CloudWatch API operations and required permissions for actions CloudWatch Contributor Insights API operations and required permissions for actions CloudWatch Events API operations and required permissions for actions CloudWatch Logs API operations and required permissions for actions Amazon EC2 API operations and required permissions for actions Amazon EC2 Auto Scaling API operations and required permissions for actions

Amazon CloudWatch permissions reference

The following table lists each CloudWatch API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

You can use Amazon-wide condition keys in your CloudWatch policies to express conditions. For a complete list of Amazon-wide keys, see Amazon Global and IAM Condition Context Keys in the IAM User Guide.

Note

To specify an action, use the cloudwatch: prefix followed by the API operation name. For example: cloudwatch:GetMetricData, cloudwatch:ListMetrics, or cloudwatch:* (for all CloudWatch actions).

Topics

CloudWatch API operations and required permissions for actions
CloudWatch Contributor Insights API operations and required permissions for actions
CloudWatch Events API operations and required permissions for actions
CloudWatch Logs API operations and required permissions for actions
Amazon EC2 API operations and required permissions for actions
Amazon EC2 Auto Scaling API operations and required permissions for actions

CloudWatch API operations and required permissions for actions

CloudWatch API operations	Required permissions (API actions)
DeleteAlarms	`cloudwatch:DeleteAlarms` Required to delete an alarm.
DeleteDashboards	`cloudwatch:DeleteDashboards` Required to delete a dashboard.
DeleteMetricStream	`cloudwatch:DeleteMetricStream` Required to delete a metric stream.
DescribeAlarmHistory	`cloudwatch:DescribeAlarmHistory` Required to view alarm history. To retrieve information about composite alarms, your `cloudwatch:DescribeAlarmHistory` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:DescribeAlarmHistory` permission has a narrower scope.
DescribeAlarms	`cloudwatch:DescribeAlarms` Required to retrieve information about alarms. To retrieve information about composite alarms, your `cloudwatch:DescribeAlarms` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:DescribeAlarms` permission has a narrower scope.
DescribeAlarmsForMetric	`cloudwatch:DescribeAlarmsForMetric` Required to view alarms for a metric.
DisableAlarmActions	`cloudwatch:DisableAlarmActions` Required to disable an alarm action.
EnableAlarmActions	`cloudwatch:EnableAlarmActions` Required to enable an alarm action.
GetDashboard	`cloudwatch:GetDashboard` Required to display data about existing dashboards.
GetMetricData	`cloudwatch:GetMetricData` Required to graph metric data in the CloudWatch console, to retrieve large batches of metric data, and perform metric math on that data.
GetMetricStatistics	`cloudwatch:GetMetricStatistics` Required to view graphs in other parts of the CloudWatch console and in dashboard widgets.
GetMetricStream	`cloudwatch:GetMetricStream` Required to view information about a metric stream.
GetMetricWidgetImage	`cloudwatch:GetMetricWidgetImage` Required to retrieve a snapshot graph of one or more CloudWatch metrics as a bitmap image.
ListDashboards	`cloudwatch:ListDashboards` Required to view the list of CloudWatch dashboards in your account.
ListMetrics	`cloudwatch:ListMetrics` Required to view or search metric names within the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets.
ListMetricStreams	`cloudwatch:ListMetricStreams` Required to view or search the list of metric streams in the account.
PutCompositeAlarm	`cloudwatch:PutCompositeAlarm` Required to create a composite alarm. To create a composite alarm, your `cloudwatch:PutCompositeAlarm` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:PutCompositeAlarm` permission has a narrower scope.
PutDashboard	`cloudwatch:PutDashboard` Required to create a dashboard or update an existing dashboard.
PutMetricAlarm	`cloudwatch:PutMetricAlarm` Required to create or update an alarm.
PutMetricData	`cloudwatch:PutMetricData` Required to create metrics.
PutMetricStream	`cloudwatch:PutMetricStream` Required to create a metric stream.
SetAlarmState	`cloudwatch:SetAlarmState` Required to manually set an alarm's state.
StartMetricStreams	`cloudwatch:StartMetricStreams` Required to start the flow of metrics in a metric stream.
StopMetricStreams	`cloudwatch:StopMetricStreams` Required to temporarily stop the flow of metrics in a metric stream.
TagResource	`cloudwatch:TagResource` Required to add or update tags on CloudWatch resources such as alarms and Contributor Insights rules.
UntagResource	`cloudwatch:UntagResource` Required to remove tags from CloudWatch resources .

CloudWatch Contributor Insights API operations and required permissions for actions

Important

When you grant a user the cloudwatch:PutInsightRule permission, by default that user can create a rule that evaluates any log group in CloudWatch Logs. You can add IAM policy conditions that limit these permissions for a user to include and exclude specific log groups. For more information, see Using condition keys to limit Contributor Insights users' access to log groups.

CloudWatch Contributor Insights API operations	Required permissions (API actions)
DeleteInsightRules	`cloudwatch:DeleteInsightRules` Required to delete Contributor Insights rules.
DescribeInsightRules	`cloudwatch:DescribeInsightRules` Required to view the Contributor Insights rules in your account.
EnableInsightRules	`cloudwatch:EnableInsightRules` Required to enable Contributor Insights rules.
GetInsightRuleReport	`cloudwatch:GetInsightRuleReport` Required to retrieve time series data and other statistics collectd by Contributor Insights rules.
PutInsightRule	`cloudwatch:PutInsightRule` Required to create Contributor Insights rules. See the Important note at the beginning of this table.

CloudWatch Events API operations and required permissions for actions

CloudWatch Events API operations	Required permissions (API actions)
DeleteRule	`events:DeleteRule` Required to delete a rule.
DescribeRule	`events:DescribeRule` Required to list the details about a rule.
DisableRule	`events:DisableRule` Required to disable a rule.
EnableRule	`events:EnableRule` Required to enable a rule.
ListRuleNamesByTarget	`events:ListRuleNamesByTarget` Required to list rules associated with a target.
ListRules	`events:ListRules` Required to list all rules in your account.
ListTargetsByRule	`events:ListTargetsByRule` Required to list all targets associated with a rule.
PutEvents	`events:PutEvents` Required to add custom events that can be matched to rules.
PutRule	`events:PutRule` Required to create or update a rule.
PutTargets	`events:PutTargets` Required to add targets to a rule.
RemoveTargets	`events:RemoveTargets` Required to remove a target from a rule.
TestEventPattern	`events:TestEventPattern` Required to test an event pattern against a given event.

CloudWatch Logs API operations and required permissions for actions

CloudWatch Logs API operations	Required permissions (API actions)
CancelExportTask	`logs:CancelExportTask` Required to cancel a pending or running export task.
CreateExportTask	`logs:CreateExportTask` Required to export data from a log group to an Amazon S3 bucket.
CreateLogGroup	`logs:CreateLogGroup` Required to create a new log group.
CreateLogStream	`logs:CreateLogStream` Required to create a new log stream in a log group.
DeleteDestination	`logs:DeleteDestination` Required to delete a log destination and disables any subscription filters to it.
DeleteLogGroup	`logs:DeleteLogGroup` Required to delete a log group and any associated archived log events.
DeleteLogStream	`logs:DeleteLogStream` Required to delete a log stream and any associated archived log events.
DeleteMetricFilter	`logs:DeleteMetricFilter` Required to delete a metric filter associated with a log group.
DeleteQueryDefinition	`logs:DeleteQueryDefinition` Required to delete a saved query definition in CloudWatch Logs Insights.
DeleteResourcePolicy	`logs:DeleteResourcePolicy` Required to delete a CloudWatch Logs resource policy.
DeleteRetentionPolicy	`logs:DeleteRetentionPolicy` Required to delete a log group's retention policy.
DeleteSubscriptionFilter	`logs:DeleteSubscriptionFilter` Required to delete the subscription filter associated with a log group.
DescribeDestinations	`logs:DescribeDestinations` Required to view all destinations associated with the account.
DescribeExportTasks	`logs:DescribeExportTasks` Required to view all export tasks associated with the account.
DescribeLogGroups	`logs:DescribeLogGroups` Required to view all log groups associated with the account.
DescribeLogStreams	`logs:DescribeLogStreams` Required to view all log streams associated with a log group.
DescribeMetricFilters	`logs:DescribeMetricFilters` Required to view all metrics associated with a log group.
DescribeQueryDefinitions	`logs:DescribeQueryDefinitions` Required to see the list of saved query definitions in CloudWatch Logs Insights.
DescribeQueries	`logs:DescribeQueries` Required to see the list of CloudWatch Logs Insights queries that are scheduled, executing, or have recently excecuted.
DescribeResourcePolicies	`logs:DescribeResourcePolicies` Required to view a list of CloudWatch Logs resource policies.
DescribeSubscriptionFilters	`logs:DescribeSubscriptionFilters` Required to view all subscription filters associated with a log group.
FilterLogEvents	`logs:FilterLogEvents` Required to sort log events by log group filter pattern.
GetLogEvents	`logs:GetLogEvents` Required to retrieve log events from a log stream.
GetLogGroupFields	`logs:GetLogGroupFields` Required to retrieve the list of fields that are included in the log events in a log group.
GetLogRecord	`logs:GetLogRecord` Required to retrieve the details from a single log event.
GetQueryResults	`logs:GetQueryResults` Required to retrieve the results of CloudWatch Logs Insights queries.
ListTagsLogGroup	`logs:ListTagsLogGroup` Required to list the tags associated with a log group.
PutDestination	`logs:PutDestination` Required to create or update a destination log stream (such as an Kinesis stream).
PutDestinationPolicy	`logs:PutDestinationPolicy` Required to create or update an access policy associated with an existing log destination.
PutLogEvents	`logs:PutLogEvents` Required to upload a batch of log events to a log stream.
PutMetricFilter	`logs:PutMetricFilter` Required to create or update a metric filter and associate it with a log group.
PutQueryDefinition	`logs:PutQueryDefinition` Required to save a query in CloudWatch Logs Insights.
PutResourcePolicy	`logs:PutResourcePolicy` Required to create a CloudWatch Logs resource policy.
PutRetentionPolicy	`logs:PutRetentionPolicy` Required to set the number of days to keep log events (retention) in a log group.
PutSubscriptionFilter	`logs:PutSubscriptionFilter` Required to create or update a subscription filter and associate it with a log group.
StartQuery	`logs:StartQuery` Required to start CloudWatch Logs Insights queries.
StopQuery	`logs:StopQuery` Required to stop a CloudWatch Logs Insights query that is in progress.
TagLogGroup	`logs:TagLogGroup` Required to add or update log group tags.
TestMetricFilter	`logs:TestMetricFilter` Required to test a filter pattern against a sampling of log event messages.

Amazon EC2 API operations and required permissions for actions

Amazon EC2 API operations	Required permissions (API actions)
DescribeInstanceStatus	`ec2:DescribeInstanceStatus` Required to view EC2 instance status details.
DescribeInstances	`ec2:DescribeInstances` Required to view EC2 instance details.
RebootInstances	`ec2:RebootInstances` Required to reboot an EC2 instance.
StopInstances	`ec2:StopInstances` Required to stop an EC2 instance.
TerminateInstances	`ec2:TerminateInstances` Required to terminate an EC2 instance.

Amazon EC2 Auto Scaling API operations and required permissions for actions

Amazon EC2 Auto Scaling API operations Required permissions (API actions)

Amazon EC2 Auto Scaling API operations	Required permissions (API actions)
Scaling	`autoscaling:Scaling` Required to scale an Auto Scaling group.
Trigger	`autoscaling:Trigger` Required to trigger an Auto Scaling action.

Scaling

autoscaling:Scaling

Required to scale an Auto Scaling group.

Trigger

autoscaling:Trigger

Required to trigger an Auto Scaling action.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Amazon managed policies for Application Insights

Compliance validation