Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using condition keys to limit access to CloudWatch namespaces

0

Hi,

I am having an issue (AccessDenied) restricting the access to only the AWS/Bedrock using the condition below. Is this condition valid for GetMetricStatistics, ListDashboards and ListMetrics? or is it only valid for PutMetricData as shown in https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html ?

{
        "Sid": "BedrockCloudWatchMetrics",
        "Effect": "Allow",
        "Action": [
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListDashboards",
            "cloudwatch:ListMetrics"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "cloudwatch:namespace": "AWS/Bedrock"
            }
        }
    }

Could you help me clarify this point?

Topics
Management & GovernanceSecurity, Identity, & ComplianceNetworking & Content Delivery
Tags
Amazon CloudWatchAWS Identity and Access ManagementIAM Policies
Language
English
asked 9 months ago243 views
2 Answers
0

Hello.

As stated in the following documentation, "cloudwatch:namespace" is not supported as a condition key for "GetMetricStatistics", "ListDashboards", and "ListMetrics".
It can only be used for actions that have "cloudwatch:namespace" in the Condition keys column in the table in the following documentation.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html

Therefore, as you may know, as of June 2025, only "PutMetricData" can use "cloudwatch:namespace" as a condition key.

EXPERT
answered 9 months ago
-1

The cloudwatch:namespace condition key is indeed valid for restricting access to CloudWatch namespaces, but it doesn't apply to all CloudWatch actions in the same way.

Based on the available documentation, the cloudwatch:namespace condition key is primarily designed to work with the cloudwatch:PutMetricData action, which is used for publishing metrics to CloudWatch. The examples in the documentation specifically demonstrate using this condition key to allow or deny publishing metrics in specific namespaces.

For the actions in your policy (GetMetricStatistics, ListDashboards, and ListMetrics), the behavior is different:

  1. For ListMetrics - The condition may work to filter metrics by namespace, but it might not behave exactly as expected since this action lists metrics across namespaces.

  2. For GetMetricStatistics - Similar to ListMetrics, the condition may work but might not provide the precise control you're looking for.

  3. For ListDashboards - This action is unlikely to be affected by the namespace condition key since dashboards can contain widgets from multiple namespaces.

This is likely why you're experiencing an AccessDenied error. To properly restrict access to only AWS/Bedrock metrics, you might need to use a different approach or modify your policy to include the cloudwatch:PutMetricData action if you need to publish metrics, while potentially removing the condition for the read-only actions if you need those to work broadly.
Sources
Using condition keys to limit access to CloudWatch namespaces - Amazon CloudWatch
Actions, resources, and condition keys for Amazon CloudWatch - Service Authorization Reference
How Amazon CloudWatch works with IAM - Amazon CloudWatch

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content