Menu
AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon CloudWatch

Amazon CloudWatch (service prefix: cloudwatch) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon CloudWatch

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
DeleteAlarms Deletes all specified alarms. In the event of an error, no alarms are deleted

Write

DeleteDashboards Deletes all CloudWatch dashboards that you specify

Write

DescribeAlarmHistory Retrieves history for the specified alarm

Read Write

DescribeAlarms Retrieves alarms with the specified names

Read Write

DescribeAlarmsForMetric Retrieves all alarms for a single metric

Read Write

DisableAlarmActions Disables actions for the specified alarms

Write

EnableAlarmActions Enables actions for the specified alarms

Write

GetDashboard Displays the details of the CloudWatch dashboard you specify

Read Write

GetMetricData Required to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data

Read Write

GetMetricStatistics Gets statistics for the specified metric

Read Write

ListDashboards Returns a list of all CloudWatch dashboards in your account

List Read Write

ListMetrics Returns a list of valid metrics stored for the AWS account owner

List Read Write

PutDashboard Creates a CloudWatch dashboard, or updates an existing dashboard if it already exists

Write

PutMetricAlarm Creates or updates an alarm and associates it with the specified Amazon CloudWatch metric

Write

PutMetricData Publishes metric data points to Amazon CloudWatch

Write

SetAlarmState Temporarily sets the state of an alarm for testing purposes

Write

Resources Defined by CloudWatch

CloudWatch has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for Amazon CloudWatch

CloudWatch has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.