# Using condition keys to limit access to CloudWatch See the following topics to learn about the service-specific condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. + [Using condition keys to limit access to CloudWatch namespaces](iam-cw-condition-keys-namespace.md) + [Using condition keys to limit Contributor Insights users' access to log groups](iam-cw-condition-keys-contributor.md) + [Using condition keys to limit alarm actions](iam-cw-condition-keys-alarm-actions.md) + [Condition keys for CloudWatch Observability Admin](condition-keys-observabilityadmin.md) To see the global condition keys that are available to all services, see [Available global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). # Using condition keys to limit access to CloudWatch namespaces Use IAM condition keys to limit users to publishing metrics only in the CloudWatch namespaces that you specify. This section provides examples that describe how to allow and exclude users from publishing metrics in a namespace. **Allowing publishing in one namespace only** The following policy limits the user to publishing metrics only in the namespace named `MyCustomNamespace`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "MyCustomNamespace" } } } } ``` ------ **Excluding publishing from a namespace** The following policy allows the user to publish metrics in any namespace except for `CustomNamespace2`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData" }, { "Effect": "Deny", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CustomNamespace2" } } } ] } ``` ------ **Controlling OTLP ingest** The following policy allows the user to publish metrics using the OTLP API: ------ #### [ JSON ] ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData" } ] } ``` ------ For disabling dual ingest, that is, only using PutMetricData and deny any OTLP ingest, you can use the following policy. It limits the user to publishing metrics using PutMetricData in the namespace `MyCustomNamespace` and at the same time implicitly denies any OTLP ingest due to the `StringEquals` condition: ------ #### [ JSON ] ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "MyCustomNamespace" } } } ] } ``` ------ For enabling dual ingest, that is, to allow both PutMetricData and OTLP ingest, you can use the following policy. It limits the user to publishing metrics using PutMetricData in the namespace named `MyCustomNamespace` and at the same time allows OTLP ingest due to the `StringEqualsIfExists` condition: ------ #### [ JSON ] ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEqualsIfExists": { "cloudwatch:namespace": "MyCustomNamespace" } } } ] } ``` ------ # Using condition keys to limit Contributor Insights users' access to log groups To create a rule in Contributor Insights and see its results, a user must have the `cloudwatch:PutInsightRule` permission. By default, a user with this permission can create a Contributor Insights rule that evaluates any log group in CloudWatch Logs and then see the results. The results can contain contributor data for those log groups. You can create IAM policies with condition keys to grant users the permission to write Contributor Insights rules for some log groups while preventing them from writing rules for and seeing this data from other log groups. For more information about the `Condition` element in IAM policies, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html). **Allow access to write rules and view results for only certain log groups** The following policy allows the user access to write rules and view results for the log group named `AllowedLogGroup` and all log groups that have names that start with `AllowedWildCard`. It does not grant access to write rules or view rule results for any other log groups. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowCertainLogGroups", "Effect": "Allow", "Action": "cloudwatch:PutInsightRule", "Resource": "arn:aws:cloudwatch:*:*:insight-rule/*", "Condition": { "ForAllValues:StringEqualsIgnoreCase": { "cloudwatch:requestInsightRuleLogGroups": [ "AllowedLogGroup", "AllowedWildcard*" ] } } } ] } ``` ------ **Deny writing rules for specific log groups but allow writing rules for all other log groups** The following policy explicitly denies the user access to write rules and view rule results for the log group named `ExplicitlyDeniedLogGroup`, but allows writing rules and viewing rule results for all other log groups. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowInsightRulesOnLogGroupsByDefault", "Effect": "Allow", "Action": "cloudwatch:PutInsightRule", "Resource": "arn:aws:cloudwatch:*:*:insight-rule/*" }, { "Sid": "ExplicitDenySomeLogGroups", "Effect": "Deny", "Action": "cloudwatch:PutInsightRule", "Resource": "arn:aws:cloudwatch:*:*:insight-rule/*", "Condition": { "ForAllValues:StringEqualsIgnoreCase": { "cloudwatch:requestInsightRuleLogGroups": [ "/test/alpine/ExplicitlyDeniedLogGroup" ] } } } ] } ``` ------ # Using condition keys to limit alarm actions When CloudWatch alarms change state, they can perform different actions such as stopping and terminating EC2 instances and performing Systems Manager actions. These actions can be initiated when the alarm changes to any state, including ALARM, OK, or INSUFFICIENT\$1DATA. Use the `cloudwatch:AlarmActions` condition key to allow a user to create alarms that can only perform the actions you specify when the alarm state changes. For example, you can allow a user to create alarms that can only perform actions which are not EC2 actions. **Allow a user to create alarms that can only send Amazon SNS notifications or perform Systems Manager actions** The following policy limits the user to creating alarms that can only send Amazon SNS notifications and perform Systems Manager actions. The user can't create alarms that perform EC2 actions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateAlarmsThatCanPerformOnlySNSandSSMActions", "Effect": "Allow", "Action": "cloudwatch:PutMetricAlarm", "Resource": "*", "Condition": { "ForAllValues:StringLike": { "cloudwatch:AlarmActions": [ "arn:aws:sns:*", "arn:aws:ssm:*" ] } } } ] } ``` ------ # Condition keys for CloudWatch Observability Admin You can use IAM policies to control access to Amazon CloudWatch Observability Admin resources and actions by using condition keys. Observability Admin has the following condition keys: | Condition Key | Description | Type | | --- | --- | --- | | CentralizationSourceRegions | ArrayOfString | Filters access by the source Regions that are passed in the request | | CentralizationDestinationRegion | String | Filters access by the destination Region that is passed in the request | | CentralizationBackupRegion | String | Filters access by the backup Region that is passed in the request | ## CentralizationSourceRegions Filters access by the backup region specified for centralization rules. + *Availability* – This key is available for the following resource types: organization-centralization-rule + *Value type* – String **Example JSON policy with observabilityadmin:CentralizationBackupRegion** **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-1" } } } ] } ``` ## CentralizationDestinationRegion Filters access by the destination region specified for centralization rules. + *Availability* – This key is available for the following resource types: organization-centralization-rule + *Value type* – String **Example JSON policy with observabilityadmin:CentralizationDestinationRegion** **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-1" } } } ] } ``` ## CentralizationBackupRegion Filters access by the source regions specified for centralization rules. + *Availability* – This key is available for the following resource types: organization-centralization-rule + *Value type* – List of strings **Example JSON policy with observabilityadmin:CentralizationSourceRegions** **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": ["us-east-1", "us-east-1"] } } } ] } ```