View a markdown version of this page

Actions, resources, and condition keys for Amazon CloudWatch Observability Access Manager - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon CloudWatch Observability Access Manager

Amazon CloudWatch Observability Access Manager (service prefix: oam) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon CloudWatch Observability Access Manager

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateLink

oam:CreateLink

Write

oam:TagResource

Tagging, Write

application-signals:Link

Write

applicationinsights:Link

Write

cloudwatch:Link

Write

internetmonitor:Link

Write

logs:Link

Write

xray:Link

Write

CreateSink

oam:CreateSink

Write

oam:TagResource

Tagging, Write

DeleteLink

oam:DeleteLink

Write

DeleteSink

oam:DeleteSink

Write

GetLink

oam:GetLink

Read

GetSink

oam:GetSink

Read

GetSinkPolicy

oam:GetSinkPolicy

Read

ListAttachedLinks

oam:ListAttachedLinks

Read

ListLinks

oam:ListLinks

Read

ListSinks

oam:ListSinks

Read

ListTagsForResource

oam:ListTagsForResource

Read

PutSinkPolicy

oam:PutSinkPolicy

Write

TagResource

oam:TagResource

Tagging, Write

UntagResource

oam:UntagResource

Tagging, Write

UpdateLink

oam:UpdateLink

Write

application-signals:Link

Write

applicationinsights:Link

Write

cloudwatch:Link

Write

internetmonitor:Link

Write

logs:Link

Write

xray:Link

Write

Actions defined by Amazon CloudWatch Observability Access Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateLink

Grants permission to create a link between a monitoring account and a source account for cross-account monitoring

Sink*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

oam:ResourceTypes

Write

CreateSink

Grants permission to create a sink in an account so that it can be used as a monitoring account for cross-account monitoring

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteLink

Grants permission to delete a link between a monitoring account and a source account for cross-account monitoring

Link*

aws:ResourceTag/${TagKey}

Write

DeleteSink

Grants permission to delete a cross-account monitoring sink in a monitoring account

Sink*

aws:ResourceTag/${TagKey}

Write

GetLink

Grants permission to retrieve complete information about one cross-account monitoring link

Link*

aws:ResourceTag/${TagKey}

Read

GetSink

Grants permission to retrieve complete information about one cross-account monitoring sink

Sink*

aws:ResourceTag/${TagKey}

Read

GetSinkPolicy

Grants permission to retrieve information for the IAM policy for a cross-account monitoring sink

Sink*

aws:ResourceTag/${TagKey}

Read

ListAttachedLinks

Grants permission to retrieve a list of links that are linked for a cross-account monitoring sink

Sink*

aws:ResourceTag/${TagKey}

Read

ListLinks

Grants permission to retrieve the ARNs of cross-account monitoring links in this account

Read

ListSinks

Grants permission to retrieve the ARNs of cross-account monitoring sinks in this account

Read

ListTagsForResource

Grants permission to list the tags for a resource

Link

aws:ResourceTag/${TagKey}

Read

Sink

aws:ResourceTag/${TagKey}

PutSinkPolicy

Grants permission to create or update the IAM policy for a cross-account monitoring sink

Sink*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag a resource

Link

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Sink

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to untag a resource

Link

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Sink

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateLink

Grants permission to update an existing link between a monitoring account and a source account

Link*

aws:ResourceTag/${TagKey}

oam:ResourceTypes

Write

Resource types defined by Amazon CloudWatch Observability Access Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

Link

arn:${Partition}:oam:${Region}:${Account}:link/${ResourceId}

aws:ResourceTag/${TagKey}

Sink

arn:${Partition}:oam:${Region}:${Account}:sink/${ResourceId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon CloudWatch Observability Access Manager

Amazon CloudWatch Observability Access Manager defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString

oam:ResourceTypes

Filters access by the presence of resource types in the request

ArrayOfString