PutSinkPolicy
Creates or updates the resource policy that grants permissions to source accounts to link to the monitoring account sink. When you create a sink policy, you can grant permissions to all accounts in an organization or to individual accounts.
You can also use a sink policy to limit the types of data that is shared. The six types of services with their respective resource types that you can allow or deny are:
-
Metrics - Specify with
AWS::CloudWatch::Metric -
Log groups - Specify with
AWS::Logs::LogGroup -
Traces - Specify with
AWS::XRay::Trace -
Application Insights - Applications - Specify with
AWS::ApplicationInsights::Application -
Internet Monitor - Specify with
AWS::InternetMonitor::Monitor -
Application Signals - Specify with
AWS::ApplicationSignals::ServiceandAWS::ApplicationSignals::ServiceLevelObjective
See the examples in this section to see how to specify permitted source accounts and data types.
Request Syntax
POST /PutSinkPolicy HTTP/1.1
Content-type: application/json
{
"Policy": "string",
"SinkIdentifier": "string"
}URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- Policy
-
The JSON policy to use. If you are updating an existing policy, the entire existing policy is replaced by what you specify here.
The policy must be in JSON string format with quotation marks escaped and no newlines.
For examples of different types of policies, see the Examples section on this page.
Type: String
Required: Yes
- SinkIdentifier
-
The ARN of the sink to attach this policy to.
Type: String
Pattern:
^[a-zA-Z0-9][a-zA-Z0-9_:\.\-\/]{0,2047}$Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"Policy": "string",
"SinkArn": "string",
"SinkId": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
Errors
For information about the errors that are common to all actions, see Common Errors.
- InternalServiceFault
-
Unexpected error while processing the request. Retry the request.
HTTP Status Code: 500
- InvalidParameterException
-
A parameter is specified incorrectly.
HTTP Status Code: 400
- MissingRequiredParameterException
-
A required parameter is missing from the request.
HTTP Status Code: 400
- ResourceNotFoundException
-
The request references a resource that does not exist.
HTTP Status Code: 404
Examples
Permission for all accounts in an organization
The following example grants permission for all accounts in the organization
o-xxxxxxxxxxx to be linked to this sink.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Action\": [\"oam:CreateLink\", \"oam:UpdateLink\"], \"Effect\": \"Allow\", \"Resource\": \"*\", \"Principal\": \"*\", \"Condition\": { \"StringEquals\": { \"aws:PrincipalOrgID\": \"o-xxxxxxxxxxx\" } } }]}" }Permission for individual accounts, allowing all resource types
The following example grants permission for two specified accounts to be linked to this sink.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{ \"Action\": [\"oam:CreateLink\", \"oam:UpdateLink\"], \"Effect\": \"Allow\", \"Resource\": \"*\", \"Principal\": { \"AWS\": [\"1111111111111\", \"222222222222\"]} }] }"}Permission for individual accounts, allowing only metrics and logs to be shared
The following example grants permission for two specified accounts to be linked to this sink. The link allows metrics and logs to be shared, but not traces.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Action\": [\"oam:CreateLink\", \"oam:UpdateLink\"], \"Effect\": \"Allow\", \"Resource\": \"*\", \"Principal\": { \"AWS\": [\"1111111111111\", \"222222222222\"]}, \"Condition\": { \"ForAllValues:StringEquals\": { \"oam:ResourceTypes\": [ \"AWS::CloudWatch::Metric\", \"AWS::Logs::LogGroup\" ] } } }] }"
}Human-readable policy example- not for copying
The following example will not work if used, but is included to show a human-readable version of a sink policy. This is the same policy as the previous example, and grants permission for two specified accounts to be linked to this sink. The link allows metrics and logs to be shared, but not traces.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": {
"Version": "2012-10-17",
"Statement": [{
"Action": ["oam:CreateLink", "oam:UpdateLink"],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": ["1111111111111", "222222222222"]
},
"Condition": {
"ForAllValues:StringEquals": {
"oam:ResourceTypes": [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup"
]
}
}
}]
}
}Permissions for full usage of Application Insights
The following example policy will allow full usage of Application Insights. Full usage requires sharing of logs, metrics, traces, and application insights applications.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": {
"Version": "2012-10-17",
"Statement": [{
"Action": ["oam:CreateLink", "oam:UpdateLink"],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": ["1111111111111", "222222222222"]
},
"Condition": {
"ForAllValues:StringEquals": {
"oam:ResourceTypes": [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
"AWS::ApplicationInsights::Application"
]
}
}
}]
}
}Permissions for full usage of Internet Monitor
The following example policy will allow full usage of Internet Monitor. Full usage requires sharing of logs, metrics, and internet monitors.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": {
"Version": "2012-10-17",
"Statement": [{
"Action": ["oam:CreateLink", "oam:UpdateLink"],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": ["1111111111111", "222222222222"]
},
"Condition": {
"ForAllValues:StringEquals": {
"oam:ResourceTypes": [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::InternetMonitor::Monitor"
]
}
}
}]
}
}Permissions for full usage of Application Signals
The following example policy will allow full usage of Application Signals. Full usage requires sharing of logs, metrics, traces, and Application Signals services and service level objectives.
Sample Request
{
"SinkIdentifier": "arn:aws:oam:us-west-1:111111111111:sink/abcd1234-a123-456a-a12b-a123b456c789",
"Policy": {
"Version": "2012-10-17",
"Statement": [{
"Action": ["oam:CreateLink", "oam:UpdateLink"],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": ["1111111111111", "222222222222"]
},
"Condition": {
"ForAllValues:StringEquals": {
"oam:ResourceTypes": [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
"AWS::ApplicationSignals::Service",
"AWS::ApplicationSignals::ServiceLevelObjective"
]
}
}
}]
}
}See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
