Required roles and permissions for CloudWatch canaries - Amazon CloudWatch

Required roles and permissions for CloudWatch canaries

To view canary details and the results of canary runs, you must be signed in as an IAM user who has either the CloudWatchSyntheticsFullAccess or the CloudWatchSyntheticsReadOnlyAccess attached. To read all Synthetics data in the console, you also need the AmazonS3ReadOnlyAccess and CloudWatchReadOnlyAccess policies. To view the source code used by canaries, you also need the AWSLambdaReadOnlyAccess policy.

To create canaries, you must be signed in as an IAM user who has the CloudWatchSyntheticsFullAccess policy or a similar set of permissions. To create IAM roles for the canaries, you also need the following inline policy statement:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*", "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*" ] } ] }

Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources and can attach that policy to any role. Be very careful about who you grant these permissions to.

For information about attaching policies and granting permissions to users, see Changing Permissions for an IAM User and To embed an inline policy for a user or role.

AWS managed policies for CloudWatch Synthetics

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally change the permissions in an AWS managed policy. This type of update affects all identities (users, groups, and roles) where the policy is attached.

CloudWatch Synthetics updates to AWS managed policies

View details about updates to AWS maanged policies for CloudWatch Synthetics since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Document history page.

Change Description Date

Redundant actions removed from CloudWatchSyntheticsFullAccess

CloudWatch Synthetics removed the s3:PutBucketEncryption and lambda:GetLayerVersionByArn actions from CloudWatchSyntheticsFullAccess policy because those actions were redundant with other permissions in the policy. The removed actions did not provide any permissions, and there’s no net change to the permissions granted by the policy.

March 12, 2021

CloudWatch Synthetics started tracking changes

CloudWatch Synthetics started tracking changes for its AWS managed policies.

March 10, 2021


Here are the contents of the CloudWatchSyntheticsFullAccess policy:

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "synthetics:*" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "s3:CreateBucket", "s3:PutEncryptionConfiguration" ], "Resource":[ "arn:aws:s3:::cw-syn-results-*" ] }, { "Effect":"Allow", "Action":[ "iam:ListRoles", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "xray:GetTraceSummaries", "xray:BatchGetTraces", "apigateway:GET" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "s3:GetObject", "s3:ListBucket" ], "Resource":"arn:aws:s3:::cw-syn-*" }, { "Effect":"Allow", "Action":[ "s3:GetObjectVersion" ], "Resource":"arn:aws:s3:::aws-synthetics-library-*" }, { "Effect":"Allow", "Action":[ "iam:PassRole" ], "Resource":[ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*" ], "Condition":{ "StringEquals":{ "iam:PassedToService":[ "", "" ] } } }, { "Effect":"Allow", "Action":[ "iam:GetRole" ], "Resource":[ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*" ] }, { "Effect":"Allow", "Action":[ "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource":[ "arn:aws:cloudwatch:*:*:alarm:Synthetics-*" ] }, { "Effect":"Allow", "Action":[ "cloudwatch:DescribeAlarms" ], "Resource":[ "arn:aws:cloudwatch:*:*:alarm:*" ] }, { "Effect":"Allow", "Action":[ "lambda:CreateFunction", "lambda:AddPermission", "lambda:PublishVersion", "lambda:UpdateFunctionConfiguration", "lambda:GetFunctionConfiguration" ], "Resource":[ "arn:aws:lambda:*:*:function:cwsyn-*" ] }, { "Effect":"Allow", "Action":[ "lambda:GetLayerVersion", "lambda:PublishLayerVersion" ], "Resource":[ "arn:aws:lambda:*:*:layer:cwsyn-*", "arn:aws:lambda:*:*:layer:Synthetics:*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":[ "*" ] }, { "Effect":"Allow", "Action":[ "sns:ListTopics" ], "Resource":[ "*" ] }, { "Effect":"Allow", "Action":[ "sns:CreateTopic", "sns:Subscribe", "sns:ListSubscriptionsByTopic" ], "Resource":[ "arn:*:sns:*:*:Synthetics-*" ] } ] }


Here are the contents of the CloudWatchSyntheticsReadOnlyAccess policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "synthetics:Describe*", "synthetics:Get*", "synthetics:List*" ], "Resource": "*" } ] }