Using resource-based policies with CloudWatch RUM - Amazon CloudWatch


You can attach a resource policy to a CloudWatch RUM app monitor. By default, app monitors do not have a resource policy attached to them. CloudWatch RUM resource-based policies do not support cross-account access.

To learn more about AWS resource policies, see Identity-based policies and resource-based policies.

To learn more about how resource policies and identity policies are evaluated, see Policy evaluation logic.

To learn more about IAM policy grammar, see IAM JSON policy element reference.

Supported actions

Resource-based policies on app monitors support the rum:PutRumEvents action.

Sample policies to use with CloudWatch RUM

The following example allows anyone to write data to your app monitor, including those without SigV4 credentials.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rum:PutRumEvents",
      "Resource": "arn:aws:rum:region:accountID:appmonitor/app monitor name",
      "Principal": "*"
    }
  ]
}

You can modify the policy to block specified source IP addresses by using the aws:SourceIp condition key. With this policy, PutRumEvents requests from the listed IP address are rejected, and requests from all other IP addresses are accepted. For more information about this condition key, see Properties of the network in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rum:PutRumEvents",
      "Resource": "arn:aws:rum:region:accountID:appmonitor/app monitor name",
      "Principal": "*"
    },
    {
      "Effect": "Deny",
      "Action": "rum:PutRumEvents",
      "Resource": "arn:aws:rum:region:accountID:appmonitor/app monitor name",
      "Principal": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "************"
        }
      }
    }
  ]
}

You can also choose to accept only PutRumEvents requests that are signed with a certain alias, using the rum:alias service context key. In the following example, PutRumEvents requests must set the optional Alias request parameter to either alias1 or alias2 for the event to be accepted. To configure your web client to send Alias, you must use version 1.20 or later of the CloudWatch RUM web client, as described in Application-specific Configurations on GitHub.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rum:PutRumEvents",
      "Resource": "arn:aws:rum:region:accountID:appmonitor/app monitor name",
      "Principal": "*",
      "Condition": {
        "StringEquals": {
          "rum:alias": [ "alias1", "alias2" ]
        }
      }
    }
  ]
}
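The following is an added example, not code from the CloudWatch RUM documentation or the AWS SDK: a small local model of the IAM evaluation logic (explicit Deny wins, then an Allow is required, otherwise implicit deny) restricted to the three condition operators the sample policies above use, run against constructed copies of the IP-deny and alias policies. It assumes the masked IP is replaced by the documentation address 203.0.113.7, that the Deny statement uses IpAddress so the listed address is rejected and all others accepted as the text describes, and it ignores Resource and Principal matching, which IAM evaluates in addition.

```python
import ipaddress
import json

# Constructed copies of the page's sample policies; the masked IP is replaced by a documentation address.
ARN = "arn:aws:rum:region:accountID:appmonitor/app-monitor-name"
IP_BLOCK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "rum:PutRumEvents", "Resource": "%s", "Principal": "*"},
    {"Effect": "Deny", "Action": "rum:PutRumEvents", "Resource": "%s", "Principal": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.7/32"}}}
  ]}""" % (ARN, ARN))
ALIAS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "rum:PutRumEvents", "Resource": "%s", "Principal": "*",
     "Condition": {"StringEquals": {"rum:alias": ["alias1", "alias2"]}}}
  ]}""" % ARN)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition, ctx):
    """Every operator/key pair must match; a list of values is OR'd, as in IAM."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual, values = ctx.get(key), _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in values  # a missing context key never matches
            elif operator in ("IpAddress", "NotIpAddress"):
                hit = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                    for v in values)
                ok = hit if operator == "IpAddress" else not hit  # negated operator: missing key matches
            else:
                raise ValueError("unsupported operator: " + operator)
            if not ok:
                return False
    return True

def evaluate(policy, action, ctx):
    """IAM logic for one resource policy: explicit Deny wins, else an Allow is required, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if action in _as_list(stmt["Action"]) and _condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Swapping IpAddress for NotIpAddress in the Deny statement inverts the policy into an allowlist that rejects every address except the listed one, which is the check worth running before attaching such a policy.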