Reputation: 974
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricData",
                    "cloudwatch:GetMetricStatistics"
                ],
                "Condition": {
                    "StringEquals": {
                        "cloudwatch:namespace": [
                            "AWS/EC2/Per-Instance Metrics",
                            "EBS"
                        ]
                    }
                }
            }
        ]
    }
I have created the above policy but it is not working; it's showing me an error if I am using the above condition. Can anyone please help with how to restrict console-level permission to just EBS and EC2 metrics?
Upvotes: 0
Views: 472
Reputation: 269101
Based on the information presented in Actions, resources, and condition keys for Amazon CloudWatch - Service Authorization Reference, the ListMetrics, GetMetricData and GetMetricStatistics commands do not accept any Condition keys.
Therefore, it would not be possible to restrict the data returned by these commands.
Upvotes: 2
Reputation: 154
Use ForAllValues as below. Also, do check your namespace names. They are not correct namespace names. It should be AWS/EC2. Sorry for the formatting issue, just typing this on my phone.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricData",
                    "cloudwatch:GetMetricStatistics"
                ],
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "cloudwatch:namespace": [
                            "AWS/EC2",
                            "AWS/EBS"
                        ]
                    }
                }
            }
        ]
    }
Upvotes: 0
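How the two Condition blocks on this page behave when, as the first answer states, these three actions supply no cloudwatch:namespace key. This is an added example, not code from either answer or from AWS: a simplified model of IAM's documented handling of StringEquals and ForAllValues:StringEquals for a missing key. The function names condition_matches and statement_allows and the empty request context are constructed for illustration.

```python
# Simplified model of two IAM condition operators (added example, not AWS code).
# It covers only StringEquals and ForAllValues:StringEquals on one statement.

def condition_matches(condition, context):
    """Return True if every operator block in `condition` matches `context`.

    `context` maps condition-key names to the list of values present in the
    request; a key that the action does not supply is simply missing.
    """
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            present = context.get(key)
            if operator == "StringEquals":
                # A key missing from the request context never matches.
                if not present or not any(v in allowed for v in present):
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Vacuously true when the key is missing or has no values.
                if present and not all(v in allowed for v in present):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def statement_allows(statement, action, context):
    """True if an Allow statement applies to `action` under `context`."""
    return (statement["Effect"] == "Allow"
            and action in statement["Action"]
            and condition_matches(statement.get("Condition", {}), context))


ACTIONS = ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
           "cloudwatch:GetMetricStatistics"]
QUESTION_STMT = {"Effect": "Allow", "Action": ACTIONS, "Condition": {
    "StringEquals": {"cloudwatch:namespace": ["AWS/EC2/Per-Instance Metrics", "EBS"]}}}
ANSWER_STMT = {"Effect": "Allow", "Action": ACTIONS, "Condition": {
    "ForAllValues:StringEquals": {"cloudwatch:namespace": ["AWS/EC2", "AWS/EBS"]}}}

# Constructed request context: these read actions supply no cloudwatch:namespace.
READ_CONTEXT = {}

if __name__ == "__main__":
    for name, stmt in (("StringEquals", QUESTION_STMT), ("ForAllValues", ANSWER_STMT)):
        for action in ACTIONS:
            print(name, action, statement_allows(stmt, action, READ_CONTEXT))
```

With the key absent, the StringEquals statement never applies and grants nothing, while the ForAllValues statement applies to every call and so does not limit which namespaces are returned.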