Reputation: 31560
I can't use a resource ARN to restrict CloudWatch access.
But I can use conditions. Can I use a condition to only allow users to perform CloudWatch actions in a specific region? I haven't seen any examples of using conditions like this.
Upvotes: 2
Views: 466
Reputation: 21
CloudWatch is very bad in terms of access control, as it does not provide either resources to use in 'Resource' or condition keys. At some point the DescribeAlarms action in particular was being performed on a US region and was causing unwanted errors when accessing through the console, but I don't see in my CloudTrail that it does now. Maybe it can be restricted to all actions now.
A policy statement to restrict CloudWatch access to the eu-central-1 region would be:
{
    "Sid": "CloudWatchInFrankfurtOnly",
    "Effect": "Deny",
    "NotAction": ["cloudwatch:DescribeAlarms"],
    "Resource": ["arn:aws:cloudwatch:*:*:alarm:*", "arn:aws:cloudwatch::*:dashboard/*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-central-1"}}
}
Upvotes: 2
Reputation: 690
Yes, you can use conditions in your policy. For example, the policy below will only allow access to CloudWatch actions in eu-central-1.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1338559372809",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAlarms"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        }
    ]
}
Hope it will help!
Upvotes: 0
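To see how the two approaches in the answers above actually behave (the region-bound Deny on alarm and dashboard ARNs, and the region-conditioned Allow), here is an added example, not code from either answer: a small offline evaluator that implements only the IAM rules these statements depend on (explicit Deny wins over Allow, StringEquals/StringNotEquals, Action/NotAction, Resource matching). The request contexts, the account ID 123456789012 and the alarm name HighCPU are constructed sample values. It also shows why a condition on an EC2-only key such as ec2:Region never matches a CloudWatch call: the key is simply absent from that request's context, and a missing key can never satisfy StringEquals. Real IAM has many more operators and context keys; this is a teaching model of its core logic.

```python
"""Offline model of the IAM evaluation rules used by region-restricting
CloudWatch policies. Added example; not AWS code and not from the answers.
Covers: Effect Allow/Deny, Action/NotAction, Resource patterns, and the
StringEquals / StringNotEquals condition operators."""
from fnmatch import fnmatchcase

# Deny-based approach: block every CloudWatch alarm/dashboard action except
# DescribeAlarms unless the call targets eu-central-1.
DENY_OUTSIDE_FRANKFURT = {
    "Sid": "CloudWatchInFrankfurtOnly",
    "Effect": "Deny",
    "NotAction": ["cloudwatch:DescribeAlarms"],
    "Resource": ["arn:aws:cloudwatch:*:*:alarm:*", "arn:aws:cloudwatch::*:dashboard/*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-central-1"}},
}

# Allow-based approach: grant read actions only when the request's region is
# eu-central-1. aws:RequestedRegion is a global key present on regional calls.
ALLOW_FRANKFURT_ONLY = {
    "Sid": "AllowCloudWatchReadInFrankfurt",
    "Effect": "Allow",
    "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
               "cloudwatch:DescribeAlarms"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}},
}

# Same Allow keyed on ec2:Region, a service-specific key CloudWatch never sets.
ALLOW_WITH_EC2_KEY = dict(ALLOW_FRANKFURT_ONLY,
                          Condition={"StringEquals": {"ec2:Region": "eu-central-1"}})

# Broad grant used together with the Deny statement.
ALLOW_ALL_CLOUDWATCH = {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM uses '*' and '?' wildcards in Action and Resource; fnmatch mirrors that.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def statement_matches(stmt, request):
    """True if this statement applies to the request (action, resource, condition)."""
    action, resource, ctx = request["action"], request["resource"], request["context"]
    if "Action" in stmt and not _matches_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches_any(stmt["NotAction"], action):
        return False
    if not _matches_any(stmt.get("Resource", []), resource):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            # A key absent from the request context can never satisfy
            # StringEquals; the negated operator treats absence as "not equal"
            # (the classic Deny + StringNotEquals gotcha).
            equal = key in ctx and ctx[key] in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def evaluate(statements, request):
    """Core IAM rule: any matching Deny wins; else any matching Allow; else implicit deny."""
    matched = [s for s in statements if statement_matches(s, request)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


def cloudwatch_request(action, region, resource="*"):
    """Constructed request context for a CloudWatch API call in `region`."""
    return {"action": action, "resource": resource,
            "context": {"aws:RequestedRegion": region}}


def run_demo():
    """Evaluate both approaches over constructed requests; returns {case: decision}."""
    eu_list = cloudwatch_request("cloudwatch:ListMetrics", "eu-central-1")
    us_list = cloudwatch_request("cloudwatch:ListMetrics", "us-east-1")
    alarm_arn = "arn:aws:cloudwatch:{}:123456789012:alarm:HighCPU"  # constructed
    us_alarm = cloudwatch_request("cloudwatch:PutMetricAlarm", "us-east-1", alarm_arn.format("us-east-1"))
    eu_alarm = cloudwatch_request("cloudwatch:PutMetricAlarm", "eu-central-1", alarm_arn.format("eu-central-1"))
    us_describe = cloudwatch_request("cloudwatch:DescribeAlarms", "us-east-1")
    deny_based = [ALLOW_ALL_CLOUDWATCH, DENY_OUTSIDE_FRANKFURT]
    return {
        "allow_in_region": evaluate([ALLOW_FRANKFURT_ONLY], eu_list),          # Allow
        "allow_out_of_region": evaluate([ALLOW_FRANKFURT_ONLY], us_list),      # ImplicitDeny
        "ec2_key_never_matches": evaluate([ALLOW_WITH_EC2_KEY], eu_list),      # ImplicitDeny
        "deny_alarm_out_of_region": evaluate(deny_based, us_alarm),            # Deny
        "deny_alarm_in_region": evaluate(deny_based, eu_alarm),                # Allow
        "describe_alarms_anywhere": evaluate(deny_based, us_describe),         # Allow (NotAction carve-out)
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:28s} -> {decision}")
```

Two things the output makes visible: the Deny variant only bites on actions that carry an alarm or dashboard ARN, so non-resource-level calls such as ListMetrics are untouched by it, and the DescribeAlarms carve-out via NotAction works in every region; and the Allow variant is only as good as its condition key, which is why the AWS-global aws:RequestedRegion is the key to use for a region fence on a service that has no keys of its own.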