Amazon CloudWatch permissions reference
The following table lists each CloudWatch API operation and the corresponding actions for
which you can grant permissions to perform the action. You specify the actions in the
policy's Action
field, and you specify a wildcard character (*) as the
resource value in the policy's Resource
field.
You can use Amazon-wide condition keys in your CloudWatch policies to express conditions. For a complete list of Amazon-wide keys, see Amazon Global and IAM Condition Context Keys in the IAM User Guide.
Note
To specify an action, use the cloudwatch:
prefix followed by the API
operation name. For example: cloudwatch:GetMetricData
,
cloudwatch:ListMetrics
, or cloudwatch:*
(for all CloudWatch
actions).
Topics
- CloudWatch API operations and required permissions for actions
- CloudWatch Application Signals API operations and required permissions for actions
- CloudWatch Contributor Insights API operations and required permissions for actions
- CloudWatch Events API operations and required permissions for actions
- CloudWatch Logs API operations and required permissions for actions
- Amazon EC2 API operations and required permissions for actions
- Amazon EC2 Auto Scaling API operations and required permissions for actions
CloudWatch API operations and required permissions for actions
CloudWatch API operations | Required permissions (API actions) |
---|---|
Required to delete an alarm. |
|
Required to delete a dashboard. |
|
Required to delete a metric stream. |
|
Required to view alarm history. To retrieve information about
composite alarms, your
|
|
Required to retrieve information about alarms. To retrieve information about composite alarms, your
|
|
Required to view alarms for a metric. |
|
Required to disable an alarm action. |
|
Required to enable an alarm action. |
|
Required to display data about existing dashboards. |
|
Required to graph metric data in the CloudWatch console, to retrieve large batches of metric data, and perform metric math on that data. |
|
Required to view graphs in other parts of the CloudWatch console and in dashboard widgets. |
|
Required to view information about a metric stream. |
|
Required to retrieve a snapshot graph of one or more CloudWatch metrics as a bitmap image. |
|
Required to view the list of CloudWatch dashboards in your account. |
|
ListEntitiesForMetric (CloudWatch console-only permission) |
Required to find the entities associated with a metric. Required to explore related telemetry within the CloudWatch console. |
Required to view or search metric names within the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets. |
|
Required to view or search the list of metric streams in the account. |
|
Required to create a composite alarm. To create a composite alarm, your
|
|
Required to create a dashboard or update an existing dashboard. |
|
Required to create or update an alarm. |
|
Required to create metrics. |
|
Required to create a metric stream. |
|
Required to manually set an alarm's state. |
|
Required to start the flow of metrics in a metric stream. |
|
Required to temporarily stop the flow of metrics in a metric stream. |
|
Required to add or update tags on CloudWatch resources such as alarms and Contributor Insights rules. |
|
Required to remove tags from CloudWatch resources . |
CloudWatch Application Signals API operations and required permissions for actions
CloudWatch Application Signals API operations | Required permissions (API actions) |
---|---|
Required to retrieve service level objective budget reports. |
|
Required to create a service level objective (SLO). |
|
Required to delete a service level objective (SLO). |
|
Required to retrieve information about a service discovered by Application Signals. |
|
Required to retrieve information about a service level objective (SLO). |
|
Required to retrieve a list of service dependencies of a service that you specify. This service and the dependencies were discovered by Application Signals. |
|
Required to retrieve a list of dependents that invoked a service that you specify. This service and the dependents were discovered by Application Signals. |
|
Required to retrieve a list of service level objectives (SLOs) in the account. |
|
Required to retrieve a list of service operations of a service that you specify. This service and the dependencies were discovered by Application Signals. |
|
Required to retrieve a list of services discovered by Application Signals. |
|
Required to retrieve a list of the tags associated with a resource. |
|
Required to be able to enable Application Signals in the account and create the required service-linked role. |
|
Required to be able to add tags to resources. |
|
Required to be able to remove tags from resources. |
|
Required to update an existing service level objective |
CloudWatch Contributor Insights API operations and required permissions for actions
Important
When you grant a user the cloudwatch:PutInsightRule
permission,
by default that user can create a rule that evaluates any log group in CloudWatch Logs.
You can add IAM policy conditions that limit these permissions for a user to
include and exclude specific log groups. For more information, see Using condition keys to limit
Contributor Insights users' access to log groups.
CloudWatch Contributor Insights API operations | Required permissions (API actions) |
---|---|
Required to delete Contributor Insights rules. |
|
Required to view the Contributor Insights rules in your account. |
|
Required to enable Contributor Insights rules. |
|
Required to retrieve time series data and other statistics collectd by Contributor Insights rules. |
|
Required to create Contributor Insights rules. See the Important note at the beginning of this table. |
CloudWatch Events API operations and required permissions for actions
CloudWatch Events API operations | Required permissions (API actions) |
---|---|
Required to delete a rule. |
|
Required to list the details about a rule. |
|
Required to disable a rule. |
|
Required to enable a rule. |
|
Required to list rules associated with a target. |
|
Required to list all rules in your account. |
|
Required to list all targets associated with a rule. |
|
Required to add custom events that can be matched to rules. |
|
Required to create or update a rule. |
|
Required to add targets to a rule. |
|
Required to remove a target from a rule. |
|
Required to test an event pattern against a given event. |
CloudWatch Logs API operations and required permissions for actions
Note
CloudWatch Logs permissions can be found in the CloudWatch Logs user guide.
Amazon EC2 API operations and required permissions for actions
Amazon EC2 API operations | Required permissions (API actions) |
---|---|
Required to view EC2 instance status details. |
|
Required to view EC2 instance details. |
|
Required to reboot an EC2 instance. |
|
Required to stop an EC2 instance. |
|
Required to terminate an EC2 instance. |
Amazon EC2 Auto Scaling API operations and required permissions for actions
Amazon EC2 Auto Scaling API operations | Required permissions (API actions) |
---|---|
Scaling |
Required to scale an Auto Scaling group. |
Trigger |
Required to trigger an Auto Scaling action. |