Amazon CloudWatch permissions reference - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon CloudWatch permissions reference

The following table lists each CloudWatch API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

You can use Amazon-wide condition keys in your CloudWatch policies to express conditions. For a complete list of Amazon-wide keys, see Amazon Global and IAM Condition Context Keys in the IAM User Guide.

Note

To specify an action, use the cloudwatch: prefix followed by the API operation name. For example: cloudwatch:GetMetricData, cloudwatch:ListMetrics, or cloudwatch:* (for all CloudWatch actions).

CloudWatch API operations and required permissions for actions

CloudWatch API operations Required permissions (API actions)

DeleteAlarms

cloudwatch:DeleteAlarms

Required to delete an alarm.

DeleteDashboards

cloudwatch:DeleteDashboards

Required to delete a dashboard.

DeleteMetricStream

cloudwatch:DeleteMetricStream

Required to delete a metric stream.

DescribeAlarmHistory

cloudwatch:DescribeAlarmHistory

Required to view alarm history. To retrieve information about composite alarms, your cloudwatch:DescribeAlarmHistory permission must have a * scope. You can't return information about composite alarms if your cloudwatch:DescribeAlarmHistory permission has a narrower scope.

DescribeAlarms

cloudwatch:DescribeAlarms

Required to retrieve information about alarms.

To retrieve information about composite alarms, your cloudwatch:DescribeAlarms permission must have a * scope. You can't return information about composite alarms if your cloudwatch:DescribeAlarms permission has a narrower scope.

DescribeAlarmsForMetric

cloudwatch:DescribeAlarmsForMetric

Required to view alarms for a metric.

DisableAlarmActions

cloudwatch:DisableAlarmActions

Required to disable an alarm action.

EnableAlarmActions

cloudwatch:EnableAlarmActions

Required to enable an alarm action.

GetDashboard

cloudwatch:GetDashboard

Required to display data about existing dashboards.

GetMetricData

cloudwatch:GetMetricData

Required to graph metric data in the CloudWatch console, to retrieve large batches of metric data, and perform metric math on that data.

GetMetricStatistics

cloudwatch:GetMetricStatistics

Required to view graphs in other parts of the CloudWatch console and in dashboard widgets.

GetMetricStream

cloudwatch:GetMetricStream

Required to view information about a metric stream.

GetMetricWidgetImage

cloudwatch:GetMetricWidgetImage

Required to retrieve a snapshot graph of one or more CloudWatch metrics as a bitmap image.

ListDashboards

cloudwatch:ListDashboards

Required to view the list of CloudWatch dashboards in your account.

ListEntitiesForMetric

(CloudWatch console-only permission)

cloudwatch:ListEntitiesForMetric

Required to find the entities associated with a metric. Required to explore related telemetry within the CloudWatch console.

ListMetrics

cloudwatch:ListMetrics

Required to view or search metric names within the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets.

ListMetricStreams

cloudwatch:ListMetricStreams

Required to view or search the list of metric streams in the account.

PutCompositeAlarm

cloudwatch:PutCompositeAlarm

Required to create a composite alarm.

To create a composite alarm, your cloudwatch:PutCompositeAlarm permission must have a * scope. You can't return information about composite alarms if your cloudwatch:PutCompositeAlarm permission has a narrower scope.

PutDashboard

cloudwatch:PutDashboard

Required to create a dashboard or update an existing dashboard.

PutMetricAlarm

cloudwatch:PutMetricAlarm

Required to create or update an alarm.

PutMetricData

cloudwatch:PutMetricData

Required to create metrics.

PutMetricStream

cloudwatch:PutMetricStream

Required to create a metric stream.

SetAlarmState

cloudwatch:SetAlarmState

Required to manually set an alarm's state.

StartMetricStreams

cloudwatch:StartMetricStreams

Required to start the flow of metrics in a metric stream.

StopMetricStreams

cloudwatch:StopMetricStreams

Required to temporarily stop the flow of metrics in a metric stream.

TagResource

cloudwatch:TagResource

Required to add or update tags on CloudWatch resources such as alarms and Contributor Insights rules.

UntagResource

cloudwatch:UntagResource

Required to remove tags from CloudWatch resources .

CloudWatch Application Signals API operations and required permissions for actions

CloudWatch Application Signals API operations Required permissions (API actions)

BatchGetServiceLevelObjectiveBudgetReport

application-signals:BatchGetServiceLevelObjectiveBudgetReport

Required to retrieve service level objective budget reports.

CreateServiceLevelObjective

application-signals:CreateServiceLevelObjective

Required to create a service level objective (SLO).

DeleteServiceLevelObjective

application-signals:DeleteServiceLevelObjective

Required to delete a service level objective (SLO).

GetService

application-signals:GetService

Required to retrieve information about a service discovered by Application Signals.

GetServiceLevelObjective

application-signals:GetServiceLevelObjective

Required to retrieve information about a service level objective (SLO).

ListServiceDependencies

application-signals:ListServiceDependencies

Required to retrieve a list of service dependencies of a service that you specify. This service and the dependencies were discovered by Application Signals.

ListServiceDependents

application-signals:ListServiceDependents

Required to retrieve a list of dependents that invoked a service that you specify. This service and the dependents were discovered by Application Signals.

ListServiceLevelObjectives

application-signals:ListServiceLevelObjectives

Required to retrieve a list of service level objectives (SLOs) in the account.

ListServiceOperations

application-signals:ListServiceOperations

Required to retrieve a list of service operations of a service that you specify. This service and the dependencies were discovered by Application Signals.

ListServices

application-signals:ListServices

Required to retrieve a list of services discovered by Application Signals.

ListTagsForResource

application-signals:ListTagsForResource

Required to retrieve a list of the tags associated with a resource.

StartDiscovery

application-signals:StartDiscovery

Required to be able to enable Application Signals in the account and create the required service-linked role.

TagResource

application-signals:TagResource

Required to be able to add tags to resources.

UntagResource

application-signals:UntagResource

Required to be able to remove tags from resources.

UpdateServiceLevelObjective

application-signals:UpdateServiceLevelObjective

Required to update an existing service level objective

CloudWatch Contributor Insights API operations and required permissions for actions

Important

When you grant a user the cloudwatch:PutInsightRule permission, by default that user can create a rule that evaluates any log group in CloudWatch Logs. You can add IAM policy conditions that limit these permissions for a user to include and exclude specific log groups. For more information, see Using condition keys to limit Contributor Insights users' access to log groups.

CloudWatch Contributor Insights API operations Required permissions (API actions)

DeleteInsightRules

cloudwatch:DeleteInsightRules

Required to delete Contributor Insights rules.

DescribeInsightRules

cloudwatch:DescribeInsightRules

Required to view the Contributor Insights rules in your account.

EnableInsightRules

cloudwatch:EnableInsightRules

Required to enable Contributor Insights rules.

GetInsightRuleReport

cloudwatch:GetInsightRuleReport

Required to retrieve time series data and other statistics collectd by Contributor Insights rules.

PutInsightRule

cloudwatch:PutInsightRule

Required to create Contributor Insights rules. See the Important note at the beginning of this table.

CloudWatch Events API operations and required permissions for actions

CloudWatch Events API operations Required permissions (API actions)

DeleteRule

events:DeleteRule

Required to delete a rule.

DescribeRule

events:DescribeRule

Required to list the details about a rule.

DisableRule

events:DisableRule

Required to disable a rule.

EnableRule

events:EnableRule

Required to enable a rule.

ListRuleNamesByTarget

events:ListRuleNamesByTarget

Required to list rules associated with a target.

ListRules

events:ListRules

Required to list all rules in your account.

ListTargetsByRule

events:ListTargetsByRule

Required to list all targets associated with a rule.

PutEvents

events:PutEvents

Required to add custom events that can be matched to rules.

PutRule

events:PutRule

Required to create or update a rule.

PutTargets

events:PutTargets

Required to add targets to a rule.

RemoveTargets

events:RemoveTargets

Required to remove a target from a rule.

TestEventPattern

events:TestEventPattern

Required to test an event pattern against a given event.

CloudWatch Logs API operations and required permissions for actions

Note

CloudWatch Logs permissions can be found in the CloudWatch Logs user guide.

Amazon EC2 API operations and required permissions for actions

Amazon EC2 API operations Required permissions (API actions)

DescribeInstanceStatus

ec2:DescribeInstanceStatus

Required to view EC2 instance status details.

DescribeInstances

ec2:DescribeInstances

Required to view EC2 instance details.

RebootInstances

ec2:RebootInstances

Required to reboot an EC2 instance.

StopInstances

ec2:StopInstances

Required to stop an EC2 instance.

TerminateInstances

ec2:TerminateInstances

Required to terminate an EC2 instance.

Amazon EC2 Auto Scaling API operations and required permissions for actions

Amazon EC2 Auto Scaling API operations Required permissions (API actions)

Scaling

autoscaling:Scaling

Required to scale an Auto Scaling group.

Trigger

autoscaling:Trigger

Required to trigger an Auto Scaling action.