AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon CloudWatch

Amazon CloudWatch (service prefix: cloudwatch) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions Defined by Amazon CloudWatch

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| DeleteAlarms | Deletes all specified alarms. In the event of an error, no alarms are deleted | Write | | | |
| DeleteDashboards | Deletes all CloudWatch dashboards that you specify | Write | | | |
| DescribeAlarmHistory | Retrieves history for the specified alarm | Read | | | |
| DescribeAlarms | Retrieves alarms with the specified names | Read | | | |
| DescribeAlarmsForMetric | Retrieves all alarms for a single metric | Read | | | |
| DisableAlarmActions | Disables actions for the specified alarms | Write | | | |
| EnableAlarmActions | Enables actions for the specified alarms | Write | | | |
| GetDashboard | Displays the details of the CloudWatch dashboard you specify | Read | | | |
| GetMetricData | Required to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data | Read | | | |
| GetMetricStatistics | Gets statistics for the specified metric | Read | | | |
| GetMetricWidgetImage | Required to retrieve snapshots of metric widgets | Read | | | |
| ListDashboards | Returns a list of all CloudWatch dashboards in your account | List | | | |
| ListMetrics | Returns a list of valid metrics stored for the AWS account owner | List | | | |
| PutDashboard | Creates a CloudWatch dashboard, or updates an existing dashboard if it already exists | Write | | | |
| PutMetricAlarm | Creates or updates an alarm and associates it with the specified Amazon CloudWatch metric | Write | | | |
| PutMetricData | Publishes metric data points to Amazon CloudWatch | Write | | | |
| SetAlarmState | Temporarily sets the state of an alarm for testing purposes | Write | | | |

Resources Defined by CloudWatch

Amazon CloudWatch has no service-defined resources that can be used as the Resource element of an IAM policy statement.
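The following policy audit is an added example, not part of the original guide or of any AWS tooling: it expands wildcard Action patterns against the action table above and reports which Write-level CloudWatch actions a policy's Allow statements grant, and it flags statements whose Resource is not "*", since this page lists no service-defined resources. The function names and the sample policy (including its account ID and dashboard ARN) are constructed for illustration; Deny statements, NotAction, and Condition blocks are deliberately not evaluated.

```python
import re

# Access levels transcribed from the actions table on this page.
_BY_LEVEL = {
    "Write": "DeleteAlarms DeleteDashboards DisableAlarmActions EnableAlarmActions "
             "PutDashboard PutMetricAlarm PutMetricData SetAlarmState",
    "Read": "DescribeAlarmHistory DescribeAlarms DescribeAlarmsForMetric GetDashboard "
            "GetMetricData GetMetricStatistics GetMetricWidgetImage",
    "List": "ListDashboards ListMetrics",
}
ACCESS_LEVELS = {name: lvl for lvl, names in _BY_LEVEL.items() for name in names.split()}

def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def granted_actions(pattern):
    """CloudWatch actions matched by one Action pattern (* and ? wildcards, case-insensitive)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return {a for a in ACCESS_LEVELS if re.fullmatch(rx, "cloudwatch:" + a, re.IGNORECASE)}

def audit(policy):
    """Return (sorted Write actions granted, warnings) for the policy's Allow statements."""
    writes, warnings = set(), []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        granted = set().union(*(granted_actions(p) for p in _as_list(st.get("Action"))))
        if not granted:
            continue
        if "*" not in _as_list(st.get("Resource")):
            # Simplification: with no service-defined resources, only "*" is treated as matching.
            warnings.append(f'statement {i}: CloudWatch actions require Resource "*"')
            continue
        writes |= {a for a in granted if ACCESS_LEVELS[a] == "Write"}
    return sorted(writes), warnings

# Constructed sample policy: a read-only statement, an over-broad alarm wildcard, and an ARN-scoped statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*"]},
    {"Effect": "Allow", "Resource": "*", "Action": "cloudwatch:*Alarm*"},
    {"Effect": "Allow", "Action": "cloudwatch:PutDashboard",
     "Resource": "arn:aws:cloudwatch::111122223333:dashboard/ops"},
]}
```

Running audit(SAMPLE_POLICY) shows that the cloudwatch:*Alarm* pattern, which looks like a monitoring grant, also allows deleting alarms, disabling their actions, and overriding alarm state.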

Condition Keys for Amazon CloudWatch

CloudWatch has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.