AWS CloudWatch (IAM)
Amazon CloudWatch monitors AWS resources and applications, providing metrics, logs, and alarms.
Common permissions
- cloudwatch:PutMetricData
- cloudwatch:GetMetricData
- cloudwatch:ListMetrics
- cloudwatch:DescribeAlarms
- cloudwatch:PutMetricAlarm
- cloudwatch:DeleteAlarms
- cloudwatch:GetDashboard
- cloudwatch:PutDashboard
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:GetDashboard",
        "cloudwatch:PutDashboard"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid cloudwatch:* — grants full control including deletion of alarms and dashboards.
- Avoid cloudwatch:PutMetricData without conditions — can cause high costs from excessive data.
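A check for the two warnings above, as an added Python example (not part of the original page or of any AWS tooling). It treats any Condition block as sufficient and ignores NotAction; the function name audit_cloudwatch_policy and the namespace ExampleApp/Metrics are assumptions for illustration, while cloudwatch:namespace is the IAM condition key that limits PutMetricData to named namespaces.

```python
import fnmatch

def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [] if value is None else [value]

def audit_cloudwatch_policy(policy):
    """Return (statement index, action, reason) for each warning that applies."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            if pattern in ("*", "cloudwatch:*"):
                findings.append((i, action, "full CloudWatch control"))
            elif (fnmatch.fnmatchcase("cloudwatch:putmetricdata", pattern)
                  and not stmt.get("Condition")):  # wildcards such as Put* count
                findings.append((i, action, "PutMetricData without a Condition"))
    return findings

# The page's example policy, abbreviated to three of its actions.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:PutMetricData", "cloudwatch:GetMetricData",
                   "cloudwatch:DescribeAlarms"],
        "Resource": "*",
    }],
}

# Constructed variant: PutMetricData isolated and limited to a placeholder namespace.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:DescribeAlarms"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "cloudwatch:PutMetricData",
         "Resource": "*",
         "Condition": {"StringEquals": {"cloudwatch:namespace": "ExampleApp/Metrics"}}},
    ],
}

if __name__ == "__main__":
    print(audit_cloudwatch_policy(PAGE_POLICY), audit_cloudwatch_policy(SCOPED_POLICY))
```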
Resources
API
full doc /v1/iam/cloudwatch