Identity and Access Management for Amazon CloudWatch Network Monitor
Amazon Identity and Access Management (IAM) is an Amazon service that helps an administrator securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use CloudWatch Network Monitor resources. IAM is an Amazon service that you can use with no additional charge. You can use features of IAM to allow other users, services, and applications to use your Amazon resources fully or in a limited way, without sharing your security credentials.
By default, IAM users don't have permission to create, view, or modify Amazon resources. To allow an IAM user to access resources, such as a network monitor, and perform tasks, you must:
- Create an IAM policy that grants the user permission to use the specific resources and API actions they need.
- Attach the policy to the IAM user or to the group to which the user belongs.
When you attach a policy to a user or group of users, it allows or denies the user permission to perform the specified tasks on the specified resources.
Condition keys
The Condition element (or Condition block) lets you specify the conditions under which a statement is in effect. The Condition element is optional. You can build conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request. For more information, see IAM JSON policy elements: Condition operators in the Amazon Identity and Access Management User Guide.
If a statement's Condition element contains multiple condition operators, or multiple keys under a single operator, Amazon evaluates them using a logical AND operation. If you specify multiple values for a single condition key, Amazon evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.
You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name.
You can attach tags to CloudWatch Network Monitor resources or pass tags in a request to CloudWatch Network Monitor. To control access based on tags, you provide tag information in the Condition element of a policy using the aws:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. See IAM JSON policy elements: Condition in the Amazon Identity and Access Management User Guide for more information.
To see all Amazon global condition keys, see Amazon global condition context keys in the Amazon Identity and Access Management User Guide.
Tag CloudWatch Network Monitor resources
A tag is a metadata label that either you or Amazon assigns to an Amazon resource. Each tag consists of a key and a value. For tags that you assign, you define the key and the value. For example, you might define the key as purpose and the value as test for one resource. Tags help you do the following:
- Identify and organize your Amazon resources. Many Amazon services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related.
- Control access to your Amazon resources. For more information, see Controlling access to Amazon resources using tags in the Amazon Identity and Access Management User Guide.
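The following is an added example, not code from the CloudWatch Network Monitor documentation or from AWS. It ties together the two preceding sections: a tag-based IAM policy that uses aws:RequestTag, aws:TagKeys and aws:ResourceTag, plus a small evaluator that models how IAM combines them (logical AND across operators and keys, logical OR across the values of one key, and a missing key never matching StringEquals). The evaluator is a deliberately simplified model rather than IAM's real engine: it handles only StringEquals and ForAllValues:StringEquals, Allow statements and wildcard resources, and ignores Deny. The networkmonitor:* action names and the monitor ARN form are assumptions; check them against the service authorization reference before relying on them.

```python
"""Added example (not AWS code): tag-conditioned IAM policy for CloudWatch Network
Monitor and a simplified model of IAM condition evaluation."""
import json
from fnmatch import fnmatchcase

# Constructed policy document. Statement 1 lets the caller create a monitor only
# when the request tags it purpose=test or purpose=dev AND supplies no tag keys
# other than purpose/team. Statement 2 lets the caller read and re-tag monitors
# that already carry purpose=test (checked against the resource's own tags).
# networkmonitor:* action names and the ARN shape are assumptions for this example.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOnlyTaggedTestMonitors",
            "Effect": "Allow",
            "Action": ["networkmonitor:CreateMonitor"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/purpose": ["test", "dev"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["purpose", "team"]},
            },
        },
        {
            "Sid": "ReadAndRetagTestMonitors",
            "Effect": "Allow",
            "Action": [
                "networkmonitor:GetMonitor",
                "networkmonitor:TagResource",
                "networkmonitor:UntagResource",
            ],
            "Resource": "arn:aws:networkmonitor:*:*:monitor/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/purpose": "test"}},
        },
    ],
}


def policy_json():
    """Policy document as JSON, suitable for `aws iam create-policy --policy-document`."""
    return json.dumps(TAG_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_equals(policy_values, request_value):
    # Single-valued key: the request value must equal ONE of the policy values (OR).
    # A key that is absent from the request never matches StringEquals.
    return request_value is not None and request_value in policy_values


def _for_all_values_string_equals(policy_values, request_values):
    # Multivalued key: EVERY request value must be in the policy set. An absent or
    # empty set passes, so this operator alone cannot require that a tag be present;
    # that is why statement 1 pairs it with StringEquals on aws:RequestTag/purpose.
    return all(v in policy_values for v in (request_values or []))


OPERATORS = {
    "StringEquals": _string_equals,
    "ForAllValues:StringEquals": _for_all_values_string_equals,
}


def condition_matches(condition, ctx):
    """Every operator, and every key under it, must match (logical AND)."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, policy_values in keys.items():
            if not match(_as_list(policy_values), ctx.get(key)):
                return False
    return True


def request_context(request_tags=None, resource_tags=None):
    """Build the condition-key view of a request the way IAM populates it."""
    ctx = {}
    if request_tags is not None:
        for k, v in request_tags.items():
            ctx[f"aws:RequestTag/{k}"] = v
        ctx["aws:TagKeys"] = list(request_tags)
    for k, v in (resource_tags or {}).items():
        ctx[f"aws:ResourceTag/{k}"] = v
    return ctx


def is_allowed(policy, action, resource_arn, ctx):
    """True if some Allow statement's action, resource and conditions all match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        if action not in actions and "*" not in actions:
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


if __name__ == "__main__":
    arn = "arn:aws:networkmonitor:us-east-1:123456789012:monitor/example"  # constructed
    print(is_allowed(TAG_POLICY, "networkmonitor:CreateMonitor", arn,
                     request_context({"purpose": "test", "team": "netops"})))  # True
    print(is_allowed(TAG_POLICY, "networkmonitor:CreateMonitor", arn,
                     request_context({"purpose": "test", "owner": "alice"})))  # False
```

The case worth noticing is an untagged CreateMonitor request: aws:TagKeys is empty, so ForAllValues:StringEquals passes on its own, and only the StringEquals on aws:RequestTag/purpose (which fails on a missing key) keeps the statement from granting access. Leave that second condition out and the policy silently allows untagged monitors that the second statement can then never manage.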
Delete the service-linked role
If you no longer need to use CloudWatch Network Monitor, we recommend that you delete the AWSServiceRoleForNetworkMonitor role.
You can delete this service-linked role only after you delete your network monitors. For information about deleting a network monitor, see Delete a network monitor.
You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.
After you delete AWSServiceRoleForNetworkMonitor, CloudWatch Network Monitor creates the role again when you create a new monitor.