Amazon CloudWatch
User Guide

Amazon CloudWatch Permissions Reference

When you set up Access Control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following tables as a reference. The tables list each CloudWatch API operation and the corresponding action for which you can grant permission. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your CloudWatch policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the cloudwatch: prefix followed by the API operation name. For example: cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics, or cloudwatch:* (for all CloudWatch actions).
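The following Python example is added here and is not part of the AWS guide. It expands the Action patterns of an identity-based policy against the CloudWatch actions listed in the table below and reports which statements grant state-changing actions, which shows what a wildcard such as cloudwatch:* actually allows. The sample policy is constructed, the function names `expand` and `audit` are hypothetical, and the read/write split of the actions is this example's assumption based on the table's descriptions.

```python
import json
import re

# CloudWatch operations from this page's table. The read/write split is an
# assumption of this example, inferred from the table's descriptions.
READ = {"DescribeAlarmHistory", "DescribeAlarms", "DescribeAlarmsForMetric",
        "GetMetricData", "GetMetricStatistics", "ListMetrics"}
WRITE = {"DeleteAlarms", "DisableAlarmActions", "EnableAlarmActions",
         "PutMetricAlarm", "PutMetricData", "SetAlarmState"}

# Constructed sample policy: actions use the cloudwatch: prefix, Resource is "*",
# and the first statement adds an AWS-wide condition key.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Dashboards", "Effect": "Allow",
     "Action": ["cloudwatch:Get*", "cloudwatch:ListMetrics"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "Everything", "Effect": "Allow",
     "Action": "cloudwatch:*", "Resource": "*"}
  ]
}
""")

def expand(pattern):
    """Return the listed CloudWatch operations matched by one Action pattern."""
    service, _, name = pattern.partition(":")
    if service.lower() != "cloudwatch":
        return set()
    # IAM matches actions case-insensitively; * is any run, ? is one character.
    rx = re.escape(name).replace(r"\*", ".*").replace(r"\?", ".")
    return {op for op in READ | WRITE if re.fullmatch(rx, op, re.IGNORECASE)}

def audit(policy):
    """Map each Allow statement's Sid to the state-changing actions it grants."""
    findings = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        granted = set().union(*(expand(a) for a in actions))
        findings[stmt["Sid"]] = sorted(granted & WRITE)
    return findings

if __name__ == "__main__":
    for sid, writes in audit(POLICY).items():
        print(sid, "->", writes or "read-only")
```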

CloudWatch API Operations and Required Permissions for Actions

| CloudWatch API Operations | Required Permissions (API Actions) | Description |
| --- | --- | --- |
| DeleteAlarms | cloudwatch:DeleteAlarms | Required to delete an alarm. |
| DescribeAlarmHistory | cloudwatch:DescribeAlarmHistory | Required to view alarm history. |
| DescribeAlarms | cloudwatch:DescribeAlarms | Required to retrieve alarm information by name. |
| DescribeAlarmsForMetric | cloudwatch:DescribeAlarmsForMetric | Required to view alarms for a metric. |
| DisableAlarmActions | cloudwatch:DisableAlarmActions | Required to disable an alarm action. |
| EnableAlarmActions | cloudwatch:EnableAlarmActions | Required to enable an alarm action. |
| GetMetricData | cloudwatch:GetMetricData | Required to view or list dashboards and view metric data in dashboard widgets. |
| GetMetricStatistics | cloudwatch:GetMetricStatistics | Required to view graphs in other parts of the CloudWatch console and in dashboard widgets. |
| ListMetrics | cloudwatch:ListMetrics | Required to view or search metric names within the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets. |
| PutMetricAlarm | cloudwatch:PutMetricAlarm | Required to create or update an alarm. |
| PutMetricData | cloudwatch:PutMetricData | Required to create metrics and create or delete dashboards. |
| SetAlarmState | cloudwatch:SetAlarmState | Required to manually set an alarm's state. |


CloudWatch Events API Operations and Required Permissions for Actions

| CloudWatch Events API Operations | Required Permissions (API Actions) | Description |
| --- | --- | --- |
| DeleteRule | events:DeleteRule | Required to delete a rule. |
| DescribeRule | events:DescribeRule | Required to list the details about a rule. |
| DisableRule | events:DisableRule | Required to disable a rule. |
| EnableRule | events:EnableRule | Required to enable a rule. |
| ListRuleNamesByTarget | events:ListRuleNamesByTarget | Required to list rules associated with a target. |
| ListRules | events:ListRules | Required to list all rules in your account. |
| ListTargetsByRule | events:ListTargetsByRule | Required to list all targets associated with a rule. |
| PutEvents | events:PutEvents | Required to add custom events that can be matched to rules. |
| PutRule | events:PutRule | Required to create or update a rule. |
| PutTargets | events:PutTargets | Required to add targets to a rule. |
| RemoveTargets | events:RemoveTargets | Required to remove a target from a rule. |
| TestEventPattern | events:TestEventPattern | Required to test an event pattern against a given event. |


CloudWatch Logs API Operations and Required Permissions for Actions

| CloudWatch Logs API Operations | Required Permissions (API Actions) | Description |
| --- | --- | --- |
| CancelExportTask | logs:CancelExportTask | Required to cancel a pending or running export task. |
| CreateExportTask | logs:CreateExportTask | Required to export data from a log group to an Amazon S3 bucket. |
| CreateLogGroup | logs:CreateLogGroup | Required to create a new log group. |
| CreateLogStream | logs:CreateLogStream | Required to create a new log stream in a log group. |
| DeleteDestination | logs:DeleteDestination | Required to delete a log destination and disable any subscription filters to it. |
| DeleteLogGroup | logs:DeleteLogGroup | Required to delete a log group and any associated archived log events. |
| DeleteLogStream | logs:DeleteLogStream | Required to delete a log stream and any associated archived log events. |
| DeleteMetricFilter | logs:DeleteMetricFilter | Required to delete a metric filter associated with a log group. |
| DeleteRetentionPolicy | logs:DeleteRetentionPolicy | Required to delete a log group's retention policy. |
| DeleteSubscriptionFilter | logs:DeleteSubscriptionFilter | Required to delete the subscription filter associated with a log group. |
| DescribeDestinations | logs:DescribeDestinations | Required to view all destinations associated with the account. |
| DescribeExportTasks | logs:DescribeExportTasks | Required to view all export tasks associated with the account. |
| DescribeLogGroups | logs:DescribeLogGroups | Required to view all log groups associated with the account. |
| DescribeLogStreams | logs:DescribeLogStreams | Required to view all log streams associated with a log group. |
| DescribeMetricFilters | logs:DescribeMetricFilters | Required to view all metrics associated with a log group. |
| DescribeSubscriptionFilters | logs:DescribeSubscriptionFilters | Required to view all subscription filters associated with a log group. |
| FilterLogEvents | logs:FilterLogEvents | Required to sort log events by log group filter pattern. |
| GetLogEvents | logs:GetLogEvents | Required to retrieve log events from a log stream. |
| PutDestination | logs:PutDestination | Required to create or update a destination log stream (such as an Amazon Kinesis stream). |
| PutDestinationPolicy | logs:PutDestinationPolicy | Required to create or update an access policy associated with an existing log destination. |
| PutLogEvents | logs:PutLogEvents | Required to upload a batch of log events to a log stream. |
| PutMetricFilter | logs:PutMetricFilter | Required to create or update a metric filter and associate it with a log group. |
| PutRetentionPolicy | logs:PutRetentionPolicy | Required to set the number of days to keep log events (retention) in a log group. |
| PutSubscriptionFilter | logs:PutSubscriptionFilter | Required to create or update a subscription filter and associate it with a log group. |
| TestMetricFilter | logs:TestMetricFilter | Required to test a filter pattern against a sampling of log event messages. |


Amazon EC2 API Operations and Required Permissions for Actions

| Amazon EC2 API Operations | Required Permissions (API Actions) | Description |
| --- | --- | --- |
| DescribeInstanceStatus | ec2:DescribeInstanceStatus | Required to view EC2 instance status details. |
| DescribeInstances | ec2:DescribeInstances | Required to view EC2 instance details. |
| RebootInstances | ec2:RebootInstances | Required to reboot an EC2 instance. |
| StopInstances | ec2:StopInstances | Required to stop an EC2 instance. |
| TerminateInstances | ec2:TerminateInstances | Required to terminate an EC2 instance. |


Auto Scaling API Operations and Required Permissions for Actions

| Auto Scaling API Operations | Required Permissions (API Actions) | Description |
| --- | --- | --- |
| Scaling | autoscaling:Scaling | Required to scale an Auto Scaling group. |
| Trigger | autoscaling:Trigger | Required to trigger an Auto Scaling action. |