How do I restrict access to the CloudWatch console?


I want to restrict access to the Amazon CloudWatch console so that only specific users can perform specific actions on CloudWatch resources.

Short description

If you're the administrator of your AWS account, use identity-based policies to attach permissions to AWS Identity and Access Management (IAM) entities (users, groups, and roles). An IAM entity has no permissions by default, so the policy you attach is exactly what the entity can do in CloudWatch: list only the actions that the user needs, and nothing else.

To view all the permissions that you can use with CloudWatch, see Permissions required to use the CloudWatch console.

Resolution

Create a custom policy for CloudWatch resources

Complete the following steps:

  1. Open the IAM console.
  2. Choose Policies.
  3. Choose Create Policy.
  4. Choose JSON.
  5. Create a custom policy.
    Example policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Description_1",
                "Effect": "Allow",
                "Action": [permissions required],
                "Resource": "*"
            },
            {
                "Sid": "Description_2",
                "Effect": "Allow",
                "Action": [permissions required],
                "Resource": "*"
            },
            ...
            {
                "Sid": "Description_n",
                "Effect": "Allow",
                "Action": [permissions required],
                "Resource": "*"
            }
        ]
    }
    Replace each [permissions required] placeholder with the cloudwatch: actions that the statement should allow, and give each Sid a name that describes that group of actions.
    Note: CloudWatch doesn't support resource-based policies (policies attached to a CloudWatch resource), so all access control is done in identity-based IAM policies. The metric actions that the console uses (for example cloudwatch:ListMetrics, cloudwatch:GetMetricData, and cloudwatch:PutMetricData) don't support resource-level permissions, so use "*" as the resource for those statements. Alarm and dashboard actions do support resource-level permissions and can be narrowed to a specific alarm or dashboard ARN if you need tighter scoping.
  6. (Optional) Add a tag to your policy.
  7. Choose Review policy.
  8. Enter a name and description for your policy, for example CWPermissions.
  9. Choose Create Policy.

Attach a custom policy to an IAM user

Complete the following steps. The same flow applies to groups and roles, and attaching the policy to a group or role is easier to maintain than attaching it to individual users:

  1. Open the IAM console.
  2. In the navigation pane, choose Users.
  3. Select the user that you want to add permissions to.
  4. Choose Add permissions.
  5. Choose Attach existing policies directly.
  6. Select the custom CloudWatch policy.
  7. Choose Next: Review.
  8. Choose Add permissions.

The following example policy allows users to create, manage, and visualize alarms in CloudWatch (the second statement grants the read-only metric actions that the console needs to draw the alarm's metric graph):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAlarms",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:EnableAlarmActions",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DisableAlarmActions",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:SetAlarmState"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualizeAlarms",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

Note:

  • To limit the namespaces that a user can publish metrics to, use the cloudwatch:namespace condition key.
  • The cloudwatch:namespace condition key applies to cloudwatch:PutMetricData (writing metrics). It isn't supported on read actions such as cloudwatch:GetMetricData, so those actions can't be restricted by namespace and still use "*" as the resource.
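The following is an added example and is not code from the AWS page. It assembles the alarm policy above as a Python dictionary, adds an assumed third statement that only lets the user publish metrics into a namespace called "MyApp" (the statement name and the namespace are assumptions for illustration), lints the document for over-broad actions before it is pasted into the IAM console, and then runs a deliberately simplified local model of IAM evaluation (implicit deny, matching Allow, explicit Deny wins, StringEquals conditions only) so you can see which console actions the policy would permit. The evaluator is an approximation for reasoning about a draft; use the IAM policy simulator for authoritative answers.

```python
import fnmatch
import json

# Constructed example policy (not from the AWS page): the page's two alarm
# statements plus an assumed statement scoped with the cloudwatch:namespace key.
CLOUDWATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAlarms",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:EnableAlarmActions",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DisableAlarmActions",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:SetAlarmState",
            ],
            "Resource": "*",
        },
        {
            "Sid": "VisualizeAlarms",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData",
            ],
            "Resource": "*",
        },
        {
            "Sid": "PublishOnlyToMyAppNamespace",  # assumed statement, namespace "MyApp" is made up
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": "MyApp"}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Findings a reviewer raises before attaching: wildcard actions that hand out
    every CloudWatch permission, or actions from other services in a policy that
    is meant to be CloudWatch-only. Returns [] when the policy is clean."""
    findings = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            if action in ("*", "cloudwatch:*"):
                findings.append(f"{stmt['Sid']}: grants every CloudWatch action ({action})")
            elif not action.lower().startswith("cloudwatch:"):
                findings.append(f"{stmt['Sid']}: non-CloudWatch action {action}")
    return findings


def _conditions_match(condition, context):
    """Only StringEquals is modelled. A key that is absent from the request
    context fails StringEquals, so PutMetricData without a namespace is denied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, context=None):
    """Simplified IAM evaluation for one identity-based policy: implicit deny by
    default, an Allow whose Action pattern and Condition match grants access, and
    any matching explicit Deny wins. Action matching is case-insensitive with the
    * and ? wildcards; every Resource is treated as "*" (all this policy uses)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _conditions_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides every Allow
        allowed = True
    return allowed


def policy_json(policy):
    """The document to paste into the IAM console's JSON editor."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print(policy_json(CLOUDWATCH_POLICY))
    print("lint findings:", lint_policy(CLOUDWATCH_POLICY) or "none")
    for action, ctx in [("cloudwatch:DeleteAlarms", {}), ("cloudwatch:PutDashboard", {}),
                        ("cloudwatch:PutMetricData", {"cloudwatch:namespace": "MyApp"}),
                        ("cloudwatch:PutMetricData", {"cloudwatch:namespace": "AWS/EC2"})]:
        print(action, ctx, "->", "allow" if is_allowed(CLOUDWATCH_POLICY, action, ctx) else "deny")
```

Running the script prints the policy JSON ready for step 5 of the console procedure, reports no lint findings, and shows that alarm actions are allowed, cloudwatch:PutDashboard is implicitly denied because no statement mentions it, and cloudwatch:PutMetricData is allowed only when the request carries the "MyApp" namespace.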
AWS OFFICIAL, updated 9 months ago