IAM policies to use Evidently
To fully manage CloudWatch Evidently, you must be signed in as an IAM user or role that has the following permissions:
The AmazonCloudWatchEvidentlyFullAccess policy
The ResourceGroupsandTagEditorReadOnlyAccess policy
Additionally, to be able to create a project that stores evaluation events in Amazon S3 or CloudWatch Logs, you need the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogDelivery", "logs:DeleteLogDelivery", "logs:DescribeResourcePolicies", "logs:PutResourcePolicy" ], "Resource": [ "*" ] } ] }
Additional permissions for CloudWatch RUM integration
Additionally, if you intend to manage Evidently launches or experiments that integrate with Amazon CloudWatch RUM and use CloudWatch RUM metrics for monitoring, you need the AmazonCloudWatchRUMFullAccess policy. To create an IAM role to give the CloudWatch RUM web client permission to send data to CloudWatch RUM, you need the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*", "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*" ] } ] }
Permissions for read-only access to Evidently
For other users who need to view Evidently data but don't need to create Evidently resources, you can grant the AmazonCloudWatchEvidentlyReadOnlyAccess policy.
