Reputation: 399
Aws IAM user permission to specific region for cloudwatch
Here is what i want. I have a IAM user for whom i want to give read only access to a us-east-1 and that too only read metrics for particular ec2 instance. I have 3 instances runnning in us-east-1 but i want this user to have access to metrics of only 1 ec2 server.
I have written policy like below. which is giving access to all the metrics in all the region. I tried putting that instanceid in below code but it didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}I dont understand what i am missing here.
Upvotes: 1
Views: 2792
Answers (1)
Reputation: 6352
In short, this is not possible, according to the Cloudwatch docs:
You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html
Upvotes: 4
Related Questions
- "Unable to determine aws-region" when running on-premises Cloudwatch agent
- restrict aws iam user to a specific region (eu-west-1)
- Restricting access to AWS resources to one specific region
- AWS CloudWatch and EC2 Role + Policy
- AWS IAM PowerUser Scoped to Specific Region
- Getting Cloud Watch Logs according to the region in which I work
- Restrict cloudwatch access by region
- Cloudwatch permissions to running instance with no IAM role
- Aws IAM user permission to specific region and to a particular server
- AWS IAM Permissions for EC2 – Controlling Access on Specific Instances with particular region