How do I restrict access to the CloudWatch console?


I want to restrict access to the Amazon CloudWatch console by allowing specific users to perform specific actions on CloudWatch resources. How can I do this?

Short description

If you are the administrator of your AWS account, you can use identity-based policies to attach permissions to AWS Identity and Access Management (IAM) entities (users, groups, or roles). These identity-based policies can give your IAM entities the permissions they need to perform operations on CloudWatch resources. To do this:

  • Create a custom read and write policy for CloudWatch resources using the IAM console
  • Attach the policy to an IAM user

Resolution

Create a custom policy for CloudWatch resources

Note: To view all of the permissions that you need to work with CloudWatch, see Permissions required to use the CloudWatch console.

To create a custom policy for your CloudWatch resources, follow these steps:

1.    Open the IAM console.

2.    Choose Policies, and then choose Create Policy.

3.    Choose JSON, and create a custom policy using this structure:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Description_1",
            "Effect": "Allow",
            "Action": ["<permissions required>"],
            "Resource": "*"
        },
        {
            "Sid": "Description_2",
            "Effect": "Allow",
            "Action": ["<permissions required>"],
            "Resource": "*"
        },
        ...
        {
            "Sid": "Description_n",
            "Effect": "Allow",
            "Action": ["<permissions required>"],
            "Resource": "*"
        }
    ]
}

Note: CloudWatch doesn't support resource-based policies, so there are no CloudWatch ARNs that you can use in an IAM policy. Use "*" as the resource when you write a policy to control access to CloudWatch actions.

4.    Optionally, add a tag to your policy.

5.    Choose Review policy, and then enter a name and description for your policy (for example, CWPermissions).

6.    Choose Create Policy.

Attach a custom policy to an IAM user

To attach the custom policy that you created to an IAM user, follow these steps:

1.    Open the IAM console.

2.    From the navigation pane, choose Users.

3.    Choose the user that you want to add permissions to, and then choose Add permissions.

4.    Choose Attach existing policies directly, and then choose the custom CloudWatch policy that you created.

5.    Choose Next: Review, and then choose Add permissions.

This example policy allows users to create and visualize alarms in CloudWatch:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAlarms",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:EnableAlarmActions",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DisableAlarmActions",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:SetAlarmState"
            ],
            "Resource": "*"
        },
        {
            "Sid": "visualizeAlarms",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}
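The following script is an added example, not code from this article or from AWS. It builds a policy document in the shape of the template shown earlier (one Allow statement per Sid, every action on Resource "*"), then runs a few reviewer checks over it before the document is pasted into the IAM console: the JSON must parse, every action must be in the cloudwatch: namespace, no statement may use a wildcard action, and the actions are split into read-only and write sets so you can see exactly what a user will be able to change. The function names, the constructed inputs and the read-only prefix classification (Describe/Get/List) are assumptions made for this example; the example policy above is reproduced as the sample input, once correctly and once with a dropped comma to show what the parse check catches.

```python
import json

# Assumed classification for this example: CloudWatch API names starting
# with these prefixes are treated as read-only, everything else as a write.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def build_cloudwatch_policy(statements):
    """Build an identity-based policy document following the article's
    template: one Allow statement per Sid, all actions on Resource "*".
    `statements` maps a Sid to a list of cloudwatch:* action names."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": "*"}
            for sid, actions in statements.items()
        ],
    }


def lint_cloudwatch_policy(document):
    """Return a list of findings for a policy document (dict or JSON string).
    An empty list means every check passed."""
    findings = []
    if isinstance(document, str):
        try:
            document = json.loads(document)
        except json.JSONDecodeError as exc:
            # The IAM console rejects a document that does not parse.
            return [f"invalid JSON: {exc}"]
    if document.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    seen_sids = set()
    for stmt in document.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if sid in seen_sids:
            findings.append(f"duplicate Sid {sid}")
        seen_sids.add(sid)
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is not Allow")
        if stmt.get("Resource") != "*":
            findings.append(f'{sid}: Resource should be "*" for CloudWatch actions')
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if service != "cloudwatch":
                findings.append(f"{sid}: {action} is not a cloudwatch: action")
            elif name == "*" or name.endswith("*"):
                findings.append(f"{sid}: wildcard action {action} grants more than the console needs")
    return findings


def split_read_write(document):
    """Split a policy's actions into (read_only, write) sets so a reviewer
    can see which statements let the user change alarms or metrics."""
    read_only, write = set(), set()
    for stmt in document.get("Statement", []):
        for action in stmt.get("Action", []):
            name = action.partition(":")[2]
            (read_only if name.startswith(READ_ONLY_PREFIXES) else write).add(action)
    return read_only, write


# Constructed input: the actions from the article's example policy.
EXAMPLE_STATEMENTS = {
    "CreateAlarms": [
        "cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:EnableAlarmActions", "cloudwatch:DeleteAlarms",
        "cloudwatch:DisableAlarmActions", "cloudwatch:DescribeAlarms",
        "cloudwatch:SetAlarmState",
    ],
    "visualizeAlarms": [
        "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
    ],
}

EXAMPLE_POLICY = build_cloudwatch_policy(EXAMPLE_STATEMENTS)

# The same document with the comma after ListMetrics dropped: a typo the
# parse check reports before you reach the console.
BROKEN_JSON = json.dumps(EXAMPLE_POLICY, indent=4).replace(
    '"cloudwatch:ListMetrics",', '"cloudwatch:ListMetrics"', 1)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=4))
    print("lint:", lint_cloudwatch_policy(EXAMPLE_POLICY) or "OK")
    print("lint (broken):", lint_cloudwatch_policy(BROKEN_JSON))
    read_only, write = split_read_write(EXAMPLE_POLICY)
    print("read-only:", sorted(read_only))
    print("write:", sorted(write))
```

Save the printed document to a file and the console steps above have a CLI equivalent: `aws iam create-policy --policy-name CWPermissions --policy-document file://cw-policy.json` creates the customer managed policy, and `aws iam attach-user-policy --user-name <user> --policy-arn <arn from the previous call>` attaches it to the user. The write set the script prints is the part worth reviewing before attaching: a user who only needs dashboards needs nothing from it.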


Related information

Using identity-based policies (IAM policies) for CloudWatch

AWS OFFICIAL
Updated 2 years ago