AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon CloudWatch Events

Amazon CloudWatch Events (service prefix: events) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon CloudWatch Events

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| DeleteRule | Deletes a rule. You must remove all targets from a rule using RemoveTargets before you can delete the rule. | Write | rule* | | |
| DescribeRule | Describes the details of the specified rule. | Read Write | rule* | | |
| DisableRule | Disables a rule. A disabled rule won't match any events, and won't self-trigger if it has a schedule expression. | Write | rule* | | |
| EnableRule | Enables a rule. If the rule does not exist, the operation fails. | Write | rule* | | |
| ListRuleNamesByTarget | Lists the names of the rules that the given target is put to. | List Read Write | rule* | | |
| ListRules | Lists the Amazon CloudWatch Events rules in your account. | List Read Write | rule* | | |
| ListTargetsByRule | Lists the targets assigned to the rule. | List Read Write | rule* | | |
| PutEvents | Sends custom events to Amazon CloudWatch Events so that they can be matched to rules. | Write | | | |
| PutRule | Creates or updates a rule. Rules are enabled by default, or based on the value of the State parameter. | Write | | events:detail.userIdentity.principalId, events:detail-type, events:source | |
| PutTargets | Adds target(s) to a rule. Targets are the resources that can be invoked when a rule is triggered. | Write | | events:TargetArn | |
| RemoveTargets | Removes target(s) from a rule so that when the rule is triggered, those targets will no longer be invoked. | Write | rule* | | |
| TestEventPattern | Tests whether an event pattern matches the provided event. | Read Write | | | |


Resources Defined by CloudWatch Events

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| rule | arn:${Partition}:events:${Region}:${Account}:rule/${RuleName} | |

Condition Keys for Amazon CloudWatch Events

Amazon CloudWatch Events defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

For information about using condition keys to provide more granular control over CloudWatch Events with IAM policies, see Condition Keys for CloudWatch Events in the Amazon CloudWatch User Guide.

| Condition Keys | Description | Type |
|---|---|---|
| events:TargetArn | The ARN of a target that can be put to a rule. | ARN |
| events:detail-type | Matches the literal string of the detail-type field of the event. | String |
| events:detail.userIdentity.principalId | Matches the literal string for the detail.useridentity.principalid field of the event. | String |
| events:source | The AWS service that generated the event. Matches the literal string of the source field of the event. | String |
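
The following is an added example, not part of the AWS documentation: a small policy check that flags Allow statements granting events:PutTargets without an events:TargetArn condition, run against a broad policy and a scoped one. The account ID, region, rule names, function name and the Resource scoping to rule ARNs are constructed assumptions.

```python
import fnmatch
import json

# Constructed sample policies; account ID, region, rule and function names are placeholders.
WEAK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["events:PutRule", "events:PutTargets"],
    "Resource": "arn:aws:events:us-east-1:111122223333:rule/*"
  }]
}""")

SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "events:PutRule",
     "Resource": "arn:aws:events:us-east-1:111122223333:rule/nightly-*"},
    {"Effect": "Allow", "Action": "events:PutTargets",
     "Resource": "arn:aws:events:us-east-1:111122223333:rule/nightly-*",
     "Condition": {"ArnEquals": {"events:TargetArn":
       "arn:aws:lambda:us-east-1:111122223333:function:nightly-report"}}}
  ]
}""")

def as_list(value):
    """IAM allows a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def grants_put_targets(stmt):
    """True if an Allow statement's Action patterns cover events:PutTargets.
    Action names are case-insensitive; NotAction statements are not evaluated here."""
    if stmt.get("Effect") != "Allow" or "Action" not in stmt:
        return False
    return any(fnmatch.fnmatchcase("events:puttargets", a.lower())
               for a in as_list(stmt["Action"]))

def constrains_target(stmt):
    """True if any condition operator in the statement tests events:TargetArn."""
    return any(key.lower() == "events:targetarn"
               for keys in stmt.get("Condition", {}).values() for key in keys)

def unconstrained_put_targets(policy):
    """Indexes of Allow statements that grant PutTargets with no target restriction."""
    return [i for i, s in enumerate(as_list(policy["Statement"]))
            if grants_put_targets(s) and not constrains_target(s)]
```

The check is a heuristic: it confirms that a statement tests events:TargetArn at all, not that the operator and value are as narrow as intended.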