I am trying to restrict CloudWatch Actions to a certain VPC or Resource. Can I do that? Following is the policy:

{
    "Sid": "AllowCloudWatchActions",
    "Effect": "Allow",
    "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
    ],
    "Resource": "*"
}

Can I specify any Condition for this?

user2814081
Matt Houser

2 Answers

CloudWatch does not have any resource-level permissions. To quote the AWS docs:

CloudWatch doesn't have any specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions.

Source: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

So it's not possible to create a policy that restricts the data to metrics from certain resources (VPCs, etc.).

"Conditions" don't usually apply to the data or the resource being requested (i.e. your metrics). Instead, the "Condition" applies to the origin of the request, such as the VPC or IP address.

Matt Houser
  • Although this may not help the questioner in restricting these CloudWatch actions to a VPC, it seems that CloudWatch Logs at least *does* now support some resource-level permissions to restrict a policy to e.g. a certain log group, so you can restrict access to `logs:PutLogEvents` to the resource `arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:log-stream:*` - see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#resource-based-policies-cwl – ryanp Jul 08 '19 at 12:27
  • Is this still the case, 5 years later, particularly for CloudWatch Metrics? – Hendrik Wiese Jun 25 '21 at 13:33
According to AWS doco, condition keys can be used to limit access to CloudWatch namespaces. https://docs.amazonaws.cn/en_us/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html

Actually, I raised a ticket with AWS about restricting the retrieval of CloudWatch metrics and got confirmation that it's working for PutMetricData but not for GetMetricData.

wei
  • Is this fixed for GetMetricData, or is there any way to see CloudWatch metrics for a particular namespace? – kohi Jun 14 '21 at 09:27
  • Hi @kohi, I suggest you contact AWS support to get the latest update on whether the condition key is working for GetMetricData or not. AWS support responds to questions pretty fast : ) – wei Jul 04 '21 at 02:05
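Putting the two answers together, here is an added example policy (not from the question or either answer) that keeps `"Resource": "*"` as the first answer requires and applies the two kinds of condition discussed: the `cloudwatch:namespace` key from the second answer on `PutMetricData` (which that answer reports does not take effect for `GetMetricData`), and the global `aws:SourceVpc` key to tie the read-only actions from the question to requests that arrive through a VPC endpoint. The namespace `MyApp` and the VPC id are constructed placeholders; `aws:SourceVpc` is only present on requests that reach CloudWatch via a VPC endpoint, so the second statement grants nothing to requests that come in over the public endpoint.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutMetricsOnlyIntoAppNamespace",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "MyApp"
        }
      }
    },
    {
      "Sid": "AllowReadsOnlyFromWorkloadVpc",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-0123456789abcdef0"
        }
      }
    }
  ]
}
```

The second statement limits where reads may come from, not which metrics they return; per the first answer, there is no resource or condition that scopes `GetMetricStatistics` to the metrics of particular VPC resources.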