

# Amazon CloudWatch permissions reference
<a name="permissions-reference-cw"></a>

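The following tables list each CloudWatch API operation and the corresponding action for which you can grant permissions to perform that operation. You specify the actions in the policy's `Action` field, and you specify a wildcard character (`*`) as the resource value in the policy's `Resource` field.

You can use Amazon-wide condition keys in your CloudWatch policies to express conditions. For a complete list of Amazon-wide keys, see [Amazon global and IAM condition context keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

**Note**  
To specify an action, use the `cloudwatch:` prefix before the API operation name. For example: `cloudwatch:GetMetricData`, `cloudwatch:ListMetrics`, or `cloudwatch:*` (for all CloudWatch actions).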

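**Topics**
+ [CloudWatch API operations and required permissions for actions](#cw-permissions-table)
+ [CloudWatch Application Signals API operations and required permissions for actions](#cw-application-signals-permissions-table)
+ [CloudWatch Contributor Insights API operations and required permissions for actions](#cw-contributor-insights-permissions-table)
+ [CloudWatch Events API operations and required permissions for actions](#cwe-permissions-table)
+ [CloudWatch Logs API operations and required permissions for actions](#cwl-permissions-table)
+ [Amazon EC2 API operations and required permissions for actions](#cw-ec2-permissions-table)
+ [Amazon EC2 Auto Scaling API operations and required permissions for actions](#cw-as-permissions-table)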

## CloudWatch API operations and required permissions for actions
<a name="cw-permissions-table"></a>


| CloudWatch API operations | Required permissions (API actions) | 
| --- | --- | 
|  [DeleteAlarms](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html)  |  `cloudwatch:DeleteAlarms` Required to delete an alarm.  | 
|  [DeleteDashboards](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DeleteDashboards.html)  |  `cloudwatch:DeleteDashboards` Required to delete a dashboard.  | 
|  [DeleteMetricStream](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DeleteMetricStream.html)  |  `cloudwatch:DeleteMetricStream` Required to delete a metric stream.  | 
|  [DescribeAlarmHistory](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DescribeAlarmHistory.html)  |  `cloudwatch:DescribeAlarmHistory` Required to view alarm history. To retrieve information about composite alarms, your `cloudwatch:DescribeAlarmHistory` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:DescribeAlarmHistory` permission has a narrower scope.  | 
|  [DescribeAlarms](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DescribeAlarms.html)  |  `cloudwatch:DescribeAlarms` Required to retrieve information about alarms. To retrieve information about composite alarms, your `cloudwatch:DescribeAlarms` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:DescribeAlarms` permission has a narrower scope.  | 
|  [DescribeAlarmsForMetric](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DescribeAlarmsForMetric.html)  |  `cloudwatch:DescribeAlarmsForMetric` Required to view alarms for a metric.  | 
|  [DisableAlarmActions](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DisableAlarmActions.html)  |  `cloudwatch:DisableAlarmActions` Required to disable an alarm action.  | 
|  [EnableAlarmActions](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_EnableAlarmActions.html)  |  `cloudwatch:EnableAlarmActions` Required to enable an alarm action.  | 
|  [GetDashboard](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_GetDashboard.html)  |  `cloudwatch:GetDashboard` Required to display data about existing dashboards.  | 
|  [GetMetricData](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html)  |  `cloudwatch:GetMetricData` Required to retrieve large batches of metric data in the CloudWatch console and to perform metric math on that data.  | 
|  [GetMetricStatistics](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_GetMetricStatistics.html)  |  `cloudwatch:GetMetricStatistics` Required to view graphs in other parts of the CloudWatch console and in dashboard widgets.  | 
|  [GetMetricStream](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_GetMetricStream.html)  |  `cloudwatch:GetMetricStream` Required to view information about a metric stream.  | 
|  [GetMetricWidgetImage](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_GetMetricWidgetImage.html)  |  `cloudwatch:GetMetricWidgetImage` Required to retrieve a snapshot graph of one or more CloudWatch metrics as a bitmap image.  | 
|  [ListDashboards](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_ListDashboards.html)  |  `cloudwatch:ListDashboards` Required to view the list of CloudWatch dashboards in your account.  | 
|  ListEntitiesForMetric (CloudWatch console-only permission)  |  `cloudwatch:ListEntitiesForMetric` Required to find the entities associated with a metric. Required to explore related telemetry in the CloudWatch console.  | 
|  [ListMetrics](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html)  |  `cloudwatch:ListMetrics` Required to view or search metric names in the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets.  | 
|  [ListMetricStreams](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_ListMetricStreams.html)  |  `cloudwatch:ListMetricStreams` Required to view or search the list of metric streams in the account.  | 
|  [PutCompositeAlarm](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_PutCompositeAlarm.html)  |  `cloudwatch:PutCompositeAlarm` Required to create a composite alarm. To create a composite alarm, your `cloudwatch:PutCompositeAlarm` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:PutCompositeAlarm` permission has a narrower scope.  | 
|  [PutDashboard](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_PutDashboard.html)  |  `cloudwatch:PutDashboard` Required to create a dashboard or update an existing dashboard.  | 
|  [PutMetricAlarm](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_PutMetricAlarm.html)  |  `cloudwatch:PutMetricAlarm` Required to create or update an alarm.  | 
|  [PutMetricData](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html)  |  `cloudwatch:PutMetricData` Required to create metrics.  | 
|  [PutMetricStream](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_PutMetricStream.html)  |  `cloudwatch:PutMetricStream` Required to create a metric stream.  | 
|  [SetAlarmState](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_SetAlarmState.html)  |  `cloudwatch:SetAlarmState` Required to manually set an alarm's state.  | 
|  [StartMetricStreams](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_StartMetricStreams.html)  |  `cloudwatch:StartMetricStreams` Required to start the flow of metrics in a metric stream.  | 
|  [StopMetricStreams](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_StartMetricStreams.html)  |  `cloudwatch:StopMetricStreams` Required to temporarily stop the flow of metrics in a metric stream.  | 
|  [TagResource](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_TagResource.html)  |  `cloudwatch:TagResource` Required to add or update tags on CloudWatch resources such as alarms and Contributor Insights rules.  | 
|  [UntagResource](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_UntagResource.html)  |  `cloudwatch:UntagResource` Required to remove tags from CloudWatch resources.  | 
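
The table above says that `cloudwatch:DescribeAlarmHistory`, `cloudwatch:DescribeAlarms` and `cloudwatch:PutCompositeAlarm` must have a `*` scope to work with composite alarms, and a policy review can check for that mechanically. The following Python lint is an added example, not part of the AWS documentation. The function name and the sample policy (placeholder account ID and alarm name) are constructed for illustration, and it assumes plain `Action`/`Resource` statements matched with `fnmatch` wildcards, a simplification of IAM evaluation that ignores `NotAction`, `NotResource`, conditions and explicit denies.

```python
import fnmatch

# Actions that, per the table above, need a "*" resource scope before
# composite-alarm information can be created or returned.
STAR_SCOPE_ACTIONS = (
    "cloudwatch:DescribeAlarmHistory",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:PutCompositeAlarm",
)


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def find_narrow_composite_grants(policy):
    """Return, sorted, the STAR_SCOPE_ACTIONS that the policy allows only on
    resources narrower than "*" (hypothetical helper, not an AWS API)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    narrow, wide = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = wide if "*" in _as_list(stmt.get("Resource")) else narrow
        for action in STAR_SCOPE_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    # A narrow grant only matters if no other statement grants "*" scope.
    return sorted(narrow - wide)


# Constructed sample policy; the account ID and alarm name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "NarrowAlarms", "Effect": "Allow",
         "Action": ["cloudwatch:Describe*", "cloudwatch:PutMetricAlarm"],
         "Resource": "arn:aws-cn:cloudwatch:cn-north-1:111122223333:alarm:web-*"},
        {"Sid": "CompositeOk", "Effect": "Allow",
         "Action": "cloudwatch:PutCompositeAlarm", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action in find_narrow_composite_grants(SAMPLE_POLICY):
        print(f"{action}: allowed only on a scope narrower than '*'")
```
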

## CloudWatch Application Signals API operations and required permissions for actions
<a name="cw-application-signals-permissions-table"></a>


| CloudWatch Application Signals API operations | Required permissions (API actions) | 
| --- | --- | 
|  [BatchGetServiceLevelObjectiveBudgetReport](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_BatchGetServiceLevelObjectiveBudgetReport.html)  |  `application-signals:BatchGetServiceLevelObjectiveBudgetReport` Required to retrieve service level objective budget reports.  | 
|  [CreateServiceLevelObjective](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_CreateServiceLevelObjective.html)  |  `application-signals:CreateServiceLevelObjective` Required to create a service level objective (SLO).  | 
|  [DeleteServiceLevelObjective](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_DeleteServiceLevelObjective.html)  |  `application-signals:DeleteServiceLevelObjective` Required to delete a service level objective (SLO).  | 
|  [GetService](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_GetService.html)  |  `application-signals:GetService` Required to retrieve information about a service discovered by Application Signals.  | 
|  [GetServiceLevelObjective](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_GetServiceLevelObjective.html)  |  `application-signals:GetServiceLevelObjective` Required to retrieve information about a service level objective (SLO).  | 
|  ListObservedEntities  |  `application-signals:ListObservedEntities` Grants permission to list the entities that are associated with other entities.  | 
|  [ListServiceDependencies](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_ListServiceDependencies.html)  |  `application-signals:ListServiceDependencies` Required to retrieve a list of service dependencies of the service that you specify. This service and its dependencies were discovered by Application Signals.  | 
|  [ListServiceDependents](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_ListServiceDependents.html)  |  `application-signals:ListServiceDependents` Required to retrieve a list of the dependents that invoke the service that you specify. This service and its dependents were discovered by Application Signals.  | 
|  [ListServiceLevelObjectives](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_ListServiceLevelObjectives.html)  |  `application-signals:ListServiceLevelObjectives` Required to retrieve a list of the service level objectives (SLOs) in the account.  | 
|  [ListServiceOperations](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_ListServiceOperations.html)  |  `application-signals:ListServiceOperations` Required to retrieve a list of service operations of the service that you specify. This service and its dependencies were discovered by Application Signals.  | 
|  [ListServices](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_ListServices.html)  |  `application-signals:ListServices` Required to retrieve a list of the services discovered by Application Signals.  | 
|  [ListTagsForResource](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_ListTagsForResource.html)  |  `application-signals:ListTagsForResource` Required to retrieve a list of the tags associated with a resource.  | 
|  [StartDiscovery](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_StartDiscovery.html)  |  `application-signals:StartDiscovery` Required to enable Application Signals in the account and to create the required service-linked role.  | 
|  [TagResource](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_TagResource.html)  |  `application-signals:TagResource` Required to add tags to a resource.  | 
|  [UntagResource](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_UntagResource.html)  |  `application-signals:UntagResource` Required to remove tags from a resource.  | 
|  [UpdateServiceLevelObjective](https://docs.amazonaws.cn/applicationsignals/latest/APIReference/API_UpdateServiceLevelObjective.html)  |  `application-signals:UpdateServiceLevelObjective` Required to update an existing service level objective.  | 

## CloudWatch Contributor Insights API operations and required permissions for actions
<a name="cw-contributor-insights-permissions-table"></a>

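**Important**  
When you grant a user the `cloudwatch:PutInsightRule` permission, by default that user can create a rule that evaluates any log group in CloudWatch Logs. You can add IAM policy conditions that limit these permissions for a user so that they include and exclude specific log groups. For more information, see [Using condition keys to limit Contributor Insights users' access to log groups](iam-cw-condition-keys-contributor.md).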


| CloudWatch Contributor Insights API operations | Required permissions (API actions) | 
| --- | --- | 
|  [DeleteInsightRules](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DeleteInsightRules.html)  |  `cloudwatch:DeleteInsightRules` Required to delete Contributor Insights rules.  | 
|  [DescribeInsightRules](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_DescribeInsightRules.html)  |  `cloudwatch:DescribeInsightRules` Required to view the Contributor Insights rules in your account.  | 
|  [EnableInsightRules](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_EnableInsightRules.html)  |  `cloudwatch:EnableInsightRules` Required to enable Contributor Insights rules.  | 
|  [GetInsightRuleReport](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_GetInsightRuleReport.html)  |  `cloudwatch:GetInsightRuleReport` Required to retrieve the time series data and other statistics collected by Contributor Insights rules.  | 
|  [PutInsightRule](https://docs.amazonaws.cn/AmazonCloudWatch/latest/APIReference/API_PutInsightRule.html)  |  `cloudwatch:PutInsightRule` Required to create Contributor Insights rules. See the **Important** note at the beginning of this table.  | 

## CloudWatch Events API operations and required permissions for actions
<a name="cwe-permissions-table"></a>


| CloudWatch Events API operations | Required permissions (API actions) | 
| --- | --- | 
|  [DeleteRule](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_DeleteRule.html)  |  `events:DeleteRule` Required to delete a rule.  | 
|  [DescribeRule](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_DescribeRule.html)  |  `events:DescribeRule` Required to list the details about a rule.  | 
|  [DisableRule](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_DisableRule.html)  |  `events:DisableRule` Required to disable a rule.  | 
|  [EnableRule](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_EnableRule.html)  |  `events:EnableRule` Required to enable a rule.  | 
|  [ListRuleNamesByTarget](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_ListRuleNamesByTarget.html)  |  `events:ListRuleNamesByTarget` Required to list the rules associated with a target.  | 
|  [ListRules](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_ListRules.html)  |  `events:ListRules` Required to list all rules in your account.  | 
|  [ListTargetsByRule](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_ListTargetsByRule.html)  |  `events:ListTargetsByRule` Required to list all targets associated with a rule.  | 
|  [PutEvents](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_PutEvents.html)  |  `events:PutEvents` Required to add custom events that can be matched to rules.  | 
|  [PutRule](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_PutRule.html)  |  `events:PutRule` Required to create or update a rule.  | 
|  [PutTargets](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_PutTargets.html)  |  `events:PutTargets` Required to add targets to a rule.  | 
|  [RemoveTargets](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_RemoveTargets.html)  |  `events:RemoveTargets` Required to remove targets from a rule.  | 
|  [TestEventPattern](https://docs.amazonaws.cn/AmazonCloudWatchEvents/latest/APIReference/API_TestEventPattern.html)  |  `events:TestEventPattern` Required to test an event pattern against a given event.  | 

## CloudWatch Logs API operations and required permissions for actions
<a name="cwl-permissions-table"></a>

**Note**  
The CloudWatch Logs permissions are listed in the [CloudWatch Logs User Guide](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html).

## Amazon EC2 API operations and required permissions for actions
<a name="cw-ec2-permissions-table"></a>


| Amazon EC2 API operations | Required permissions (API actions) | 
| --- | --- | 
|  [DescribeInstanceStatus](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeInstanceStatus.html)  |  `ec2:DescribeInstanceStatus` Required to view EC2 instance status details.  | 
|  [DescribeInstances](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeInstances.html)  |  `ec2:DescribeInstances` Required to view EC2 instance details.  | 
|  [RebootInstances](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_RebootInstances.html)  |  `ec2:RebootInstances` Required to reboot an EC2 instance.  | 
|  [StopInstances](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_StopInstances.html)  |  `ec2:StopInstances` Required to stop an EC2 instance.  | 
|  [TerminateInstances](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_TerminateInstances.html)  |  `ec2:TerminateInstances` Required to terminate an EC2 instance.  | 

## Amazon EC2 Auto Scaling API operations and required permissions for actions
<a name="cw-as-permissions-table"></a>


| Amazon EC2 Auto Scaling API operations | Required permissions (API actions) | 
| --- | --- | 
|  Scaling  |  `autoscaling:Scaling` Required to scale an Auto Scaling group.  | 
|  Trigger  |  `autoscaling:Trigger` Required to trigger an Auto Scaling action.  | 