CloudWatch API operations and required permissions for actions CloudWatch Application Signals API operations and required permissions for actions CloudWatch Contributor Insights API operations and required permissions for actions CloudWatch Events API operations and required permissions for actions CloudWatch Logs API operations and required permissions for actions Amazon EC2 API operations and required permissions for actions Amazon EC2 Auto Scaling API operations and required permissions for actions

Amazon CloudWatch permissions reference

The following table lists each CloudWatch API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your CloudWatch policies to express conditions. For a complete list of AWS-wide keys, see AWS Global and IAM Condition Context Keys in the IAM User Guide.

Note

To specify an action, use the cloudwatch: prefix followed by the API operation name. For example: cloudwatch:GetMetricData, cloudwatch:ListMetrics, or cloudwatch:* (for all CloudWatch actions).

Topics

CloudWatch API operations and required permissions for actions
CloudWatch Application Signals API operations and required permissions for actions
CloudWatch Contributor Insights API operations and required permissions for actions
CloudWatch Events API operations and required permissions for actions
CloudWatch Logs API operations and required permissions for actions
Amazon EC2 API operations and required permissions for actions
Amazon EC2 Auto Scaling API operations and required permissions for actions

CloudWatch API operations and required permissions for actions

CloudWatch API operations	Required permissions (API actions)
DeleteAlarms	`cloudwatch:DeleteAlarms` Required to delete an alarm.
DeleteDashboards	`cloudwatch:DeleteDashboards` Required to delete a dashboard.
DeleteMetricStream	`cloudwatch:DeleteMetricStream` Required to delete a metric stream.
DescribeAlarmHistory	`cloudwatch:DescribeAlarmHistory` Required to view alarm history. To retrieve information about composite alarms, your `cloudwatch:DescribeAlarmHistory` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:DescribeAlarmHistory` permission has a narrower scope.
DescribeAlarms	`cloudwatch:DescribeAlarms` Required to retrieve information about alarms. To retrieve information about composite alarms, your `cloudwatch:DescribeAlarms` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:DescribeAlarms` permission has a narrower scope.
DescribeAlarmsForMetric	`cloudwatch:DescribeAlarmsForMetric` Required to view alarms for a metric.
DisableAlarmActions	`cloudwatch:DisableAlarmActions` Required to disable an alarm action.
EnableAlarmActions	`cloudwatch:EnableAlarmActions` Required to enable an alarm action.
GetDashboard	`cloudwatch:GetDashboard` Required to display data about existing dashboards.
GetMetricData	`cloudwatch:GetMetricData` Required to graph metric data in the CloudWatch console, to retrieve large batches of metric data, and perform metric math on that data.
GetMetricStatistics	`cloudwatch:GetMetricStatistics` Required to view graphs in other parts of the CloudWatch console and in dashboard widgets.
GetMetricStream	`cloudwatch:GetMetricStream` Required to view information about a metric stream.
GetMetricWidgetImage	`cloudwatch:GetMetricWidgetImage` Required to retrieve a snapshot graph of one or more CloudWatch metrics as a bitmap image.
ListDashboards	`cloudwatch:ListDashboards` Required to view the list of CloudWatch dashboards in your account.
ListEntitiesForMetric (CloudWatch console-only permission)	`cloudwatch:ListEntitiesForMetric` Required to find the entities associated with a metric. Required to explore related telemetry within the CloudWatch console.
ListMetrics	`cloudwatch:ListMetrics` Required to view or search metric names within the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets.
ListMetricStreams	`cloudwatch:ListMetricStreams` Required to view or search the list of metric streams in the account.
PutCompositeAlarm	`cloudwatch:PutCompositeAlarm` Required to create a composite alarm. To create a composite alarm, your `cloudwatch:PutCompositeAlarm` permission must have a `*` scope. You can't return information about composite alarms if your `cloudwatch:PutCompositeAlarm` permission has a narrower scope.
PutDashboard	`cloudwatch:PutDashboard` Required to create a dashboard or update an existing dashboard.
PutMetricAlarm	`cloudwatch:PutMetricAlarm` Required to create or update an alarm.
PutMetricData	`cloudwatch:PutMetricData` Required to create metrics.
PutMetricStream	`cloudwatch:PutMetricStream` Required to create a metric stream.
SetAlarmState	`cloudwatch:SetAlarmState` Required to manually set an alarm's state.
StartMetricStreams	`cloudwatch:StartMetricStreams` Required to start the flow of metrics in a metric stream.
StopMetricStreams	`cloudwatch:StopMetricStreams` Required to temporarily stop the flow of metrics in a metric stream.
TagResource	`cloudwatch:TagResource` Required to add or update tags on CloudWatch resources such as alarms and Contributor Insights rules.
UntagResource	`cloudwatch:UntagResource` Required to remove tags from CloudWatch resources .

CloudWatch Application Signals API operations and required permissions for actions

CloudWatch Application Signals API operations	Required permissions (API actions)
BatchGetServiceLevelObjectiveBudgetReport	`application-signals:BatchGetServiceLevelObjectiveBudgetReport` Required to retrieve service level objective budget reports.
CreateServiceLevelObjective	`application-signals:CreateServiceLevelObjective` Required to create a service level objective (SLO).
DeleteServiceLevelObjective	`application-signals:DeleteServiceLevelObjective` Required to delete a service level objective (SLO).
GetService	`application-signals:GetService` Required to retrieve information about a service discovered by Application Signals.
GetServiceLevelObjective	`application-signals:GetServiceLevelObjective` Required to retrieve information about a service level objective (SLO).
ListServiceDependencies	`application-signals:ListServiceDependencies` Required to retrieve a list of service dependencies of a service that you specify. This service and the dependencies were discovered by Application Signals.
ListServiceDependents	`application-signals:ListServiceDependents` Required to retrieve a list of dependents that invoked a service that you specify. This service and the dependents were discovered by Application Signals.
ListServiceLevelObjectives	`application-signals:ListServiceLevelObjectives` Required to retrieve a list of service level objectives (SLOs) in the account.
ListServiceOperations	`application-signals:ListServiceOperations` Required to retrieve a list of service operations of a service that you specify. This service and the dependencies were discovered by Application Signals.
ListServices	`application-signals:ListServices` Required to retrieve a list of services discovered by Application Signals.
ListTagsForResource	`application-signals:ListTagsForResource` Required to retrieve a list of the tags associated with a resource.
StartDiscovery	`application-signals:StartDiscovery` Required to be able to enable Application Signals in the account and create the required service-linked role.
TagResource	`application-signals:TagResource` Required to be able to add tags to resources.
UntagResource	`application-signals:UntagResource` Required to be able to remove tags from resources.
UpdateServiceLevelObjective	`application-signals:UpdateServiceLevelObjective` Required to update an existing service level objective

CloudWatch Contributor Insights API operations and required permissions for actions

Important

When you grant a user the cloudwatch:PutInsightRule permission, by default that user can create a rule that evaluates any log group in CloudWatch Logs. You can add IAM policy conditions that limit these permissions for a user to include and exclude specific log groups. For more information, see Using condition keys to limit Contributor Insights users' access to log groups.

CloudWatch Contributor Insights API operations	Required permissions (API actions)
DeleteInsightRules	`cloudwatch:DeleteInsightRules` Required to delete Contributor Insights rules.
DescribeInsightRules	`cloudwatch:DescribeInsightRules` Required to view the Contributor Insights rules in your account.
EnableInsightRules	`cloudwatch:EnableInsightRules` Required to enable Contributor Insights rules.
GetInsightRuleReport	`cloudwatch:GetInsightRuleReport` Required to retrieve time series data and other statistics collectd by Contributor Insights rules.
PutInsightRule	`cloudwatch:PutInsightRule` Required to create Contributor Insights rules. See the Important note at the beginning of this table.

CloudWatch Events API operations and required permissions for actions

CloudWatch Events API operations	Required permissions (API actions)
DeleteRule	`events:DeleteRule` Required to delete a rule.
DescribeRule	`events:DescribeRule` Required to list the details about a rule.
DisableRule	`events:DisableRule` Required to disable a rule.
EnableRule	`events:EnableRule` Required to enable a rule.
ListRuleNamesByTarget	`events:ListRuleNamesByTarget` Required to list rules associated with a target.
ListRules	`events:ListRules` Required to list all rules in your account.
ListTargetsByRule	`events:ListTargetsByRule` Required to list all targets associated with a rule.
PutEvents	`events:PutEvents` Required to add custom events that can be matched to rules.
PutRule	`events:PutRule` Required to create or update a rule.
PutTargets	`events:PutTargets` Required to add targets to a rule.
RemoveTargets	`events:RemoveTargets` Required to remove a target from a rule.
TestEventPattern	`events:TestEventPattern` Required to test an event pattern against a given event.

CloudWatch Logs API operations and required permissions for actions

Note

CloudWatch Logs permissions can be found in the CloudWatch Logs user guide.

Amazon EC2 API operations and required permissions for actions

Amazon EC2 API operations	Required permissions (API actions)
DescribeInstanceStatus	`ec2:DescribeInstanceStatus` Required to view EC2 instance status details.
DescribeInstances	`ec2:DescribeInstances` Required to view EC2 instance details.
RebootInstances	`ec2:RebootInstances` Required to reboot an EC2 instance.
StopInstances	`ec2:StopInstances` Required to stop an EC2 instance.
TerminateInstances	`ec2:TerminateInstances` Required to terminate an EC2 instance.

Amazon EC2 Auto Scaling API operations and required permissions for actions

Amazon EC2 Auto Scaling API operations Required permissions (API actions)

Amazon EC2 Auto Scaling API operations	Required permissions (API actions)
Scaling	`autoscaling:Scaling` Required to scale an Auto Scaling group.
Trigger	`autoscaling:Trigger` Required to trigger an Auto Scaling action.

Scaling

autoscaling:Scaling

Required to scale an Auto Scaling group.

Trigger

autoscaling:Trigger

Required to trigger an Auto Scaling action.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS managed policies for Application Insights

Compliance validation