions available in the CloudWatch console for Application Signals. The scope of this policy includes application-signals: permissions so that users can use Application Signals actions and resources. It includes some cloudwatch: permissions to retrieve information on, and manage, CloudWatch alarms and metrics. It includes some logs: permissions to manage log queries. It includes some synthetics: permissions to write and retrieve information about Synthetics canaries. It includes rum: permissions to manage RUM clients and jobs. It contains an xray: permission to obtain trace summaries. It contains some iam: permissions to manage IAM roles. It includes some sns: permissions to manage Amazon Simple Notification Service notifications.

June 7, 2024

CloudWatchFullAccessV2 – Update to an existing policy

CloudWatch updated the policy named CloudWatchFullAccessV2.

The CloudWatchFullAccessPermissions statement in the policy was updated to add application-signals:* so that users can use CloudWatch Application Signals to view, investigate, and diagnose issues with the health of their services.

May 20, 2024

CloudWatchReadOnlyAccess – Update to an existing policy

CloudWatch updated the policy named CloudWatchReadOnlyAccess.

The CloudWatchReadOnlyAccessPermissions statement in the policy was updated to add application-signals:BatchGet*, application-signals:List*, and application-signals:Get* so that users can use CloudWatch Application Signals to view, investigate, and diagnose issues with the health of their services. The CloudWatchReadOnlyGetRolePermissions statement was updated to add the iam:GetRole action so that users can check whether CloudWatch Application Signals is set up.

May 20, 2024

CloudWatchApplicationSignalsServiceRolePolicy – Update to an existing policy

CloudWatch updated the policy named CloudWatchApplicationSignalsServiceRolePolicy.

The scoping of the logs:StartQuery and logs:GetQueryResults permissions was changed to add the arn:aws:logs:*:*:log-group:/aws/appsignals/*:* and arn:aws:logs:*:*:log-group:/aws/application-signals/data:* ARNs to enable Application Signals on more architectures.

April 18, 2024

CloudWatchApplicationSignalsServiceRolePolicy – Update to an existing policy

CloudWatch changed the scope of a permission in CloudWatchApplicationSignalsServiceRolePolicy.

The scope of the cloudwatch:GetMetricData permission was changed to * so that Application Signals can retrieve metrics from sources in linked accounts.

April 08, 2024

CloudWatchFullAccessV2 – Update to an existing policy

CloudWatch added permissions to CloudWatchFullAccessV2.

Existing permissions for CloudWatch Synthetics, X-Ray, and CloudWatch RUM actions and new permissions for CloudWatch Application Signals were added so that users with this policy can manage CloudWatch Application Signals.

The permission to create the CloudWatch Application Signals service-linked role was added to allow CloudWatch Application Signals to discover telemetry data in logs, metrics, traces, and tags.

December 5, 2023

CloudWatchReadOnlyAccess – Update to an existing policy

CloudWatch added permissions to CloudWatchReadOnlyAccess.

Existing read-only permissions for CloudWatch Synthetics, X-Ray, and CloudWatch RUM actions and new read-only permissions for CloudWatch Application Signals were added so that users with this policy can triage and diagnose their service health issues as reported by CloudWatch Application Signals.

The cloudwatch:GenerateQuery permission was added so that users with this policy can generate a CloudWatch Metrics Insights query string from a natural language prompt.

December 5, 2023

CloudWatchReadOnlyAccess – Update to an existing policy

CloudWatch added a permission to CloudWatchReadOnlyAccess.

The cloudwatch:GenerateQuery permission was added, so that users with this policy can generate a CloudWatch Metrics Insights query string from a natural language prompt.

December 01, 2023

CloudWatchApplicationSignalsServiceRolePolicy – New policy

CloudWatch added a new policy CloudWatchApplicationSignalsServiceRolePolicy.

The CloudWatchApplicationSignalsServiceRolePolicy grants an upcoming feature permissions to collect CloudWatch Logs data, X-Ray trace data, CloudWatch metrics data, and tagging data.

November 9, 2023

AWSServiceRoleForCloudWatchMetrics_DbPerfInsightsServiceRolePolicy – New policy

CloudWatch added a new policy AWSServiceRoleForCloudWatchMetrics_DbPerfInsightsServiceRolePolicy.

The AWSServiceRoleForCloudWatchMetrics_DbPerfInsightsServiceRolePolicy grants permission to CloudWatch to fetch Performance Insights metrics from databases on your behalf.

September 20, 2023

CloudWatchReadOnlyAccess – Update to an existing policy

CloudWatch added a permission to CloudWatchReadOnlyAccess.

The application-autoscaling:DescribeScalingPolicies permission was added so that users with this policy can access information about Application Auto Scaling policies.

September 14, 2023

CloudWatchFullAccessV2 – New policy

CloudWatch added a new policy CloudWatchFullAccessV2.

The CloudWatchFullAccessV2 policy grants full access to CloudWatch actions and resources while better scoping the permissions granted to other services such as Amazon SNS and Amazon EC2 Auto Scaling. For more information, see CloudWatchFullAccessV2.

August 1, 2023

AWSServiceRoleForInternetMonitor – Update to an existing policy

Amazon CloudWatch Internet Monitor added new permissions to monitor Network Load Balancer resources.

The elasticloadbalancing:DescribeLoadBalancers and ec2:DescribeNetworkInterfaces permissions are required so that Internet Monitor can monitor customers' Network Load Balancer traffic by analyzing flow logs for NLB resources.

For more information, see Using Internet Monitor.

July 15, 2023

CloudWatchReadOnlyAccess – Update to an existing policy

CloudWatch added permissions to CloudWatchReadOnlyAccess.

The logs:StartLiveTail and logs:StopLiveTail permissions were added so that users with this policy can use the console to start and stop CloudWatch Logs live tail sessions. For more information, see Use live tail to view logs in near real time.

June 6, 2023

CloudWatchCrossAccountSharingConfiguration – New policy

CloudWatch added a new policy to enable you to manage CloudWatch cross-account observability links that share CloudWatch metrics.

For more information, see CloudWatch cross-account observability.

November 27, 2022

OAMFullAccess – New policy

CloudWatch added a new policy to enable you to fully manage CloudWatch cross-account observability links and sinks.

For more information, see CloudWatch cross-account observability.

November 27, 2022

OAMReadOnlyAccess – New policy

CloudWatch added a new policy to enable you to view information about CloudWatch cross-account observability links and sinks.

For more information, see CloudWatch cross-account observability.

November 27, 2022

CloudWatchFullAccess – Update to an existing policy

CloudWatch added permissions to CloudWatchFullAccess.

The oam:ListSinks and oam:ListAttachedLinks permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.

November 27, 2022

CloudWatchReadOnlyAccess – Update to an existing policy

CloudWatch added permissions to CloudWatchReadOnlyAccess.

The oam:ListSinks and oam:ListAttachedLinks permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.

November 27, 2022

AmazonCloudWatchRUMServiceRolePolicy – Update to an existing policy

CloudWatch RUM updated a condition in AmazonCloudWatchRUMServiceRolePolicy.

The condition on the cloudwatch:namespace key was changed from

"Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/RUM" } }

to the following, so that CloudWatch RUM can send custom metrics to custom metric namespaces:

"Condition": { "StringLike": { "cloudwatch:namespace": [ "RUM/CustomMetrics/*", "AWS/RUM" ] } }

February 2, 2023
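How the old and new conditions behave on concrete namespaces, as an added example (not code from this page or from AWS). It models IAM's StringEquals and StringLike semantics for a single-valued request key: operators and keys are ANDed, the values listed for one key are ORed, StringLike treats * and ? as wildcards, and both operators compare case-sensitively. The sample namespaces are constructed for the illustration.

```python
import re


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,  # exact, case-sensitive
    "StringLike": _like,
}


def condition_allows(condition: dict, context: dict) -> bool:
    """Evaluate a policy Condition block against the request context.

    Operators and keys are ANDed; the values listed for one key are ORed.
    A key absent from the request context fails the test (the ...IfExists
    operator variants are not modelled here).
    """
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, allowed in keys.items():
            if key not in context:
                return False
            values = allowed if isinstance(allowed, list) else [allowed]
            if not any(match(pattern, context[key]) for pattern in values):
                return False
    return True


# The two conditions quoted above, before and after the February 2023 change.
OLD_CONDITION = {"StringEquals": {"cloudwatch:namespace": "AWS/RUM"}}
NEW_CONDITION = {"StringLike": {"cloudwatch:namespace": ["RUM/CustomMetrics/*", "AWS/RUM"]}}


def namespace_allowed(condition: dict, namespace: str) -> bool:
    """Would cloudwatch:PutMetricData into `namespace` satisfy `condition`?"""
    return condition_allows(condition, {"cloudwatch:namespace": namespace})


# Constructed sample namespaces for the illustration.
SAMPLE_NAMESPACES = [
    "AWS/RUM",                     # allowed before and after the change
    "RUM/CustomMetrics/checkout",  # custom namespace: only allowed after
    "RUM/CustomMetrics/",          # '*' also matches the empty suffix
    "AWS/RUM/Extra",               # no wildcard on AWS/RUM, so still denied
    "aws/rum",                     # StringLike is case-sensitive
    "MyApp/Metrics",               # unrelated namespace, denied by both
]

if __name__ == "__main__":
    for ns in SAMPLE_NAMESPACES:
        print(f"{ns:28} old={namespace_allowed(OLD_CONDITION, ns)!s:5} "
              f"new={namespace_allowed(NEW_CONDITION, ns)}")
```

The practical reading of the change: the RUM service role can now publish into any namespace under RUM/CustomMetrics/ in addition to AWS/RUM, but the prefix wildcard still does not let it write to any other namespace in the account.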

AmazonCloudWatchRUMReadOnlyAccess – Updated policy

CloudWatch added permissions to the AmazonCloudWatchRUMReadOnlyAccess policy.

The rum:ListRumMetricsDestinations and rum:BatchGetRumMetricsDefinitions permissions were added so that CloudWatch RUM can send extended metrics to CloudWatch and Evidently.

October 27, 2022

AmazonCloudWatchRUMServiceRolePolicy – Update to an existing policy

CloudWatch RUM added permissions to AmazonCloudWatchRUMServiceRolePolicy.

The cloudwatch:PutMetricData permission was added so that CloudWatch RUM can send extended metrics to CloudWatch.

October 26, 2022

CloudWatchEvidentlyReadOnlyAccess – Update to an existing policy

CloudWatch Evidently added permissions to CloudWatchEvidentlyReadOnlyAccess.

The evidently:GetSegment, evidently:ListSegments, and evidently:ListSegmentReferences permissions were added so that users with this policy can see Evidently audience segments that have been created.

August 12, 2022

CloudWatchSyntheticsFullAccess – Update to an existing policy

CloudWatch Synthetics added permissions to CloudWatchSyntheticsFullAccess.

The lambda:DeleteFunction and lambda:DeleteLayerVersion permissions were added so that CloudWatch Synthetics can delete related resources when a canary is deleted. The iam:ListAttachedRolePolicies was added so that customers can view the policies that are attached to a canary's IAM role.

May 6, 2022

AmazonCloudWatchRUMFullAccess – New policy

CloudWatch added a new policy to enable full management of CloudWatch RUM.

CloudWatch RUM allows you to perform real user monitoring of your web application. For more information, see CloudWatch RUM.

November 29, 2021

AmazonCloudWatchRUMReadOnlyAccess – New policy

CloudWatch added a new policy to enable read-only access to CloudWatch RUM.

CloudWatch RUM allows you to perform real user monitoring of your web application. For more information, see CloudWatch RUM.

November 29, 2021

CloudWatchEvidentlyFullAccess – New policy

CloudWatch added a new policy to enable full management of CloudWatch Evidently.

CloudWatch Evidently allows you to perform A/B experiments of your web applications, and to roll them out gradually. For more information, see Perform launches and A/B experiments with CloudWatch Evidently.

November 29, 2021

CloudWatchEvidentlyReadOnlyAccess – New policy

CloudWatch added a new policy to enable read-only access to CloudWatch Evidently.

CloudWatch Evidently allows you to perform A/B experiments of your web applications, and to roll them out gradually. For more information, see Perform launches and A/B experiments with CloudWatch Evidently.

November 29, 2021

AWSServiceRoleForCloudWatchRUM – New managed policy

CloudWatch added a policy for a new service-linked role to allow CloudWatch RUM to publish monitoring data to other relevant Amazon services.

November 29, 2021

CloudWatchSyntheticsFullAccess – Update to an existing policy

CloudWatch Synthetics added permissions to CloudWatchSyntheticsFullAccess, and also changed the scope of one permission.

The kms:ListAliases permission was added so that users can list available Amazon KMS keys that can be used to encrypt canary artifacts. The kms:DescribeKey permission was added so that users can see the details of keys that will be used to encrypt canary artifacts. And the kms:Decrypt permission was added to enable users to decrypt canary artifacts. This decryption ability is limited to use on resources within Amazon S3 buckets.

The Resource scope of the s3:GetBucketLocation permission was changed from * to arn:aws:s3:::*.

September 29, 2021

CloudWatchSyntheticsFullAccess – Update to an existing policy

CloudWatch Synthetics added a permission to CloudWatchSyntheticsFullAccess.

The lambda:UpdateFunctionCode permission was added so that users with this policy can change the runtime version of canaries.

July 20, 2021

AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy – New managed policy

CloudWatch added a new managed IAM policy to allow CloudWatch to create incidents in Amazon Systems Manager Incident Manager.

May 10, 2021

CloudWatchAutomaticDashboardsAccess – Update to an existing policy

CloudWatch added a permission to the CloudWatchAutomaticDashboardsAccess managed policy. The synthetics:DescribeCanariesLastRun permission was added to this policy to enable cross-account dashboard users to see details about CloudWatch Synthetics canary runs.

April 20, 2021

CloudWatch started tracking changes

CloudWatch started tracking changes for its Amazon managed policies.

April 14, 2021

CloudWatchFullAccessV2

Amazon recently added the CloudWatchFullAccessV2 managed IAM policy. This policy grants full access to CloudWatch actions and resources and also more properly scopes the permissions granted for other services such as Amazon SNS and Amazon EC2 Auto Scaling. We recommend that you begin using this policy instead of using CloudWatchFullAccess. Amazon plans to deprecate CloudWatchFullAccess in the near future.

It includes application-signals: permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some autoscaling:Describe permissions so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes some sns permissions so that users with this policy can retrieve and create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the oam:ListSinks and oam:ListAttachedLinks permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.

It includes Amazon OpenSearch Service permissions to support vended logs dashboards in CloudWatch Logs, which are created with Amazon OpenSearch Service analytics.

It includes rum, synthetics, and xray permissions so that users can have full access to CloudWatch Synthetics, Amazon X-Ray, and CloudWatch RUM, all of which are under the CloudWatch service.

To see the full contents of the policy, see CloudWatchFullAccessV2 in the Amazon Managed Policy Reference Guide.

CloudWatchFullAccess

The CloudWatchFullAccess policy is on the path to deprecation. We recommend that you stop using it, and use CloudWatchFullAccessV2 instead.

CloudWatchReadOnlyAccess

The CloudWatchReadOnlyAccess policy grants read-only access to CloudWatch and related observability features.

The policy includes some logs: permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes autoscaling:Describe*, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the application-signals: permissions so that users can use Application Signals to monitor the health of their services. It includes application-autoscaling:DescribeScalingPolicies, so that users with this policy can access information about Application Auto Scaling policies. It includes sns:Get* and sns:List*, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the oam:ListSinks and oam:ListAttachedLinks permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the iam:GetRole permission so that users can check whether CloudWatch Application Signals has been set up.

It includes rum, synthetics, and xray permissions so that users can have read-only access to CloudWatch Synthetics, Amazon X-Ray, and CloudWatch RUM, all of which are under the CloudWatch service.

To see the full contents of the policy, see CloudWatchReadOnlyAccess in the Amazon Managed Policy Reference Guide.

CloudWatchActionsEC2Access

The CloudWatchActionsEC2Access policy grants read-only access to CloudWatch alarms and metrics in addition to Amazon EC2 metadata. It also grants access to the Stop, Terminate, and Reboot API actions for EC2 instances.

To see the full contents of the policy, see CloudWatchActionsEC2Access in the Amazon Managed Policy Reference Guide.

CloudWatch-CrossAccountAccess

The CloudWatch-CrossAccountAccess managed policy is used by the CloudWatch-CrossAccountSharingRole IAM role. This role and policy enable users of cross-account dashboards to view automatic dashboards in each account that is sharing dashboards.

To see the full contents of the policy, see CloudWatch-CrossAccountAccess in the Amazon Managed Policy Reference Guide.

CloudWatchAutomaticDashboardsAccess

The CloudWatchAutomaticDashboardsAccess managed policy grants access to CloudWatch for non-CloudWatch APIs, so that resources such as Lambda functions can be displayed on CloudWatch automatic dashboards.

To see the full contents of the policy, see CloudWatchAutomaticDashboardsAccess in the Amazon Managed Policy Reference Guide.

CloudWatchAgentServerPolicy

The CloudWatchAgentServerPolicy policy can be used in IAM roles that are attached to Amazon EC2 instances to allow the CloudWatch agent to read information from the instance and write it to CloudWatch.

To see the full contents of the policy, see CloudWatchAgentServerPolicy in the Amazon Managed Policy Reference Guide.

CloudWatchAgentAdminPolicy

The CloudWatchAgentAdminPolicy policy can be used in IAM roles that are attached to Amazon EC2 instances. This policy allows the CloudWatch agent to read information from the instance and write it to CloudWatch, and also to write information to Parameter Store.

To see the full contents of the policy, see CloudWatchAgentAdminPolicy in the Amazon Managed Policy Reference Guide.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for CloudWatch actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Amazon managed (predefined) policies for CloudWatch cross-account observability

The policies in this section grant permissions related to CloudWatch cross-account observability. For more information, see CloudWatch cross-account observability.

CloudWatchCrossAccountSharingConfiguration

The CloudWatchCrossAccountSharingConfiguration policy grants access to create, manage, and view Observability Access Manager links for sharing CloudWatch resources between accounts. For more information, see CloudWatch cross-account observability.

To see the full contents of the policy, see CloudWatchCrossAccountSharingConfiguration in the Amazon Managed Policy Reference Guide.

OAMFullAccess

The OAMFullAccess policy grants access to create, manage, and view Observability Access Manager sinks and links, which are used for CloudWatch cross-account observability.

The OAMFullAccess policy by itself does not permit you to share observability data across links. To create a link to share CloudWatch metrics, you also need either CloudWatchFullAccess or CloudWatchCrossAccountSharingConfiguration. To create a link to share CloudWatch Logs log groups, you also need either CloudWatchLogsFullAccess or CloudWatchLogsCrossAccountSharingConfiguration. To create a link to share X-Ray traces, you also need either AWSXRayFullAccess or AWSXRayCrossAccountSharingConfiguration.

For more information, see CloudWatch cross-account observability.

To see the full contents of the policy, see OAMFullAccess in the Amazon Managed Policy Reference Guide.

OAMReadOnlyAccess

The OAMReadOnlyAccess policy grants read-only access to Observability Access Manager resources, which are used for CloudWatch cross-account observability. For more information, see CloudWatch cross-account observability.

To see the full contents of the policy, see OAMReadOnlyAccess in the Amazon Managed Policy Reference Guide.

Amazon managed (predefined) policies for CloudWatch investigations

The policies in this section grant permissions related to CloudWatch investigations. For more information, see CloudWatch investigations.

AIOpsConsoleAdminPolicy

The AIOpsConsoleAdminPolicy policy grants full access to all CloudWatch investigations actions and their required permissions via the Amazon console. This policy also grants limited access to other services' APIs required for CloudWatch investigations functionality.

  • The aiops permissions grant access to all CloudWatch investigations actions.

  • The organizations, sso, identitystore, and sts permissions allow actions needed for IAM Identity Center management that facilitate identity-aware sessions.

  • The ssm permissions are required for SSM Ops Item integration with third-party issue management.

  • The iam permissions are needed so that administrators can pass IAM roles to the aiops and ssm.integrations services; the assistant later uses the passed role to analyze Amazon resources.

    Important

    These permissions allow users with this policy to pass any IAM role to the aiops and ssm.integrations services.

  • It allows calls to APIs of services outside CloudWatch investigations that are required for investigation feature functionality. These include actions to configure Amazon Q Developer in chat applications, Amazon KMS, CloudTrail trails, and SSM third-party issue management.

To see the full contents of the policy, see AIOpsConsoleAdminPolicy in the Amazon Managed Policy Reference Guide.

AIOpsOperatorAccess

The AIOpsOperatorAccess policy grants access to a limited set of CloudWatch investigations APIs which include creating, updating, and deleting investigations, investigation events, and investigation resources.

This policy only provides access to investigations. You should be sure that IAM principals with this policy also have permissions to read CloudWatch observability data such as metrics, SLOs, and CloudWatch Logs query results.

  • The aiops permissions allow access to CloudWatch investigations APIs to create, update, and delete investigations.

  • The sso, identitystore, and sts permissions allow actions needed for IAM Identity Center management that facilitate identity-aware sessions.

  • The ssm permissions are required for SSM Ops Item integration with third-party issue management.

To see the full contents of the policy, see AIOpsOperatorAccess in the Amazon Managed Policy Reference Guide.

AIOpsReadOnlyAccess

The AIOpsReadOnlyAccess policy grants read-only permissions for CloudWatch investigations and other related services.

  • The aiops permissions allow access to CloudWatch investigations APIs to get, list, and validate investigation groups.

  • The sso permissions allow actions needed for IAM Identity Center management that facilitate identity-aware sessions.

  • The ssm permissions are required for SSM Ops Item integration with third-party issue management.

To see the full contents of the policy, see AIOpsReadOnlyAccess in the Amazon Managed Policy Reference Guide.

IAM policy for CloudWatch investigations (AIOpsAssistantPolicy)

The AIOpsAssistantPolicy policy is not to be assigned to users or administrators. Instead, it is assigned to Amazon AI Operations to enable it to analyze your Amazon resources during investigations of operational events. This policy is scoped to the resources that CloudWatch investigations supports during investigations, and will be updated as more resources are supported.

You can also choose to assign the general Amazon ReadOnlyAccess to the assistant in addition to assigning it AIOpsAssistantPolicy. The reason to do this is that ReadOnlyAccess will be updated more frequently by Amazon with permissions for new Amazon services and actions that are released. The AIOpsAssistantPolicy will also be updated for new actions, but not as frequently.

To see the full contents of the policy, see AIOpsAssistantPolicy in the Amazon Managed Policy Reference Guide.

Amazon managed (predefined) policies for CloudWatch Application Signals

The policies in this section grant permissions related to CloudWatch Application Signals. For more information, see Application Signals.

CloudWatchApplicationSignalsReadOnlyAccess

Amazon has added the CloudWatchApplicationSignalsReadOnlyAccess managed IAM policy. This policy grants read-only access to actions and resources available to users in the CloudWatch console under Application Signals.

  • It includes application-signals: policies so that users can use CloudWatch Application Signals to view, investigate, and monitor the health of their services.

  • It includes an iam:GetRole policy to allow users to retrieve information about an IAM role.

  • It includes logs: policies to start and stop queries, retrieve the configuration for a metric filter, and obtain query results.

  • It includes cloudwatch: policies so that users can obtain information about a CloudWatch alarm or metrics.

  • It includes synthetics: policies so that users can retrieve information about Synthetics canary runs.

  • It includes rum: policies to run batch operations, retrieve data, and update metrics definitions for RUM clients.

  • It includes an xray: policy to retrieve trace summaries.

To see the full contents of the policy, see CloudWatchApplicationSignalsReadOnlyAccess in the Amazon Managed Policy Reference Guide.

CloudWatchApplicationSignalsFullAccess

Amazon has added the CloudWatchApplicationSignalsFullAccess managed IAM policy. This policy grants access to all actions and resources available to users in the CloudWatch console.

  • It includes application-signals: policies so that users can use CloudWatch Application Signals to view, investigate, and monitor the health of their services.

  • It uses cloudwatch: policies to retrieve data from metrics and alarms.

  • It uses logs: policies to manage queries and filters.

  • It uses synthetics: policies so that users can retrieve information about Synthetics canary runs.

  • It includes rum: policies to run batch operations, retrieve data, and update metrics definitions for RUM clients.

  • It includes an xray: policy to retrieve trace summaries.

  • It includes arn:aws:cloudwatch:*:*:alarm: policies so that users can retrieve information about a service level objective (SLO) alarm.

  • It includes iam: policies to manage IAM roles.

  • It uses sns: policies to create, list, and subscribe to an Amazon SNS topic.

To see the full contents of the policy, see CloudWatchApplicationSignalsFullAccess in the Amazon Managed Policy Reference Guide.

CloudWatchLambdaApplicationSignalsExecutionRolePolicy

This policy is used when CloudWatch Application Signals is enabled for Lambda workloads. It enables write access to X-Ray and the log group used by CloudWatch Application Signals.

To see the full contents of the policy, see CloudWatchLambdaApplicationSignalsExecutionRolePolicy in the Amazon Managed Policy Reference Guide.

Amazon managed (predefined) policies for CloudWatch Synthetics

The CloudWatchSyntheticsFullAccess and CloudWatchSyntheticsReadOnlyAccess Amazon managed policies are available for you to assign to users who will manage or use CloudWatch Synthetics. The following additional policies are also relevant:

  • AmazonS3ReadOnlyAccess and CloudWatchReadOnlyAccess – These are necessary to read all Synthetics data in the CloudWatch console.

  • AWSLambdaReadOnlyAccess – Required to view the source code used by canaries.

  • CloudWatchSyntheticsFullAccess – Allows you to create canaries. Additionally, to create and delete canaries that have a new IAM role created for them, you need specific inline policy permissions.

    Important

    Granting a user the iam:CreateRole, iam:DeleteRole, iam:CreatePolicy, iam:DeletePolicy, iam:AttachRolePolicy, and iam:DetachRolePolicy permissions gives that user full administrative access to create, attach, and delete roles and policies that have ARNs that match arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole* and arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role that matches that ARN pattern. Be careful to whom you grant these permissions.

    For information about attaching policies and granting permissions to users, see Changing Permissions for an IAM User and To embed an inline policy for a user or role.
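As an added example (not AWS code), the following Python check applies IAM wildcard matching to a constructed inline policy shaped like the one the note above describes, and reports which of the listed role-management actions a given role or policy ARN falls under. The policy document, account numbers, and ARNs are constructed samples.

```python
"""Scope check for IAM role-management grants (added example, not AWS code)."""
import re

# Permissions the Synthetics note treats as full administrative control over
# whatever roles and policies the statement's Resource patterns match.
ROLE_ADMIN_ACTIONS = {
    "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:DeletePolicy",
    "iam:AttachRolePolicy", "iam:DetachRolePolicy",
}

# Constructed sample: an inline policy shaped like the one the note describes.
SYNTHETICS_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(ROLE_ADMIN_ACTIONS),
        "Resource": [
            "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
            "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*",
        ],
    }],
}

def iam_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters (including
    across ':' and '/'), '?' matches exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def admin_actions_on(policy, arn):
    """Return the ROLE_ADMIN_ACTIONS that Allow statements in `policy` grant on
    the specific `arn`. Deny statements and unrelated actions are ignored."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(r, arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        for act in _as_list(stmt.get("Action", [])):
            granted |= {a for a in ROLE_ADMIN_ACTIONS if iam_match(act, a)}
    return granted

if __name__ == "__main__":
    # The '::*:' segment of the pattern matches any account number (constructed ARNs).
    for arn in ("arn:aws:iam::111122223333:role/service-role/CloudWatchSyntheticsRole-prod",
                "arn:aws:iam::999999999999:policy/service-role/CloudWatchSyntheticsPolicy",
                "arn:aws:iam::111122223333:role/AdminRole"):
        print(arn, "->", sorted(admin_actions_on(SYNTHETICS_INLINE_POLICY, arn)))
```

The third ARN shows the intended limit of the grant: a role outside the `service-role/CloudWatchSyntheticsRole*` pattern receives none of the listed actions, while any role or policy whose name starts with the prefix, in any account number, receives all of them.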

CloudWatchSyntheticsFullAccess

To see the full contents of the policy, see CloudWatchSyntheticsFullAccess in the Amazon Managed Policy Reference Guide.

CloudWatchSyntheticsReadOnlyAccess

To see the full contents of the policy, see CloudWatchSyntheticsReadOnlyAccess in the Amazon Managed Policy Reference Guide.

Amazon managed (predefined) policies for Amazon CloudWatch RUM

The AmazonCloudWatchRUMFullAccess and AmazonCloudWatchRUMReadOnlyAccess Amazon managed policies are available for you to assign to users who will manage or use CloudWatch RUM.

AmazonCloudWatchRUMFullAccess

To see the full contents of the policy, see AmazonCloudWatchRUMFullAccess in the Amazon Managed Policy Reference Guide.

AmazonCloudWatchRUMReadOnlyAccess

The AmazonCloudWatchRUMReadOnlyAccess policy allows read-only access to CloudWatch RUM.

  • The synthetics permission allows displaying the Synthetics canaries associated with the RUM app monitor.

  • The cloudwatch permission allows displaying the CloudWatch metrics associated with the RUM app monitor.

  • The cloudwatch alarms permission allows displaying the CloudWatch alarms associated with the RUM app monitor.

  • The cloudwatch logs permission allows displaying the CloudWatch logs associated with the RUM app monitor.

  • The x-ray permission allows displaying the X-Ray trace segments associated with the RUM app monitor.

  • The rum permission allows displaying the tags associated with the RUM app monitor.

To see the full contents of the policy, see AmazonCloudWatchRUMReadOnlyAccess in the Amazon Managed Policy Reference Guide.

AmazonCloudWatchRUMServiceRolePolicy

You can't attach AmazonCloudWatchRUMServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows CloudWatch RUM to publish monitoring data to other relevant Amazon services. For more information about this service-linked role, see Using service-linked roles for CloudWatch RUM.

To see the full contents of the policy, see AmazonCloudWatchRUMServiceRolePolicy in the Amazon Managed Policy Reference Guide.

Amazon managed (predefined) policies for CloudWatch Evidently

The CloudWatchEvidentlyFullAccess and CloudWatchEvidentlyReadOnlyAccess Amazon managed policies are available for you to assign to users who will manage or use CloudWatch Evidently.

CloudWatchEvidentlyFullAccess

To see the full contents of the policy, see CloudWatchEvidentlyFullAccess in the Amazon Managed Policy Reference Guide.

CloudWatchEvidentlyReadOnlyAccess

To see the full contents of the policy, see CloudWatchEvidentlyReadOnlyAccess in the Amazon Managed Policy Reference Guide.

Amazon managed policy for Amazon Systems Manager Incident Manager

The AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy policy is attached to a service-linked role that allows CloudWatch to start incidents in Amazon Systems Manager Incident Manager on your behalf. For more information, see Service-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actions.

The policy has the following permission:

  • ssm-incidents:StartIncident