

# Amazon CloudWatch permissions reference
<a name="permissions-reference-cw"></a>

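The following tables list each CloudWatch API operation and the corresponding action for which you can grant permission to perform that operation. You specify the actions in the policy's `Action` field, and you specify a wildcard character (\*) as the resource value in the policy's `Resource` field.

You can use AWS-wide condition keys in your CloudWatch policies to express conditions. For a complete list of AWS-wide keys, see [AWS global and IAM condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

**Note**  
To specify an action, use the `cloudwatch:` prefix before the API operation name. For example: `cloudwatch:GetMetricData`, `cloudwatch:ListMetrics`, or `cloudwatch:*` (for all CloudWatch actions).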

**Topics**
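+ [CloudWatch API operations and required permissions for actions](#cw-permissions-table)
+ [CloudWatch Application Signals API operations and required permissions for actions](#cw-application-signals-permissions-table)
+ [CloudWatch Contributor Insights API operations and required permissions for actions](#cw-contributor-insights-permissions-table)
+ [CloudWatch Events API operations and required permissions for actions](#cwe-permissions-table)
+ [CloudWatch Logs API operations and required permissions for actions](#cwl-permissions-table)
+ [Amazon EC2 API operations and required permissions for actions](#cw-ec2-permissions-table)
+ [Amazon EC2 Auto Scaling API operations and required permissions for actions](#cw-as-permissions-table)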

## CloudWatch API operations and required permissions for actions
<a name="cw-permissions-table"></a>


| CloudWatch API operation | Required permission (API action) |
| --- | --- |
| [DeleteAlarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html) | `cloudwatch:DeleteAlarms`<br />Required to delete an alarm. |
| [DeleteDashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteDashboards.html) | `cloudwatch:DeleteDashboards`<br />Required to delete a dashboard. |
| [DeleteMetricStream](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteMetricStream.html) | `cloudwatch:DeleteMetricStream`<br />Required to delete a metric stream. |
| [DescribeAlarmHistory](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeAlarmHistory.html) | `cloudwatch:DescribeAlarmHistory`<br />Required to view alarm history.<br />To retrieve information about composite alarms, your `cloudwatch:DescribeAlarmHistory` permission must have a `*` scope. If your `cloudwatch:DescribeAlarmHistory` permission has a narrower scope, information about composite alarms cannot be returned. |
| [DescribeAlarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeAlarms.html) | `cloudwatch:DescribeAlarms`<br />Required to retrieve information about alarms.<br />To retrieve information about composite alarms, your `cloudwatch:DescribeAlarms` permission must have a `*` scope. If your `cloudwatch:DescribeAlarms` permission has a narrower scope, information about composite alarms cannot be returned. |
| [DescribeAlarmsForMetric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeAlarmsForMetric.html) | `cloudwatch:DescribeAlarmsForMetric`<br />Required to view alarms for a metric. |
| [DisableAlarmActions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DisableAlarmActions.html) | `cloudwatch:DisableAlarmActions`<br />Required to disable an alarm action. |
| [EnableAlarmActions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_EnableAlarmActions.html) | `cloudwatch:EnableAlarmActions`<br />Required to enable an alarm action. |
| [GetDashboard](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetDashboard.html) | `cloudwatch:GetDashboard`<br />Required to display data about existing dashboards. |
| [GetMetricData](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html) | `cloudwatch:GetMetricData`<br />Required to retrieve large batches of metric data in the CloudWatch console and to perform metric math on that data. |
| [GetMetricStatistics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricStatistics.html) | `cloudwatch:GetMetricStatistics`<br />Required to view graphs in other parts of the CloudWatch console and in dashboard widgets. |
| [GetMetricStream](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricStream.html) | `cloudwatch:GetMetricStream`<br />Required to view information about a metric stream. |
| [GetMetricWidgetImage](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricWidgetImage.html) | `cloudwatch:GetMetricWidgetImage`<br />Required to retrieve a snapshot graph of one or more CloudWatch metrics as a bitmap image. |
| [GetOTelEnrichment](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetOTelEnrichment.html) | `cloudwatch:GetOTelEnrichment`<br />Required to retrieve the OpenTelemetry enrichment for vended metrics. |
| [ListDashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListDashboards.html) | `cloudwatch:ListDashboards`<br />Required to view the list of CloudWatch dashboards in your account. |
| ListEntitiesForMetric<br />(CloudWatch console-only permission) | `cloudwatch:ListEntitiesForMetric`<br />Required to find the entities associated with a metric. Required to explore related telemetry in the CloudWatch console. |
| [ListMetrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html) | `cloudwatch:ListMetrics`<br />Required to view or search metric names in the CloudWatch console and in the CLI. Required to select metrics on dashboard widgets. |
| [ListMetricStreams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetricStreams.html) | `cloudwatch:ListMetricStreams`<br />Required to view or search the list of metric streams in the account. |
| [ListTagsForResource](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListTagsForResource.html) | `cloudwatch:ListTagsForResource`<br />Required to list the tags associated with a CloudWatch resource. |
| [PutCompositeAlarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutCompositeAlarm.html) | `cloudwatch:PutCompositeAlarm`<br />Required to create a composite alarm.<br />To create a composite alarm, your `cloudwatch:PutCompositeAlarm` permission must have a `*` scope. If your `cloudwatch:PutCompositeAlarm` permission has a narrower scope, information about composite alarms cannot be returned. |
| [PutDashboard](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutDashboard.html) | `cloudwatch:PutDashboard`<br />Required to create a dashboard or update an existing dashboard. |
| [PutMetricAlarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricAlarm.html) | `cloudwatch:PutMetricAlarm`<br />Required to create or update an alarm. |
| [PutMetricData](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html) | `cloudwatch:PutMetricData`<br />Required to create metrics. |
| [PutMetricStream](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricStream.html) | `cloudwatch:PutMetricStream`<br />Required to create a metric stream. |
| [SetAlarmState](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_SetAlarmState.html) | `cloudwatch:SetAlarmState`<br />Required to manually set an alarm's state. |
| [StartMetricStreams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_StartMetricStreams.html) | `cloudwatch:StartMetricStreams`<br />Required to start the flow of metrics in a metric stream. |
| [StartOTelEnrichment](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_StartOTelEnrichment.html) | `cloudwatch:StartOTelEnrichment`<br />Required to enable OpenTelemetry enrichment for vended metrics so that they can be queried with PromQL. |
| [StopMetricStreams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_StartMetricStreams.html) | `cloudwatch:StopMetricStreams`<br />Required to temporarily stop the flow of metrics in a metric stream. |
| [StopOTelEnrichment](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_StopOTelEnrichment.html) | `cloudwatch:StopOTelEnrichment`<br />Required to disable OpenTelemetry enrichment for vended metrics. |
| [TagResource](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_TagResource.html) | `cloudwatch:TagResource`<br />Required to add or update tags on CloudWatch resources such as alarms and Contributor Insights rules. |
| [UntagResource](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_UntagResource.html) | `cloudwatch:UntagResource`<br />Required to remove tags from CloudWatch resources. |

## CloudWatch Application Signals API operations and required permissions for actions
<a name="cw-application-signals-permissions-table"></a>


| CloudWatch Application Signals API operation | Required permission (API action) |
| --- | --- |
| [BatchGetServiceLevelObjectiveBudgetReport](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_BatchGetServiceLevelObjectiveBudgetReport.html) | `application-signals:BatchGetServiceLevelObjectiveBudgetReport`<br />Required to retrieve service level objective budget reports. |
| [CreateServiceLevelObjective](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_CreateServiceLevelObjective.html) | `application-signals:CreateServiceLevelObjective`<br />Required to create a service level objective (SLO). |
| [DeleteServiceLevelObjective](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_DeleteServiceLevelObjective.html) | `application-signals:DeleteServiceLevelObjective`<br />Required to delete a service level objective (SLO). |
| [GetService](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_GetService.html) | `application-signals:GetService`<br />Required to retrieve information about a service discovered by Application Signals. |
| [GetServiceLevelObjective](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_GetServiceLevelObjective.html) | `application-signals:GetServiceLevelObjective`<br />Required to retrieve information about a service level objective (SLO). |
| ListObservedEntities | `application-signals:ListObservedEntities`<br />Grants permission to list the entities that are associated with other entities. |
| [ListServiceDependencies](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_ListServiceDependencies.html) | `application-signals:ListServiceDependencies`<br />Required to retrieve a list of service dependencies of the service that you specify. The service and the dependencies were discovered by Application Signals. |
| [ListServiceDependents](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_ListServiceDependents.html) | `application-signals:ListServiceDependents`<br />Required to retrieve the list of dependents that invoke the service that you specify. The service and the dependents were discovered by Application Signals. |
| [ListServiceLevelObjectives](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_ListServiceLevelObjectives.html) | `application-signals:ListServiceLevelObjectives`<br />Required to retrieve the list of service level objectives (SLOs) in the account. |
| [ListServiceOperations](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_ListServiceOperations.html) | `application-signals:ListServiceOperations`<br />Required to retrieve a list of service operations of the service that you specify. The service and the dependencies were discovered by Application Signals. |
| [ListServices](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_ListServices.html) | `application-signals:ListServices`<br />Required to retrieve the list of services discovered by Application Signals. |
| [ListTagsForResource](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_ListTagsForResource.html) | `application-signals:ListTagsForResource`<br />Required to retrieve the list of tags associated with a resource. |
| [StartDiscovery](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_StartDiscovery.html) | `application-signals:StartDiscovery`<br />Required to enable Application Signals in the account and create the required service-linked role. |
| [TagResource](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_TagResource.html) | `application-signals:TagResource`<br />Required to add tags to a resource. |
| [UntagResource](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_UntagResource.html) | `application-signals:UntagResource`<br />Required to remove tags from a resource. |
| [UpdateServiceLevelObjective](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/API_UpdateServiceLevelObjective.html) | `application-signals:UpdateServiceLevelObjective`<br />Required to update an existing service level objective. |

## CloudWatch Contributor Insights API operations and required permissions for actions
<a name="cw-contributor-insights-permissions-table"></a>

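**Important**  
When you grant a user the `cloudwatch:PutInsightRule` permission, by default that user can create a rule that evaluates any log group in CloudWatch Logs. You can add IAM policy conditions that limit these permissions for a user to include and exclude specific log groups. For more information, see [Using condition keys to limit Contributor Insights users' access to log groups](iam-cw-condition-keys-contributor.md).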


| CloudWatch Contributor Insights API operation | Required permission (API action) |
| --- | --- |
| [DeleteInsightRules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteInsightRules.html) | `cloudwatch:DeleteInsightRules`<br />Required to delete Contributor Insights rules. |
| [DescribeInsightRules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeInsightRules.html) | `cloudwatch:DescribeInsightRules`<br />Required to view the Contributor Insights rules in your account. |
| [EnableInsightRules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_EnableInsightRules.html) | `cloudwatch:EnableInsightRules`<br />Required to enable Contributor Insights rules. |
| [GetInsightRuleReport](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetInsightRuleReport.html) | `cloudwatch:GetInsightRuleReport`<br />Required to retrieve the time series data and other statistics collected by Contributor Insights rules. |
| [PutInsightRule](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutInsightRule.html) | `cloudwatch:PutInsightRule`<br />Required to create Contributor Insights rules. See the **Important** information at the beginning of this table. |

## CloudWatch Events API operations and required permissions for actions
<a name="cwe-permissions-table"></a>


| CloudWatch Events API operation | Required permission (API action) |
| --- | --- |
| [DeleteRule](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_DeleteRule.html) | `events:DeleteRule`<br />Required to delete a rule. |
| [DescribeRule](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_DescribeRule.html) | `events:DescribeRule`<br />Required to list the details about a rule. |
| [DisableRule](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_DisableRule.html) | `events:DisableRule`<br />Required to disable a rule. |
| [EnableRule](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_EnableRule.html) | `events:EnableRule`<br />Required to enable a rule. |
| [ListRuleNamesByTarget](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_ListRuleNamesByTarget.html) | `events:ListRuleNamesByTarget`<br />Required to list the rules associated with a target. |
| [ListRules](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_ListRules.html) | `events:ListRules`<br />Required to list all rules in your account. |
| [ListTargetsByRule](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_ListTargetsByRule.html) | `events:ListTargetsByRule`<br />Required to list all targets associated with a rule. |
| [PutEvents](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_PutEvents.html) | `events:PutEvents`<br />Required to add custom events that can be matched to rules. |
| [PutRule](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_PutRule.html) | `events:PutRule`<br />Required to create or update a rule. |
| [PutTargets](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_PutTargets.html) | `events:PutTargets`<br />Required to add targets to a rule. |
| [RemoveTargets](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_RemoveTargets.html) | `events:RemoveTargets`<br />Required to remove a target from a rule. |
| [TestEventPattern](https://docs.aws.amazon.com/AmazonCloudWatchEvents/latest/APIReference/API_TestEventPattern.html) | `events:TestEventPattern`<br />Required to test an event pattern against a given event. |

## CloudWatch Logs API operations and required permissions for actions
<a name="cwl-permissions-table"></a>

**Note**  
CloudWatch Logs permissions can be found in the [CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html).

## Amazon EC2 API operations and required permissions for actions
<a name="cw-ec2-permissions-table"></a>


| Amazon EC2 API operation | Required permission (API action) |
| --- | --- |
| [DescribeInstanceStatus](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceStatus.html) | `ec2:DescribeInstanceStatus`<br />Required to view EC2 instance status details. |
| [DescribeInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) | `ec2:DescribeInstances`<br />Required to view EC2 instance details. |
| [RebootInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RebootInstances.html) | `ec2:RebootInstances`<br />Required to reboot an EC2 instance. |
| [StopInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html) | `ec2:StopInstances`<br />Required to stop an EC2 instance. |
| [TerminateInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html) | `ec2:TerminateInstances`<br />Required to terminate an EC2 instance. |

## Amazon EC2 Auto Scaling API operations and required permissions for actions
<a name="cw-as-permissions-table"></a>


| Amazon EC2 Auto Scaling API operation | Required permission (API action) |
| --- | --- |
| Scaling | `autoscaling:Scaling`<br />Required to scale an Auto Scaling group. |
| Trigger | `autoscaling:Trigger`<br />Required to trigger an Auto Scaling action. |