I am trying to restrict CloudWatch Actions to a certain VPC or Resource. Can I do that? Following is the policy:
{
    "Sid": "AllowCloudWatchActions",
    "Effect": "Allow",
    "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
    ],
    "Resource": "*"
}
Can I specify any Condition for this?
CloudWatch does not have any resource-level permissions. To quote the AWS docs:
CloudWatch doesn't have any specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions.
Source: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html
So it's not possible to create a policy that restricts the data to metrics from certain resources (VPCs, etc.)
"Conditions" don't usually apply to the data or the resource being requested (i.e. your metrics). Instead, the "Condition" applies to the origin of the request, such as the VPC or IP address.
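As an added example (not part of the question or the answer above), this is what the origin-based Condition the answer describes looks like when applied to the two actions from the question. The first statement only allows the calls when they arrive through an interface VPC endpoint for CloudWatch (service name com.amazonaws.<region>.monitoring) inside one VPC; aws:SourceVpc is only present on requests that come through such an endpoint, so calls from the public internet will not match it. The second statement allows the same calls from a corporate address range using aws:SourceIp. The third statement goes beyond the quoted (older) documentation: current CloudWatch alarms do have ARNs of the form arn:aws:cloudwatch:region:account-id:alarm:alarm-name, so cloudwatch:DescribeAlarms can now be scoped to particular alarms, whereas cloudwatch:GetMetricStatistics still has no resource ARN and is restricted only by the origin conditions. The VPC ID, account ID, alarm-name prefix and CIDR are made-up placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchReadViaVpcEndpoint",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-0123456789abcdef0"
        }
      }
    },
    {
      "Sid": "AllowCloudWatchReadFromCorpRange",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Sid": "DenyDescribeAlarmsOutsideTeamPrefix",
      "Effect": "Deny",
      "Action": "cloudwatch:DescribeAlarms",
      "NotResource": "arn:aws:cloudwatch:*:123456789012:alarm:team-a-*"
    }
  ]
}
```

The two Allow statements are evaluated with OR semantics (a request matching either is allowed); keys placed inside a single Condition block would instead be ANDed, which is why the VPC and IP cases are split. The explicit Deny with NotResource is the usual way to pin an action to a name prefix without having to enumerate every alarm ARN; it does nothing for GetMetricStatistics, which has no ARN to match.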