# Required roles and permissions for CloudWatch canaries
Both the users who create and manage canaries, and the canaries themselves, must have certain permissions.
# Required roles and permissions for users who manage CloudWatch canaries
To view canary details and the results of canary runs, you must be signed in as a user with either the `CloudWatchSyntheticsFullAccess` or the ` CloudWatchSyntheticsReadOnlyAccess` policies attached. To read all Synthetics data in the console, you also need the `AmazonS3ReadOnlyAccess` and ` CloudWatchReadOnlyAccess` policies. To view the source code used by canaries, you also need the `AWSLambda_ReadOnlyAccess` policy.
To create canaries, you must be signed in as an user who has the ` CloudWatchSyntheticsFullAccess` policy or a similar set of permissions. To create IAM roles for the canaries, you also need the following inline policy statement:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:CreatePolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
"arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*"
]
}
]
}
```
------
**Important**
Granting a user the `iam:CreateRole`, `iam:CreatePolicy`, and ` iam:AttachRolePolicy` permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources and can attach that policy to any role. Be very careful about who you grant these permissions to.
For information about attaching policies and granting permissions to users, see [Changing Permissions for an IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) and [To embed an inline policy for a user or role](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#embed-inline-policy-console).
# Required roles and permissions for canaries
Each canary must be associated with an IAM role that has certain permissions attached. When you create a canary using the CloudWatch console, you can choose for CloudWatch Synthetics to create an IAM role for the canary. If you do, the role will have the permissions needed.
If you want to create the IAM role yourself, or create an IAM role that you can use when using the AWS CLI or APIs to create a canary, the role must contain the permissions listed in this section.
All IAM roles for canaries must include the following trust policy statement.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
Additionally, the canary's IAM role needs one of the following statements.
**Basic canary that doesn't use AWS KMS or need Amazon VPC access**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::path/to/your/s3/bucket/canary/results/folder"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::name/of/the/s3/bucket/that/contains/canary/results"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"xray:PutTraceSegments"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Resource": "*",
"Action": "cloudwatch:PutMetricData",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "CloudWatchSynthetics"
}
}
}
]
}
```
------
**Canary that uses AWS KMS to encrypt canary artifacts but does not need Amazon VPC access**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::path/to/your/S3/bucket/canary/results/folder"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"xray:PutTraceSegments"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Resource": "*",
"Action": "cloudwatch:PutMetricData",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "CloudWatchSynthetics"
}
}
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/KMS_key_id",
"Condition": {
"StringEquals": {
"kms:ViaService": [
"s3.us-east-1.amazonaws.com"
]
}
}
}
]
}
```
------
**Canary that does not use AWS KMS but does need Amazon VPC access**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::path/to/your/S3/bucket/canary/results/folder"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"xray:PutTraceSegments"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Resource": "*",
"Action": "cloudwatch:PutMetricData",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "CloudWatchSynthetics"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"*"
]
}
]
}
```
------
**Canary that uses AWS KMS to encrypt canary artifacts and also needs Amazon VPC access**
If you update a non-VPC canary to start using a VPC, you'll need to update the canary's role to include the network interface permissions listed in the following policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::path/to/your/S3/bucket/canary/results/folder"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"xray:PutTraceSegments"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Resource": "*",
"Action": "cloudwatch:PutMetricData",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "CloudWatchSynthetics"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/KMS_key_id",
"Condition": {
"StringEquals": {
"kms:ViaService": [
"s3.us-east-1.amazonaws.com"
]
}
}
}
]
}
```
------
## AWS managed policies for CloudWatch Synthetics
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally change the permissions in an AWS managed policy. This type of update affects all identities (users, groups, and roles) where the policy is attached.
### CloudWatch Synthetics updates to AWS managed policies
View details about updates to AWS managed policies for CloudWatch Synthetics since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Document history page.
| Change | Description | Date |
| --- | --- | --- |
| Redundant actions removed from **CloudWatchSyntheticsFullAccess** | CloudWatch Synthetics removed the `s3:PutBucketEncryption` and ` lambda:GetLayerVersionByArn` actions from ** CloudWatchSyntheticsFullAccess** policy because those actions were redundant with other permissions in the policy. The removed actions did not provide any permissions, and there’s no net change to the permissions granted by the policy. | March 12, 2021 |
| CloudWatch Synthetics started tracking changes | CloudWatch Synthetics started tracking changes for its AWS managed policies. | March 10, 2021 |
**CloudWatchSyntheticsFullAccess**
Here are the contents of the `CloudWatchSyntheticsFullAccess` policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"synthetics:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutEncryptionConfiguration"
],
"Resource": [
"arn:aws:s3:::cw-syn-results-*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"s3:ListAllMyBuckets",
"xray:GetTraceSummaries",
"xray:BatchGetTraces",
"apigateway:GET"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::cw-syn-*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::aws-synthetics-library-*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"synthetics.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListAttachedRolePolicies"
],
"Resource": [
"arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms"
],
"Resource": [
"arn:aws:cloudwatch:*:*:alarm:Synthetics-*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarms"
],
"Resource": [
"arn:aws:cloudwatch:*:*:alarm:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:GetLogRecord",
"logs:DescribeLogStreams",
"logs:StartQuery",
"logs:GetLogEvents",
"logs:FilterLogEvents",
"logs:GetLogGroupFields"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/cwsyn-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:AddPermission",
"lambda:PublishVersion",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:GetFunctionConfiguration",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:ListTags",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:*:*:function:cwsyn-*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:GetLayerVersion",
"lambda:PublishLayerVersion",
"lambda:DeleteLayerVersion"
],
"Resource": [
"arn:aws:lambda:*:*:layer:cwsyn-*",
"arn:aws:lambda:*:*:layer:Synthetics:*",
"arn:aws:lambda:*:*:layer:Synthetics_Selenium:*",
"arn:aws:lambda:*:*:layer:AWS-CW-Synthetics*:*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:ListTopics"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:Subscribe",
"sns:ListSubscriptionsByTopic"
],
"Resource": [
"arn:*:sns:*:*:Synthetics-*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:ListAliases"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:*:*:key/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:*:*:key/*",
"Condition": {
"StringLike": {
"kms:ViaService": [
"s3.*.amazonaws.com"
]
}
}
}
]
}
```
------
**CloudWatchSyntheticsReadOnlyAccess**
Here are the contents of the `CloudWatchSyntheticsReadOnlyAccess` policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"synthetics:Describe*",
"synthetics:Get*",
"synthetics:List*"
],
"Resource": "*"
}
]
}
```
------
# Limiting a user to viewing specific canaries
You can limit a user's ability to view information about canaries, so that they can only see information about the canaries you specify. To do this, use an IAM policy with a ` Condition` statement similar to the following, and attach this policy to a user or an IAM role.
The following example limits the user to only viewing information about ` name-of-allowed-canary-1` and `name-of-allowed-canary-2`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "synthetics:DescribeCanaries",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"synthetics:Names": [
"name-of-allowed-canary-1",
"name-of-allowed-canary-2"
]
}
}
}
]
}
```
------
CloudWatch Synthetics supports listing as many as five items in the `synthetics:Names` array.
You can also create a policy that uses a \$1** as a wildcard in canary names that are to be allowed, as in the following example:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "synthetics:DescribeCanaries",
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"synthetics:Names": [
"my-team-canary-*"
]
}
}
}
]
}
```
------
Any user signed in with one of these policies attached can't use the CloudWatch console to view any canary information. They can view canary information only for the canaries authorized by the policy and only by using the [DescribeCanaries](https://docs.aws.amazon.com/AmazonSynthetics/latest/APIReference/API_DescribeCanaries.html) API or the [describe-canaries](https://docs.aws.amazon.com/cli/latest/reference/synthetics/describe-canaries.html) AWS CLI command.