Actions, resources, and condition keys for Amazon CloudWatch

Amazon CloudWatch (service prefix: cloudwatch) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon CloudWatch
Resource types defined by Amazon CloudWatch
Condition keys for Amazon CloudWatch

Actions defined by Amazon CloudWatch

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys
BatchGetServiceLevelIndicatorReport	Grants permission to batch get service level indicator report	Read
BatchGetServiceLevelObjectiveBudgetReport	Grants permission to batch retrieve a service level objective budget report	Read	slo*
CreateServiceLevelObjective	Grants permission to create a service level objective	Write		aws:RequestTag/${TagKey} aws:TagKeys
DeleteAlarms	Grants permission to delete a collection of alarms	Write	alarm*
DeleteAnomalyDetector	Grants permission to delete the specified anomaly detection model from your account	Write
DeleteDashboards	Grants permission to delete all CloudWatch dashboards that you specify	Write	dashboard*
DeleteInsightRules	Grants permission to delete a collection of insight rules	Write	insight-rule*
DeleteMetricStream	Grants permission to delete the CloudWatch metric stream that you specify	Write	metric-stream*
DeleteServiceLevelObjective	Grants permission to delete a service level objective	Write	slo*
DescribeAlarmHistory	Grants permission to retrieve the history for the specified alarm	Read	alarm*
DescribeAlarms	Grants permission to describe all alarms, currently owned by the user's account	Read	alarm*
DescribeAlarmsForMetric	Grants permission to describe all alarms configured on the specified metric, currently owned by the user's account	Read
DescribeAnomalyDetectors	Grants permission to list the anomaly detection models that you have created in your account	Read
DescribeInsightRules	Grants permission to describe all insight rules, currently owned by the user's account	Read
DisableAlarmActions	Grants permission to disable actions for a collection of alarms	Write	alarm*
DisableInsightRules	Grants permission to disable a collection of insight rules	Write	insight-rule*
EnableAlarmActions	Grants permission to enable actions for a collection of alarms	Write	alarm*
EnableInsightRules	Grants permission to enable a collection of insight rules	Write	insight-rule*
EnableTopologyDiscovery	Grants permission to enable a CloudWatch topology discovery	Write
GenerateQuery	Grants permission to generate a Metrics Insights or Logs Insights query string from a natural language prompt	Read
GetDashboard	Grants permission to display the details of the CloudWatch dashboard you specify	Read	dashboard*
GetInsightRuleReport	Grants permission to return the top-N report of unique contributors over a time range for a given insight rule	Read	insight-rule*
GetMetricData	Grants permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data	Read
GetMetricStatistics	Grants permission to retrieve statistics for the specified metric	Read
GetMetricStream	Grants permission to return the details of a CloudWatch metric stream	Read	metric-stream*
GetMetricWidgetImage	Grants permission to retrieve snapshots of metric widgets	Read
GetService	Grants permission to retrieve information about a service	Read	service*
GetServiceData [permission only]	Grants permission to retrieve service data	Read	service*
GetServiceLevelObjective	Grants permission to retrieve information about service level objective	Read	slo*
GetTopologyDiscoveryStatus [permission only]	Grants permission to retrieve a CloudWatch topology discovery status	Read
GetTopologyMap	Grants permission to retrieve a CloudWatch topology map	Read
Link [permission only]	Grants permission to share CloudWatch resources with a monitoring account	Write
ListDashboards	Grants permission to return a list of all CloudWatch dashboards in your account	List
ListEntitiesForMetric [permission only]	Grants permission to retrieve all the entities that are emitting a given metric	List
ListManagedInsightRules	Grants permission to list available managed Insight Rules for a given Resource ARN	Read		aws:RequestTag/${TagKey} aws:TagKeys cloudwatch:requestManagedResourceARNs
ListMetricStreams	Grants permission to return a list of all CloudWatch metric streams in your account	List
ListMetrics	Grants permission to retrieve a list of valid metrics stored for the AWS account owner	List
ListServiceLevelObjectives	Grants permission to list service level objectives	List
ListServices	Grants permission to list services	List
ListTagsForResource	Grants permission to list tags for an Amazon CloudWatch resource	List	alarm
			insight-rule
			slo
	SCENARIO: CloudWatch-Alarm		alarm*
	SCENARIO: CloudWatch-InsightRule		insight-rule*
	SCENARIO: CloudWatch-ServiceLevelObjective		slo*
PutAnomalyDetector	Grants permission to create or update an anomaly detection model for a CloudWatch metric	Write
PutCompositeAlarm	Grants permission to create or update a composite alarm	Write	alarm*
PutCompositeAlarm	Grants permission to create or update a composite alarm	Write		aws:RequestTag/${TagKey} aws:TagKeys cloudwatch:AlarmActions
PutDashboard	Grants permission to create a CloudWatch dashboard, or update an existing dashboard if it already exists	Write	dashboard*
PutInsightRule	Grants permission to create a new insight rule or replace an existing insight rule	Write	insight-rule*
PutInsightRule		Write		aws:RequestTag/${TagKey} aws:TagKeys cloudwatch:requestInsightRuleLogGroups
PutManagedInsightRules	Grants permission to create managed Insight Rules	Write		aws:RequestTag/${TagKey} aws:TagKeys cloudwatch:requestManagedResourceARNs
PutMetricAlarm	Grants permission to create or update an alarm and associates it with the specified Amazon CloudWatch metric	Write	alarm*
PutMetricAlarm		Write		aws:RequestTag/${TagKey} aws:TagKeys cloudwatch:AlarmActions
PutMetricData	Grants permission to publish metric data points to Amazon CloudWatch	Write		cloudwatch:namespace
PutMetricStream	Grants permission to create a CloudWatch metric stream, or update an existing metric stream if it already exists	Write	metric-stream*
PutMetricStream		Write		aws:RequestTag/${TagKey} aws:TagKeys
SetAlarmState	Grants permission to temporarily set the state of an alarm for testing purposes	Write	alarm*
StartMetricStreams	Grants permission to start all CloudWatch metric streams that you specify	Write	metric-stream*
StopMetricStreams	Grants permission to stop all CloudWatch metric streams that you specify	Write	metric-stream*
TagResource	Grants permission to add tags to an Amazon CloudWatch resource	Tagging	alarm
			insight-rule
			slo
				aws:TagKeys aws:RequestTag/${TagKey}
	SCENARIO: CloudWatch-Alarm		alarm*
	SCENARIO: CloudWatch-InsightRule		insight-rule*
	SCENARIO: CloudWatch-ServiceLevelObjective		slo*
UntagResource	Grants permission to remove a tag from an Amazon CloudWatch resource	Tagging	alarm
			insight-rule
			slo
				aws:TagKeys
	SCENARIO: CloudWatch-Alarm		alarm*
	SCENARIO: CloudWatch-InsightRule		insight-rule*
	SCENARIO: CloudWatch-ServiceLevelObjective		slo*
UpdateServiceLevelObjective	Grants permission to update a service level objective	Write	slo*

Resource types defined by Amazon CloudWatch

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
alarm	`arn:${Partition}:cloudwatch:${Region}:${Account}:alarm:${AlarmName}`	aws:ResourceTag/${TagKey}
dashboard	`arn:${Partition}:cloudwatch::${Account}:dashboard/${DashboardName}`
insight-rule	`arn:${Partition}:cloudwatch:${Region}:${Account}:insight-rule/${InsightRuleName}`	aws:ResourceTag/${TagKey}
metric-stream	`arn:${Partition}:cloudwatch:${Region}:${Account}:metric-stream/${MetricStreamName}`	aws:ResourceTag/${TagKey}
slo	`arn:${Partition}:cloudwatch:${Region}:${Account}:slo/${SloName}`	aws:ResourceTag/${TagKey}
service	`arn:${Partition}:cloudwatch:${Region}:${Account}:service/${ServiceName}-${UniqueAttributesHex}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon CloudWatch

Amazon CloudWatch defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters actions based on the allowed set of values for each of the tags	String
aws:ResourceTag/${TagKey}	Filters actions based on tag-value associated with the resource	String
aws:TagKeys	Filters actions based on the presence of mandatory tags in the request	ArrayOfString
cloudwatch:AlarmActions	Filters actions based on defined alarm actions	ArrayOfString
cloudwatch:namespace	Filters actions based on the presence of optional namespace values	String
cloudwatch:requestInsightRuleLogGroups	Filters actions based on the Log Groups specified in an Insight Rule	ArrayOfString
cloudwatch:requestManagedResourceARNs	Filters access by the Resource ARNs specified in a managed Insight Rule	ArrayOfARN

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS CloudTrail Data

Amazon CloudWatch Application Insights