AWS Health
User Guide

Controlling Access to the AWS Personal Health Dashboard and AWS Health

You can use IAM to create identities (users, groups, or roles), and then give those identities permissions to access the Personal Health Dashboard and AWS Health API.

By default, IAM users do not have access to the Personal Health Dashboard or AWS Health. You give users access to your account's AWS Health information by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies.

After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view AWS Health information by using an account-specific sign-in page. For more information, see How Users Sign In to Your Account.

Important

An IAM user with permissions to view Personal Health Dashboard has read-only access to health information across all AWS services on the account, which can include, but is not limited to, AWS resource IDs such as Amazon EC2 instance IDs, EC2 instance IP addresses, and general security notifications. For example, if an IAM policy grants access only to Personal Health Dashboard and AWS Health API, then the user or role that the policy applies to can access all information posted about AWS services and related resources, even if other IAM policies do not allow that access.

To allow access to the Personal Health Dashboard and AWS Health, set the Action element of an IAM policy to health:Describe*. AWS Health supports access control to Events based on the eventTypeCode and service. See Resource- and Action-based Conditions. To allow access to all events, set the Resource element to *.

Note

Although the Personal Health Dashboard is available for all AWS accounts, the AWS Health API is available only to accounts with a Business or Enterprise support plan. For more information, see AWS Support.

For example, this policy statement grants access to Personal Health Dashboard and AWS Health:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "health:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

This policy statement denies access to Personal Health Dashboard and AWS Health:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "health:*"
      ],
      "Resource": "*"
    }
  ]
}

If the user or group that you want to give permissions to already has a policy, you can add the AWS Health-specific policy statement illustrated here to that policy.

Resource- and Action-based Conditions

AWS Health supports IAM conditions for DescribeAffectedEntities and DescribeEventDetails. This lets you restrict the events that the AWS Health API returns on a per-user, per-group, or per-role basis. You can do this by populating the Condition block of the IAM policy or by setting the Resource element. You can use string conditions to restrict access based on certain health event fields. The following fields are supported:

  • eventTypeCode

  • service

For example, this policy statement grants access to Personal Health Dashboard and AWS Health, but denies access to any Health Events relating to EC2:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "health:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "health:service": "EC2"
        }
      }
    }
  ]
}

The following policy has the same effect, but makes use of the Resource element:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "health:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "health:DescribeEventDetails",
        "health:DescribeAffectedEntities"
      ],
      "Resource": "arn:aws:health:*::event/EC2/*/*"
    }
  ]
}

This policy statement grants access to Personal Health Dashboard and AWS Health, but denies access to any Health Events with type AWS_EC2_*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "health:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "health:eventTypeCode": "AWS_EC2_*"
        }
      }
    }
  ]
}

Important

AWS Health returns an AccessDeniedException when a user attempts to access an event that the policy attached to the user, group, or role denies. This applies only to DescribeAffectedEntities and DescribeEventDetails.
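The following Python snippet is an added illustration, not part of this guide or of any AWS SDK: it re-implements the small slice of IAM evaluation that these policies rely on (explicit Deny wins, * and ? wildcards, StringEquals and StringLike conditions) and replays the three policies above against two constructed events, so you can see which calls each variant denies. The event ARNs and IDs are constructed to follow the arn:aws:health:REGION::event/SERVICE/EVENT_TYPE_CODE/EVENT_ID layout implied by the resource pattern quoted above.

```python
import fnmatch

# Constructed sample events (not real AWS data). The ARN layout follows the pattern
# the guide quotes: arn:aws:health:REGION::event/SERVICE/EVENT_TYPE_CODE/EVENT_ID
EVENTS = [
    {"service": "EC2", "eventTypeCode": "AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED",
     "arn": "arn:aws:health:us-east-1::event/EC2/AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED/EXAMPLE-1"},
    {"service": "RDS", "eventTypeCode": "AWS_RDS_MAINTENANCE_SCHEDULED",
     "arn": "arn:aws:health:eu-west-1::event/RDS/AWS_RDS_MAINTENANCE_SCHEDULED/EXAMPLE-2"},
]

ALLOW_ALL = {"Effect": "Allow", "Action": "health:Describe*", "Resource": "*"}
DETAIL_ACTIONS = ["health:DescribeAffectedEntities", "health:DescribeEventDetails"]
# The three policies from the guide ("Version" omitted; it does not affect the logic here).
DENY_EC2_BY_CONDITION = {"Statement": [ALLOW_ALL, {
    "Effect": "Deny", "Action": DETAIL_ACTIONS, "Resource": "*",
    "Condition": {"StringEquals": {"health:service": "EC2"}}}]}
DENY_EC2_BY_RESOURCE = {"Statement": [ALLOW_ALL, {
    "Effect": "Deny", "Action": DETAIL_ACTIONS,
    "Resource": "arn:aws:health:*::event/EC2/*/*"}]}
DENY_EC2_BY_EVENT_TYPE = {"Statement": [ALLOW_ALL, {
    "Effect": "Deny", "Action": DETAIL_ACTIONS, "Resource": "*",
    "Condition": {"StringLike": {"health:eventTypeCode": "AWS_EC2_*"}}}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(stmt, action, event):
    """True if the statement applies to this action on this event (IAM wildcards * and ?)."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(event["arn"], r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, pattern in pairs.items():
            value = event[key.split(":", 1)[1]]  # "health:service" -> event["service"]
            if operator == "StringEquals" and value != pattern:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(value, pattern):
                return False
    return True

def is_allowed(policy, action, event):
    """IAM evaluation order: an explicit Deny always wins, then any Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, event)}
    return "Deny" not in effects and "Allow" in effects

def denied_event_types(policy, action):
    """Event type codes for which 'action' would raise AccessDeniedException under 'policy'."""
    return [e["eventTypeCode"] for e in EVENTS if not is_allowed(policy, action, e)]
```

All three policies deny only the two detail calls for the EC2 event; a call such as DescribeEvents, which is covered by the Allow but not by the Deny, still succeeds for every event.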