Amazon CloudWatch Events
User Guide

Using Identity-Based Policies (IAM Policies) for CloudWatch Events

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

The following shows an example of a permissions policy that allows a user to put event data into Amazon Kinesis.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchEventsInvocationAccess",
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord"
            ],
            "Resource": "*"
        }
    ]
}

Permissions Required to Use the CloudWatch Console

For a user to work with CloudWatch Events in the CloudWatch console, that user must have a minimum set of permissions that allows the user to describe other AWS resources for their AWS account. To use CloudWatch Events in the CloudWatch console, you must have permissions from the following services:

  • Automation

  • Auto Scaling

  • CloudTrail

  • CloudWatch

  • CloudWatch Events

  • IAM

  • Amazon Kinesis

  • Lambda

  • Amazon SNS

  • Amazon SWF

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the CloudWatch console, also attach the CloudWatchEventsReadOnlyAccess managed policy to the user, as described in AWS Managed (Predefined) Policies for CloudWatch Events.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the CloudWatch API.

The full set of permissions required to work with the CloudWatch console is listed below:

  • automation:CreateAction

  • automation:DescribeAction

  • automation:UpdateAction

  • autoscaling:DescribeAutoScalingGroups

  • cloudtrail:DescribeTrails

  • ec2:DescribeInstances

  • ec2:DescribeVolumes

  • events:DeleteRule

  • events:DescribeRule

  • events:DisableRule

  • events:EnableRule

  • events:ListRuleNamesByTarget

  • events:ListRules

  • events:ListTargetsByRule

  • events:PutEvents

  • events:PutRule

  • events:PutTargets

  • events:RemoveTargets

  • events:TestEventPattern

  • iam:ListRoles

  • kinesis:ListStreams

  • lambda:AddPermission

  • lambda:ListFunctions

  • lambda:RemovePermission

  • sns:GetTopicAttributes

  • sns:ListTopics

  • sns:SetTopicAttributes

  • swf:DescribeAction

  • swf:ReferenceAction

  • swf:RegisterAction

  • swf:RegisterDomain

  • swf:UpdateAction
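The list above is what the console needs, but a policy rarely spells every action out; it uses wildcards such as events:* and may carry Deny statements. The following is an added example, not code from the AWS documentation, that reports which of the 32 required console actions a given policy document fails to grant. It applies two IAM evaluation rules that matter for this check: action names match case-insensitively with * and ? wildcards, and an explicit Deny overrides an Allow. It ignores Resource and Condition (the console actions above are granted on "*") and does not handle NotAction; the two sample policies are constructed for the example.

```python
"""Coverage check for the CloudWatch console's required permissions (added example)."""
import fnmatch

# The 32 actions the page lists under "Permissions Required to Use the CloudWatch Console".
CONSOLE_REQUIRED_ACTIONS = [
    "automation:CreateAction", "automation:DescribeAction", "automation:UpdateAction",
    "autoscaling:DescribeAutoScalingGroups", "cloudtrail:DescribeTrails",
    "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule",
    "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule",
    "events:PutEvents", "events:PutRule", "events:PutTargets", "events:RemoveTargets",
    "events:TestEventPattern",
    "iam:ListRoles", "kinesis:ListStreams",
    "lambda:AddPermission", "lambda:ListFunctions", "lambda:RemovePermission",
    "sns:GetTopicAttributes", "sns:ListTopics", "sns:SetTopicAttributes",
    "swf:DescribeAction", "swf:ReferenceAction", "swf:RegisterAction",
    "swf:RegisterDomain", "swf:UpdateAction",
]


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, candidates):
    """Subset of `candidates` the policy grants: matched by an Allow and by no Deny."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in candidates if _matches(pattern, a))
    return allowed - denied


def missing_console_actions(policy):
    """Required console actions the policy does not grant, sorted for stable output."""
    return sorted(set(CONSOLE_REQUIRED_ACTIONS) - granted_actions(policy, CONSOLE_REQUIRED_ACTIONS))


# Constructed sample: full events access and EC2 describe, but rule deletion explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSubset", "Effect": "Allow",
         "Action": ["events:*", "ec2:Describe*", "iam:ListRoles"], "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "events:DeleteRule", "Resource": "*"},
    ],
}

# Constructed sample that covers every required action through service-level wildcards
# (broader than the page's Example 3, which names the actions individually).
BROAD_CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "automation:*", "autoscaling:Describe*", "cloudtrail:DescribeTrails", "ec2:Describe*",
        "events:*", "iam:ListRoles", "kinesis:ListStreams", "lambda:*", "sns:*", "swf:*"]}],
}

if __name__ == "__main__":
    for name, doc in (("SAMPLE_POLICY", SAMPLE_POLICY), ("BROAD_CONSOLE_POLICY", BROAD_CONSOLE_POLICY)):
        missing = missing_console_actions(doc)
        print(f"{name}: {len(missing)} required console action(s) missing")
        for action in missing:
            print("  -", action)
```

Run against SAMPLE_POLICY the check reports 18 missing actions, including events:DeleteRule even though events:* allows it, because the Deny wins; BROAD_CONSOLE_POLICY reports none. The check is deliberately coarse: a policy that passes it can still fail in the console if a Resource or Condition element narrows the grant.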

AWS Managed (Predefined) Policies for CloudWatch Events

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to CloudWatch Events:

  • CloudWatchEventsFullAccess – Grants full access to CloudWatch Events.

  • CloudWatchEventsInvocationAccess – Allows CloudWatch Events to relay events to the Amazon Kinesis streams in your account.

  • CloudWatchEventsReadOnlyAccess – Grants read-only access to CloudWatch Events.

  • CloudWatchEventsBuiltInTargetExecutionAccess – Allows built-in targets in CloudWatch Events to perform Amazon EC2 actions on your behalf.

IAM Roles for Sending Events

For CloudWatch Events to relay events to your Amazon Kinesis stream targets, you must create an IAM role.

To create an IAM role for sending CloudWatch Events

  1. Open the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. Follow the steps in Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide to create an IAM role. As you follow the steps to create a role, do the following:

    • In Role Name, use a name that is unique within your AWS account (for example, CloudWatchEventsSending).

    • In Select Role Type, choose AWS Service Roles, and then choose Amazon CloudWatch Events. This grants CloudWatch Events permissions to assume the role.

    • In Attach Policy, choose CloudWatchEventsInvocationAccess.

You can also create your own custom IAM policies to allow permissions for CloudWatch Events actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide. For more information about managing and creating custom IAM policies, see Managing IAM Policies in the IAM User Guide.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various CloudWatch Events actions. These policies work when you are using the CloudWatch Events API, AWS SDKs, or the AWS CLI.

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

You can use the following sample IAM policies to limit CloudWatch Events access for your IAM users and roles.

Example 1: CloudWatchEventsBuiltInTargetExecutionAccess

The following policy allows built-in targets in CloudWatch Events to perform Amazon EC2 actions on your behalf.

Important

Creating rules with built-in targets is supported only in the AWS Management Console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchEventsBuiltInTargetExecutionAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:CreateSnapshot"
            ],
            "Resource": "*"
        }
    ]
}

Example 2: CloudWatchEventsInvocationAccess

The following policy allows CloudWatch Events to relay events to the Amazon Kinesis streams in your account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchEventsInvocationAccess",
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord"
            ],
            "Resource": "*"
        }
    ]
}

Example 3: CloudWatchEventsConsoleAccess

The following policy ensures that IAM users can use the CloudWatch Events console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchEventsConsoleAccess",
            "Effect": "Allow",
            "Action": [
                "automation:CreateAction",
                "automation:DescribeAction",
                "automation:UpdateAction",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudtrail:DescribeTrails",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "events:*",
                "iam:ListRoles",
                "kinesis:ListStreams",
                "lambda:AddPermission",
                "lambda:ListFunctions",
                "lambda:RemovePermission",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "sns:SetTopicAttributes",
                "swf:DescribeAction",
                "swf:ReferenceAction",
                "swf:RegisterAction",
                "swf:RegisterDomain",
                "swf:UpdateAction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRoleForCloudWatchEvents",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/AWS_Events_Invoke_Targets",
                "arn:aws:iam::*:role/AWS_Events_Actions_Execution"
            ]
        }
    ]
}

Example 4: CloudWatchEventsFullAccess

The following policy allows performing actions against CloudWatch Events through the AWS CLI and SDK.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchEventsFullAccess",
            "Effect": "Allow",
            "Action": "events:*",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRoleForCloudWatchEvents",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/AWS_Events_Invoke_Targets"
        }
    ]
}
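The IAMPassRoleForCloudWatchEvents statements in Examples 3 and 4 grant iam:PassRole only on named role ARNs (AWS_Events_Invoke_Targets and AWS_Events_Actions_Execution) rather than on "*". That scoping is the security-relevant part of these policies: a principal allowed to pass any role to the service can have CloudWatch Events act with permissions the principal does not hold itself. The following is an added example, not code from the AWS documentation, that lints a policy document for PassRole grants (direct, or implied by a wildcard such as iam:* or *) whose resource is "*" or a role ARN with a wildcard in the role name. Account-ID wildcards of the form arn:aws:iam::*:role/Name are accepted, matching the page's examples. The loosened policy and its account ID are constructed for the example.

```python
"""Lint iam:PassRole statements for wildcard role resources (added example)."""
import fnmatch


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_role(resource):
    """True for "*" and for IAM role ARNs whose role path/name contains a wildcard."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "iam":
        return False
    return parts[5] == "*" or (parts[5].startswith("role/") and "*" in parts[5])


def unscoped_passrole_findings(policy):
    """(Sid, resource) pairs for Allow statements that grant PassRole on a wildcard role."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names match case-insensitively; "iam:*" and "*" both cover PassRole.
        grants_passrole = any(
            fnmatch.fnmatchcase("iam:passrole", pattern.lower())
            for pattern in _as_list(stmt.get("Action")))
        if not grants_passrole:
            continue
        for resource in _as_list(stmt.get("Resource")):
            if _is_wildcard_role(resource):
                findings.append((stmt.get("Sid", "<no Sid>"), resource))
    return findings


def passrole_statement(role_arns, sid="IAMPassRoleForCloudWatchEvents"):
    """Build a PassRole statement scoped to explicit role ARNs, in the shape the page's examples use."""
    return {"Sid": sid, "Effect": "Allow", "Action": "iam:PassRole", "Resource": list(role_arns)}


# The page's Example 4 policy, reproduced as input: its PassRole resource names one role.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchEventsFullAccess", "Effect": "Allow", "Action": "events:*", "Resource": "*"},
        {"Sid": "IAMPassRoleForCloudWatchEvents", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/AWS_Events_Invoke_Targets"},
    ],
}

# Constructed variant: PassRole loosened to "*", plus an "iam:*" statement that grants
# PassRole implicitly on every role in a fictitious account.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchEventsFullAccess", "Effect": "Allow", "Action": "events:*", "Resource": "*"},
        {"Sid": "IAMPassRoleForCloudWatchEvents", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*"},
        {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789012:role/*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("FULL_ACCESS_POLICY", FULL_ACCESS_POLICY), ("LOOSE_POLICY", LOOSE_POLICY)):
        for sid, resource in unscoped_passrole_findings(doc) or [(None, None)]:
            print(f"{name}: " + (f"unscoped PassRole in {sid!r} on {resource!r}" if sid else "ok"))
    print("scoped replacement:", passrole_statement(["arn:aws:iam::*:role/AWS_Events_Invoke_Targets"]))
```

The page's Example 4 produces no findings; the constructed LOOSE_POLICY produces two, one for the "*" resource and one for the role/* ARN reached through iam:*. Deny statements are skipped on purpose: the check reports what is granted, and a separate Deny would have to be evaluated with the same wildcard rules before concluding the grant is neutralised.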

Example 5: CloudWatchEventsReadOnlyAccess

The following policy provides read-only access to CloudWatch Events.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchEventsReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "events:Describe*",
                "events:List*",
                "events:TestEventPattern"
            ],
            "Resource": "*"
        }
    ]
}