Amazon CloudWatch integrates with AWS Identity and Access Management (AWS IAM) so that you can specify which CloudWatch actions a user in your AWS Account can perform. For example, you could create an AWS IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources.
You can't use AWS IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using AWS IAM cover all the cloud resources you use with CloudWatch. In addition, you can't use AWS IAM roles with the Amazon CloudWatch command line tools.
Important
Using Amazon CloudWatch with AWS IAM doesn't change how you use CloudWatch. There are no changes to CloudWatch actions, and no new CloudWatch actions related to users and access control.
For an example of a policy that covers CloudWatch actions, see Example Policy for CloudWatch.
CloudWatch itself has no specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an AWS IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions. For more information about ARNs, go to ARNs in Using IAM.
In an AWS IAM policy, you can specify any and all actions that CloudWatch offers. The action name must be prefixed with the lowercase string cloudwatch:. For example: cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics, or cloudwatch:* (for all CloudWatch actions). For a list of the actions, go to the Amazon CloudWatch API Reference.
CloudWatch implements the following policy keys, but no others. For more information about policy keys, go to Condition in Using IAM.
AWS-Wide Policy Keys
aws:CurrentTime—To check for date/time conditions.
aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.
aws:MultiFactorAuthAge—To check how long ago (in seconds) the MFA-validated security credentials making the request were issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is not used, this key is not present.
aws:principaltype—To check the type of principal (user, account, federated user, etc.) for the current request.
aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.
aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.
aws:UserAgent—To check the client application that made the request.
aws:userid—To check the user ID of the requester.
aws:username—To check the user name of the requester, if available.
Note
Key names are case sensitive.
This section shows a simple policy for controlling user access to Amazon CloudWatch.
Note
In the future, CloudWatch might add new actions that should logically be included in the following policy, based on the policy’s stated goals.
Example
The following sample policy allows a group to retrieve CloudWatch data, but only if the group uses SSL with the request.
{
  "Statement":[{
    "Effect":"Allow",
    "Action":["cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics"],
    "Resource":"*",
    "Condition":{
      "Bool":{
        "aws:SecureTransport":"true"
      }
    }
  }]
}

For general information about IAM, go to:
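To make the behaviour of the sample policy concrete, here is a small, added evaluator (not AWS code and not the real IAM engine; it models only Allow statements, action wildcards such as cloudwatch:*, the all-resources "*" and the Bool condition used above). It checks the page's policy against a few constructed request contexts, showing that the same action is allowed over SSL and denied without it or when aws:SecureTransport is absent, and that an action outside the policy's list is denied regardless.

```python
import fnmatch
import json

# Copy of the sample policy on this page, used as the example's input.
POLICY_JSON = """{
  "Statement":[{
    "Effect":"Allow",
    "Action":["cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics"],
    "Resource":"*",
    "Condition":{"Bool":{"aws:SecureTransport":"true"}}
  }]
}"""

# Constructed variant: every CloudWatch action, no condition (broad; shown for contrast).
WILDCARD_POLICY_JSON = '{"Statement":[{"Effect":"Allow","Action":"cloudwatch:*","Resource":"*"}]}'

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _bool_condition_holds(expected, context):
    # Keys are looked up exactly as written (the Note on this page: key names are
    # case sensitive). A key missing from the request context fails the condition.
    for key, wanted in expected.items():
        if key not in context:
            return False
        if str(context[key]).lower() != str(wanted).lower():
            return False
    return True

def is_allowed(policy_json, action, context):
    """Simplified IAM decision: default deny; allowed only if some Allow
    statement matches the action and all of its Bool conditions hold."""
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # this toy evaluator models Allow statements only
        # Action names match case-insensitively; "*" in a pattern is a wildcard.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if not _bool_condition_holds(bool_cond, context):
            continue
        return True
    return False

if __name__ == "__main__":
    for ctx in ({"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}, {}):
        print(ctx, "->", is_allowed(POLICY_JSON, "cloudwatch:GetMetricStatistics", ctx))
```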