Can I restrict CloudWatch Actions based on Resource or Condition?

I am trying to restrict CloudWatch Actions to a certain VPC or Resource. Can I do that? Following is the policy:

{
    "Sid": "AllowCloudWatchActions",
    "Effect": "Allow",
    "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
    ],
    "Resource": "*"
}

Can I specify any Condition for this?

930 likes
user2814081 asked Jun 27 '16 10:06



1 Answer

CloudWatch does not have any resource-level permissions. To quote the AWS docs:

CloudWatch doesn't have any specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions.

Source: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

So it's not possible to create a policy that restricts the data to metrics from certain resources (VPCs, etc.).

"Conditions" don't usually apply to the data or the resource being requested (i.e. your metrics). Instead, the "Condition" applies to the origin of the request, such as the VPC or IP address.

193 likes
Matt Houser answered Sep 28 '22 19:09
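The distinction the answer draws (Resource stays "*", a Condition narrows where the request comes from, nothing in the policy can see which metric or VPC is being queried) can be made concrete with a small policy evaluator. This is an added example, not code from the post or from AWS: it models only the two condition operators it uses (IpAddress and StringEquals), the IP range is the 203.0.113.0/24 documentation block, and the VPC id is a constructed placeholder. The aws:SourceVpc key is only present in the request context when the call arrives through a VPC endpoint, which is why the evaluator treats a missing key as a failed condition, as IAM does.

```python
import fnmatch
import ipaddress
import json

# Constructed sample policy (not from the original post). Both statements keep
# Resource "*", as the answer says CloudWatch requires, and instead narrow
# WHERE the request comes from: a documentation IP range and a placeholder VPC.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchReadFromOfficeRange",
      "Effect": "Allow",
      "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics"],
      "Resource": "*",
      "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
    },
    {
      "Sid": "AllowCloudWatchReadFromVpcEndpoint",
      "Effect": "Allow",
      "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789example"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def condition_holds(condition, request):
    """True if every operator/key pair in a Condition block is satisfied.

    Multiple keys are ANDed, multiple values for one key are ORed. A key that
    is absent from the request context (e.g. aws:SourceVpc for a request that
    did not traverse a VPC endpoint) makes the condition fail, as in IAM.
    Only the two operators this example needs are modelled.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr, strict=False)
                           for cidr in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def is_allowed(policy, action, request):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Note what is NOT consulted: the metric, alarm or
    VPC being queried never enters the decision, because with Resource "*"
    there is no resource ARN to match against; only the origin keys matter."""
    decision = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pattern)
                   for pattern in _as_list(statement["Action"])):
            continue
        if "Condition" in statement and not condition_holds(statement["Condition"], request):
            continue
        if statement["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    # Constructed request contexts: same action, different request origins.
    contexts = {
        "office range": {"aws:SourceIp": "203.0.113.7"},
        "elsewhere": {"aws:SourceIp": "198.51.100.7"},
        "vpc endpoint": {"aws:SourceVpc": "vpc-0123456789example"},
    }
    for name, ctx in contexts.items():
        print(f"{name}: {is_allowed(POLICY, 'cloudwatch:GetMetricStatistics', ctx)}")
```

Running it shows the same GetMetricStatistics call allowed from the office range and from the VPC endpoint and denied from anywhere else; swapping in a different metric or instance changes nothing, which is the answer's point.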