AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon CloudWatch Events

Amazon CloudWatch Events (service prefix: events) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions Defined by Amazon CloudWatch Events

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| DeleteRule | Deletes a rule. You must remove all targets from a rule using RemoveTargets before you can delete the rule. | Write | | | |
| DescribeEventBus | Displays the external AWS accounts that are permitted to write events to your account using your account's event bus, and the associated policy. | Read | | | |
| DescribeRule | Describes the details of the specified rule. | Read | | | |
| DisableRule | Disables a rule. A disabled rule won't match any events, and won't self-trigger if it has a schedule expression. | Write | | | |
| EnableRule | Enables a rule. If the rule does not exist, the operation fails. | Write | | | |
| ListRuleNamesByTarget | Lists the names of the rules that the given target is put to. | List | | | |
| ListRules | Lists the Amazon CloudWatch Events rules in your account. | List | | | |
| ListTargetsByRule | Lists the targets assigned to the rule. | List | | | |
| PutEvents | Sends custom events to Amazon CloudWatch Events so that they can be matched to rules. | Write | | | |
| PutPermission | Running PutPermission permits the specified AWS account to put events to your account's default event bus. | Write | | | |
| PutRule | Creates or updates a rule. Rules are enabled by default, or based on the value of the State parameter. | Write | | | |
| PutTargets | Adds target(s) to a rule. Targets are the resources that can be invoked when a rule is triggered. | Write | | | |
| RemovePermission | Revokes the permission of another AWS account to be able to put events to your default event bus. | Write | | | |
| RemoveTargets | Removes target(s) from a rule so that when the rule is triggered, those targets will no longer be invoked. | Write | | | |
| TestEventPattern | Tests whether an event pattern matches the provided event. | Read | | | |

Resources Defined by CloudWatch Events

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| rule | arn:${Partition}:events:${Region}:${Account}:rule/${RuleName} | |

Condition Keys for Amazon CloudWatch Events

Amazon CloudWatch Events defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

For information about using condition keys to provide more granular control over CloudWatch Events with IAM policies, see Condition Keys for CloudWatch Events in the Amazon CloudWatch User Guide.

| Condition Keys | Description | Type |
|---|---|---|
| events:TargetArn | The ARN of a target that can be put to a rule. | ARN |
| events:detail-type | Matches the literal string of the detail-type field of the event. | String |
| events:detail.eventTypeCode | Matches the literal string for the detail.eventTypeCode field of the event. | String |
| events:detail.service | Matches the literal string for the detail.service field of the event. | String |
| events:detail.userIdentity.principalId | Matches the literal string for the detail.userIdentity.principalId field of the event. | String |
| events:source | The AWS service that generated the event. Matches the literal string of the source field of the event. | String |
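
The following is an added example, not part of the AWS documentation: a Python check that audits an identity policy for Allow statements granting rule-level Write actions without a rule ARN in Resource, and for PutTargets grants that lack an events:TargetArn condition. The sample policy, account ID and names are constructed, and the set of actions treated as accepting the rule resource type is an assumption; NotAction and NotResource are not handled.

```python
import fnmatch

# Write-level actions from the Actions table that operate on a named rule.
# Assumption: each accepts the "rule" resource type in the Resource element.
RULE_WRITE_ACTIONS = "DeleteRule DisableRule EnableRule PutRule PutTargets RemoveTargets".split()

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _granted(stmt):
    """Rule-scoped write actions matched by the statement's Action patterns."""
    hits = set()
    for pattern in _as_list(stmt.get("Action", [])):
        prefix, _, name = pattern.lower().partition(":")
        if pattern == "*":
            hits.update(RULE_WRITE_ACTIONS)
        elif prefix == "events":  # IAM action names are case-insensitive
            hits.update(a for a in RULE_WRITE_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), name))
    return hits

def _is_rule_arn(resource):
    # arn:${Partition}:events:${Region}:${Account}:rule/${RuleName}
    parts = resource.split(":", 5)
    return (len(parts) == 6 and parts[0] == "arn" and parts[2] == "events"
            and parts[5].startswith("rule/"))

def _has_condition_key(stmt, key):
    return any(k.lower() == key.lower()
               for block in stmt.get("Condition", {}).values() for k in block)

def audit(policy):
    """Return (Sid, finding) pairs for Allow statements that are too broad."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _granted(stmt) if stmt.get("Effect") == "Allow" else set()
        sid = stmt.get("Sid", "<no Sid>")
        if actions and not all(_is_rule_arn(r) for r in _as_list(stmt.get("Resource", "*"))):
            findings.append((sid, "rule write actions not scoped to a rule ARN"))
        if "PutTargets" in actions and not _has_condition_key(stmt, "events:TargetArn"):
            findings.append((sid, "PutTargets allowed without events:TargetArn condition"))
    return findings

# Constructed sample policy (account ID and names are made up).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadWrite", "Effect": "Allow", "Action": "events:Put*", "Resource": "*"},
    {"Sid": "ScopedTargets", "Effect": "Allow", "Action": "events:PutTargets",
     "Resource": "arn:aws:events:us-east-1:111122223333:rule/app-*",
     "Condition": {"ArnLike": {"events:TargetArn":
         "arn:aws:lambda:us-east-1:111122223333:function:app-*"}}}]}
```

Calling `audit(SAMPLE_POLICY)` reports both findings for the BroadWrite statement and none for ScopedTargets.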