Shailesh Sutar

Reputation: 399

AWS IAM user permission to specific region for CloudWatch

Here is what I want. I have an IAM user to whom I want to give read-only access to us-east-1, and only to read the metrics of a particular EC2 instance. I have 3 instances running in us-east-1 but I want this user to have access to the metrics of only 1 EC2 server.

I have written a policy like the one below, which is giving access to all the metrics in all regions. I tried putting the instance ID in the code below but it didn't work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

I don't understand what I am missing here.

Upvotes: 1

Views: 2792

Answers (1)

Jaap Haagmans

Reputation: 6352

In short, this is not possible, according to the CloudWatch docs:

You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch.

http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

Upvotes: 4
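An added example, not code from the question or the answer, showing the part of the request that IAM can enforce: the same read-only CloudWatch actions, limited to us-east-1 with the aws:RequestedRegion global condition key. It assumes that condition key is available to the account's IAM policy evaluation; the per-instance restriction the question asks for is still not expressible in the policy, as the answer explains.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchReadOnlyInUsEast1Only",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
```

With this policy a GetMetricStatistics call against us-west-2 is denied by the condition, while calls against us-east-1 still return metrics for every instance in that region.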
