# CloudWatchOpenSearchDashboardsFullAccess CloudWatchOpenSearchDashboardsFullAccess **Description**: This policy provides user access to create integration with OpenSearch to create, update, delete or view dashboards on the CloudWatch Logs console. `CloudWatchOpenSearchDashboardsFullAccess` is an [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies). ## Using this policy You can attach `CloudWatchOpenSearchDashboardsFullAccess` to your users, groups, and roles. ## Policy details + **Type**: AWS managed policy + **Creation time**: December 01, 2024, 21:06 UTC + **Edited time:** February 12, 2026, 17:59 UTC + **ARN**: `arn:aws:iam::aws:policy/CloudWatchOpenSearchDashboardsFullAccess` ## Policy version **Policy version:** v3 (default) The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request. ## JSON policy document ``` { "Version" : "2012-10-17", "Statement" : [ { "Sid" : "CloudWatchOpenSearchDashboardsIntegration", "Effect" : "Allow", "Action" : [ "logs:ListIntegrations", "logs:GetIntegration", "logs:DeleteIntegration", "logs:PutIntegration", "logs:DescribeLogGroups", "opensearch:ApplicationAccessAll", "iam:ListRoles", "iam:ListUsers" ], "Resource" : "*" }, { "Sid" : "CloudWatchLogsOpensearchReadAPIs", "Effect" : "Allow", "Action" : [ "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "es:ListApplications" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com" } } }, { "Sid" : "CloudWatchLogsOpensearchCreateServiceLinkedAccess", "Effect" : "Allow", "Action" : [ "iam:CreateServiceLinkedRole" ], "Resource" : "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService", "Condition" : { "StringEquals" : { "iam:AWSServiceName" : "opensearchservice.amazonaws.com", "aws:CalledViaFirst" : "logs.amazonaws.com" } } }, { "Sid" : "CloudWatchLogsObservabilityCreateServiceLinkedAccess", "Effect" : "Allow", "Action" : [ "iam:CreateServiceLinkedRole" ], "Resource" : "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless", "Condition" : { "StringEquals" : { "iam:AWSServiceName" : "observability.aoss.amazonaws.com", "aws:CalledViaFirst" : "logs.amazonaws.com" } } }, { "Sid" : "CloudWatchLogsCollectionRequestAccess", "Effect" : "Allow", "Action" : [ "aoss:CreateCollection" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:RequestTag/CloudWatchOpenSearchIntegration" : [ "Dashboards" ] }, "ForAllValues:StringEquals" : { "aws:TagKeys" : "CloudWatchOpenSearchIntegration" } } }, { "Sid" : "CloudWatchLogsApplicationRequestAccess", "Effect" : "Allow", "Action" : [ "es:CreateApplication" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:RequestTag/OpenSearchIntegration" : [ "Dashboards" ] }, "ForAllValues:StringEquals" : { "aws:TagKeys" : "OpenSearchIntegration" } } }, { "Sid" : "CloudWatchLogsCollectionResourceAccess", "Effect" : "Allow", "Action" : [ "aoss:DeleteCollection" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration" : [ "Dashboards" ] } } }, { "Sid" : "CloudWatchLogsApplicationResourceAccess", "Effect" : "Allow", "Action" : [ "es:UpdateApplication", "es:GetApplication" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:ResourceTag/OpenSearchIntegration" : [ "Dashboards" ] } } }, { "Sid" : "CloudWatchLogsCollectionPolicyAccess", "Effect" : "Allow", "Action" : [ "aoss:CreateSecurityPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:DeleteSecurityPolicy", "aoss:GetAccessPolicy", "aoss:GetSecurityPolicy" ], "Resource" : "*", "Condition" : { "StringLike" : { "aoss:collection" : "cloudwatch-logs-*", "aws:CalledViaFirst" : "logs.amazonaws.com" } } }, { "Sid" : "CloudWatchLogsAPIAccessAll", "Effect" : "Allow", "Action" : [ "aoss:APIAccessAll" ], "Resource" : "*", "Condition" : { "StringLike" : { "aoss:collection" : "cloudwatch-logs-*" } } }, { "Sid" : "CloudWatchLogsIndexPolicyAccess", "Effect" : "Allow", "Action" : [ "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:GetAccessPolicy", "aoss:CreateLifecyclePolicy", "aoss:DeleteLifecyclePolicy" ], "Resource" : "*", "Condition" : { "StringLike" : { "aoss:index" : "cloudwatch-logs-*", "aws:CalledViaFirst" : "logs.amazonaws.com" } } }, { "Sid" : "CloudWatchLogsDQSRequestQueryAccess", "Effect" : "Allow", "Action" : [ "es:AddDirectQueryDataSource" ], "Resource" : "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:RequestTag/CloudWatchOpenSearchIntegration" : [ "Dashboards" ] }, "ForAllValues:StringEquals" : { "aws:TagKeys" : "CloudWatchOpenSearchIntegration" } } }, { "Sid" : "CloudWatchLogsStartDirectQueryAccess", "Effect" : "Allow", "Action" : [ "opensearch:StartDirectQuery", "opensearch:GetDirectQuery" ], "Resource" : "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*" }, { "Sid" : "CloudWatchLogsDQSResourceQueryAccess", "Effect" : "Allow", "Action" : [ "es:GetDirectQueryDataSource", "es:DeleteDirectQueryDataSource" ], "Resource" : "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration" : [ "Dashboards" ] } } }, { "Sid" : "CloudWatchLogsPassRoleAccess", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : "*", "Condition" : { "StringLike" : { "iam:PassedToService" : "directquery.opensearchservice.amazonaws.com", "aws:CalledViaFirst" : "logs.amazonaws.com" } } }, { "Sid" : "CloudWatchLogsAossTagsAccess", "Effect" : "Allow", "Action" : [ "aoss:TagResource" ], "Resource" : "arn:aws:aoss:*:*:collection/*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration" : [ "Dashboards" ] }, "ForAllValues:StringEquals" : { "aws:TagKeys" : "CloudWatchOpenSearchIntegration" } } }, { "Sid" : "CloudWatchLogsEsApplicationTagsAccess", "Effect" : "Allow", "Action" : [ "es:AddTags" ], "Resource" : "arn:aws:opensearch:*:*:application/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/OpenSearchIntegration" : [ "Dashboards" ], "aws:CalledViaFirst" : "logs.amazonaws.com" }, "ForAllValues:StringEquals" : { "aws:TagKeys" : "OpenSearchIntegration" } } }, { "Sid" : "CloudWatchLogsEsDataSourceTagsAccess", "Effect" : "Allow", "Action" : [ "es:AddTags" ], "Resource" : "arn:aws:opensearch:*:*:datasource/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CloudWatchOpenSearchIntegration" : [ "Dashboards" ], "aws:CalledViaFirst" : "logs.amazonaws.com" }, "ForAllValues:StringEquals" : { "aws:TagKeys" : "CloudWatchOpenSearchIntegration" } } } ] } ``` ## Learn more + [Create a permission set using AWS managed policies in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) + [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) + [Understand versioning for IAM policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html) + [Get started with AWS managed policies and move toward least-privilege permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)