Attempting to wildcard the resource element in an IAM policy to restrict permissions to only a subset of CloudWatch alarms

As the title states I am attempting to restrict the permissions for an IAM role to only allow various modify actions to a subset of CloudWatch alarms in our environment by utilizing the resource element with wildcards. I have tried multiple different things and none of them seem to work. This is my latest attempt.

        "Resource": [
            "arn:aws:cloudwatch:::alarm:GEMSPROD-cw-alarm-rds-pg/*",
            "arn:aws:cloudwatch:::alarm:cw-alarm-rds-pg/*",
            "arn:aws:cloudwatch:::alarm:GEMSPROD-cw-alarm-rds-mysql/*",
            "arn:aws:cloudwatch:::alarm:cw-alarm-rds-mysql/*"
        ],

I have also tried just the asterisk at the end of the arn:

        "Resource": [
            "arn:aws:cloudwatch:::alarm:GEMSPROD-cw-alarm-rds-pg*",
            "arn:aws:cloudwatch:::alarm:cw-alarm-rds-pg*",
            "arn:aws:cloudwatch:::alarm:GEMSPROD-cw-alarm-rds-mysql*",
            "arn:aws:cloudwatch:::alarm:cw-alarm-rds-mysql*"
        ],

Here is a sample ARN: arn:aws:cloudwatch:<my region>:<my account>:alarm:GEMSPROD-cw-alarm-rds-mysql-readlatency:mysql-rds-dba-poc-001a

Thank you

1 Answer

Accepted Answer

I understand you're trying to restrict permissions for an IAM role to allow modify actions only on a subset of CloudWatch alarms using wildcards in the resource element. However, there are a few issues with the approach you've taken.

First, the ARN format you're using for CloudWatch alarms is incorrect. The correct format for a CloudWatch alarm ARN is:

arn:aws:cloudwatch:[region]:[account-id]:alarm:[alarm-name]

You're missing the region and account ID in your ARNs, which are required fields. The three colons (:::) in your ARN are incorrect.

To correctly use wildcards for CloudWatch alarm resources, you should structure your resource element like this:

"Resource": [
    "arn:aws:cloudwatch:*:*:alarm:GEMSPROD-cw-alarm-rds-pg*",
    "arn:aws:cloudwatch:*:*:alarm:cw-alarm-rds-pg*",
    "arn:aws:cloudwatch:*:*:alarm:GEMSPROD-cw-alarm-rds-mysql*",
    "arn:aws:cloudwatch:*:*:alarm:cw-alarm-rds-mysql*"
]

This format uses wildcards (*) for the region and account ID, allowing the policy to work across different regions and accounts if needed. The asterisk at the end of each alarm name will match any characters that follow, allowing you to capture all alarms that start with the specified prefixes.

Remember that when using wildcards in resource ARNs, you're allowing access to all resources that match the pattern. Be sure this aligns with your intended access control.

Also, ensure that the actions you've specified in your policy's Action element are appropriate for CloudWatch alarms. For example, you might include actions like cloudwatch:DisableAlarmActions, cloudwatch:EnableAlarmActions, and cloudwatch:PutMetricAlarm.

You can take a look at the "Actions, resources, and condition keys for Amazon CloudWatch" document referenced below to confirm whether a specific action you have added to the policy statement supports a CloudWatch alarm ARN in the "Resource" element. Based on the support level, you may need to modify the policy.

If you're still experiencing issues after making these corrections, you may need to review other elements of your policy or check for any conflicting policies that might be overriding these permissions.

References

Identify AWS resources with Amazon Resource Names (ARNs) - AWS Identity and Access Management

IAM JSON policy elements: Resource - AWS Identity and Access Management

Actions, resources, and condition keys for Amazon CloudWatch

answered a year ago
AWS
SUPPORT ENGINEER
  • I will attempt this using the wildcards for region and account.
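As an added illustration of the accepted answer (not code from the question, the answer, or AWS), the snippet below assembles a complete Allow statement from the questioner's alarm-name prefixes and simulates IAM-style wildcard matching, so you can see why the `:::` patterns never match a real alarm ARN while the `arn:aws:cloudwatch:*:*:alarm:<prefix>*` form does. The account ID and alarm names used in the test are constructed, and the matcher is a simplified simulator, not the IAM evaluation engine.

```python
import re

# Alarm-name prefixes from the question; account ids used with this code are constructed.
ALLOWED_PREFIXES = [
    "GEMSPROD-cw-alarm-rds-pg",
    "cw-alarm-rds-pg",
    "GEMSPROD-cw-alarm-rds-mysql",
    "cw-alarm-rds-mysql",
]
# Alarm-modifying actions named in the answer.
MODIFY_ACTIONS = [
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:EnableAlarmActions",
    "cloudwatch:DisableAlarmActions",
]

def alarm_resource_patterns(prefixes, region="*", account="*"):
    """Build alarm ARN patterns in the arn:aws:cloudwatch:region:account:alarm:name form.
    region/account default to '*' as in the answer; pass real values to narrow the scope."""
    return [f"arn:aws:cloudwatch:{region}:{account}:alarm:{prefix}*" for prefix in prefixes]

def build_policy(prefixes, actions, region="*", account="*"):
    """Wrap the corrected Resource element in a complete Allow statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": alarm_resource_patterns(prefixes, region, account),
        }],
    }

def arn_matches(pattern, arn):
    """IAM-style wildcard test: '*' matches any run of characters, '?' exactly one.
    Assumption of this simulator: '*' may also run across ':'; the constructed ARNs
    used with it contain no extra colons, so the outcome is the same either way."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, arn) is not None

def policy_allows(policy, arn):
    """True if any Allow statement's Resource list matches the ARN (Deny is not modelled)."""
    return any(
        arn_matches(resource, arn)
        for statement in policy["Statement"] if statement["Effect"] == "Allow"
        for resource in statement["Resource"]
    )
```

The dictionary returned by build_policy can be written out as JSON and checked against a real action and ARN with aws iam simulate-custom-policy before attaching it to the role.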
