# AWS managed (predefined) policies for CloudWatch
<a name="managed-policies-cloudwatch"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. 

 The following AWS managed policies, which you can attach to users in your account, are specific to CloudWatch. 

**Topics**
+ [CloudWatch updates to AWS managed policies](#security-iam-awsmanpol-updates)
+ [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2)
+ [CloudWatchFullAccess](#managed-policies-cloudwatch-CloudWatchFullAccess)
+ [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess)
+ [CloudWatchActionsEC2Access](#managed-policies-cloudwatch-CloudWatchActionsEC2Access)
+ [CloudWatch-CrossAccountAccess](#managed-policies-cloudwatch-CloudWatch-CrossAccountAccess)
+ [CloudWatchAutomaticDashboardsAccess](#managed-policies-cloudwatch-CloudWatch-CloudWatchAutomaticDashboardsAccess)
+ [CloudWatchAgentServerPolicy](#managed-policies-cloudwatch-CloudWatchAgentServerPolicy)
+ [CloudWatchAgentAdminPolicy](#managed-policies-cloudwatch-CloudWatchAgentAdminPolicy)
+ [CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](#managed-policies-cloudwatch-CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy)
+ [AWS managed (predefined) policies for CloudWatch cross-account observability](#managed-policies-cloudwatch-crossaccount)
+ [AWS managed (predefined) policies for CloudWatch investigations](#managed-policies-cloudwatch-QInvestigations)
+ [AWS managed (predefined) policies for CloudWatch Application Signals](#managed-policies-cloudwatch-ApplicationSignals)
+ [AWS managed (predefined) policies for CloudWatch Synthetics](#managed-policies-cloudwatch-canaries)
+ [AWS managed (predefined) policies for Amazon CloudWatch RUM](#managed-policies-cloudwatch-RUM)
+ [AWS managed policy for AWS Systems Manager Incident Manager](#managed-policies-cloudwatch-incident-manager)

## CloudWatch updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for CloudWatch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Document history page.




| Change | Description | Date | 
| --- | --- | --- | 
|   [CloudWatchSyntheticsFullAccess](#managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess) – Updated policy  |  CloudWatch updated the **CloudWatchSyntheticsFullAccess** policy. The `cloudwatch:ListMetrics` permission was added so that CloudWatch Synthetics can list available metrics. Additionally, the `apigateway:GET` permission has been changed from allowing all resources to specific API Gateway resources: REST APIs, REST API stages, REST API stage Swagger exports, and HTTP APIs.  | March 31, 2026 | 
|   [AIOpsAssistantPolicy](#managed-policies-QInvestigations-AIOpsAssistant) – Updated policy  |  CloudWatch updated the **AIOpsAssistantPolicy** IAM policy. It added permissions to enable CloudWatch investigations to assist in queries, troubleshooting, and topology mapping.  The following permissions were added: `appsync:GetGraphqlApiEnvironmentVariables`, `cloudtrail:GetEventConfiguration`, `kms:GetKeyPolicy`, and `s3:GetBucketAbac`   | February 06, 2026 | 
|   [AIOpsAssistantPolicy](#managed-policies-QInvestigations-AIOpsAssistant) – Updated policy  |  CloudWatch updated the **AIOpsAssistantPolicy** IAM policy. It added permissions to enable CloudWatch investigations to assist in queries, troubleshooting, and topology mapping.  The following permissions were added: `kms:GetKeyRotationStatus`, `kms:ListAliases`, and `kms:ListKeyRotations`   | December 17, 2025 | 
|   [ CloudWatchNetworkMonitorServiceRolePolicy](security-iam-awsmanpol-nw.md#security-iam-CloudWatchNetworkMonitorServiceRolePolicy) – Updated policy  |  CloudWatch added the `ec2:DescribeRouteTables`, `ec2:DescribeTransitGatewayAttachments`, `ec2:DescribeTransitGatewayRouteTables`, `ec2:SearchTransitGatewayRoutes` permissions to the **CloudWatchNetworkMonitorServiceRolePolicy** managed policy to grant permissions for Network Synthetic Monitor to generate the Network Health Indicator values for customers utilizing Transit Gateways.  | December 12, 2025 | 
|   [ CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](#managed-policies-cloudwatch-CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy) – Updated policy  |  CloudWatch added the `ec2:DescribeVpcEndpoints` and `ec2:DescribeVpcEndpointServiceConfigurations` permissions to the **CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy** managed policy to grant permissions for Network Flow Monitor to generate topology snapshots of VPC endpoints and vpce service config.  | December 10, 2025 | 
|   [ CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – Updated policy  |  CloudWatch added permissions to **CloudWatchFullAccessV2**. Permissions for observability administration actions were added to allow full access to telemetry pipelines and S3 table integrations.  | December 02, 2025 | 
|   [ CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Updated policy  |  CloudWatch added permissions to **CloudWatchReadOnlyAccess**. Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations.  | December 02, 2025 | 
|   [CloudWatchFullAccessV2 ](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – Updated policy   |  CloudWatch updated the **CloudWatchFullAccessV2** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals by enabling resource explorer.   | November 20th, 2025 | 
|   [CloudWatchApplicationSignalsFullAccess ](#managed-policies-cloudwatch-CloudWatchApplicationSignalsFullAccess) – Updated policy   |  CloudWatch updated the **CloudWatchApplicationSignalsFullAccess** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals by enabling resource explorer.   | November 20th, 2025 | 
|   [CloudWatchReadOnlyAccess ](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Updated policy   |  CloudWatch updated the **CloudWatchReadOnlyAccess** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals.   | November 20th, 2025 | 
|   [CloudWatchApplicationSignalsReadOnlyAccess ](#managed-policies-cloudwatch-CloudWatchApplicationSignalsReadOnlyAccess) – Updated policy   |  CloudWatch updated the **CloudWatchApplicationSignalsReadOnlyAccess** policy to include permissions to support viewing change events for a given entity and time range, and querying uninstrumented services and resources from Application Signals.   | November 20th, 2025 | 
|  [CloudWatchApplicationSignalsServiceRolePolicy](using-service-linked-roles.md#service-linked-role-signals) – Update to an existing policy  |  CloudWatch updated the policy named **CloudWatchApplicationSignalsServiceRolePolicy**. Updated the policy to include `resource-explorer-2:Search` and `cloudtrail:CreateServiceLinkedChannel` to enable new Application Signals features.  | November 20, 2025 | 
|   [AIOpsConsoleAdminPolicy – Updated policy ](https://docs.aws.amazon.com/managed-policies-QInvestigations-AIOpsConsoleAdminPolicy)   |  CloudWatch updated the **AIOpsConsoleAdminPolicy** policy to include Amazon Q integration permissions, enabling users to interact with CloudWatch investigations incident reports through Amazon Q's conversational interface.  | November 17, 2025 | 
|   [AIOpsOperatorAccess – Updated policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsOperatorAccess.html)   |  CloudWatch updated the **AIOpsOperatorAccess** policy to include Amazon Q integration permissions, enabling users to interact with CloudWatch investigations incident reports through Amazon Q's conversational interface.  | November 7, 2025 | 
|   [ CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](#managed-policies-cloudwatch-CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy) – Updated policy  |  CloudWatch added the `ec2:DescribeManagedPrefixLists` and `ec2:GetManagedPrefixListEntries` permissions to the **CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy** managed policy to grant permissions for Network Flow Monitor to generate topology snapshots of managed prefix lists.  | November 06, 2025 | 
|   [AIOpsAssistantIncidentReportPolicy – New policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsAssistantIncidentReportPolicy.html)   |  CloudWatch added the **AIOpsAssistantIncidentReportPolicy** policy to enable CloudWatch investigations to generate incident reports from investigation data, including permissions to access investigations, create reports, and manage AI-derived facts.  | October 10, 2025 | 
|   [AIOpsOperatorAccess – Updated policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsOperatorAccess.html)   |  CloudWatch updated the **AIOpsOperatorAccess** policy to include incident report generation permissions, allowing users to create and manage incident reports and work with AI-derived facts in CloudWatch investigations.  | October 10, 2025 | 
|   [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy.   |   CloudWatch added permissions to **CloudWatchReadOnlyAccess**.  Permissions for observability administration actions were added to allow read-only access to telemetry rules, centralization configurations, and resource telemetry data across AWS Organizations.   |   October 10, 2025  | 
|  [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – Updates to existing policies  |  CloudWatch updated **CloudWatchFullAccessV2** to include CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.   | October 8, 2025 | 
|  [CloudWatchReadOnlyAccess ](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Updates to existing policies  |  CloudWatch updated **CloudWatchReadOnlyAccess ** to include CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.   | October 8, 2025 | 
|   [CloudWatchApplicationSignalsReadOnlyAccess – Updated policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsReadOnlyAccess.html)   |  CloudWatch updated the **CloudWatchApplicationSignalsReadOnlyAccess** policy to view how resources and services change in your account and view top observations for service anomalies in your account.  | September 29, 2025 | 
|   [CloudWatchApplicationSignalsFullAccess – Updated policy ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsFullAccess.html)   |  CloudWatch updated the **CloudWatchApplicationSignalsFullAccess** policy to view how resources and services change in your account and view top observations for service anomalies in your account.  | September 29, 2025 | 
|   [AIOpsAssistantPolicy](#managed-policies-QInvestigations-AIOpsAssistant) – Updated policy  |  CloudWatch updated the **AIOpsAssistantPolicy** to allow CloudWatch investigations access to additional resources to assist in queries, troubleshooting, and topology mapping. This policy grants CloudWatch investigations the necessary permissions for conducting investigations.   | September 24, 2025 | 
|   [AIOpsConsoleAdminPolicy](#managed-policies-QInvestigations-AIOpsConsoleAdminPolicy) – Updated policy  |  CloudWatch updated the **AIOpsConsoleAdminPolicy** policy to permit validation of investigation groups across accounts. This policy grants users access to CloudWatch investigations actions, and to additional AWS actions that are necessary for accessing investigation events.   | June 13, 2025 | 
|  [AIOpsOperatorAccess](#managed-policies-QInvestigations-AIOpsOperatorAccess) – Updated policy  |  CloudWatch updated the **AIOpsOperatorAccess** policy to permit validation of investigation groups across accounts. This policy grants users access to CloudWatch investigations actions, and to additional AWS actions that are necessary for accessing investigation events.  | June 13, 2025 | 
|  [AIOpsAssistantPolicy](#managed-policies-QInvestigations-AIOpsAssistant) – Updates to existing policy  |  CloudWatch updated the **AIOpsAssistantPolicy** IAM policy. It added permissions to enable CloudWatch Application Insights operational investigations to find information in your resources during investigations. The following permissions were added: `appsync:GetGraphqlApi`, `appsync:GetDataSource`, `iam:ListAttachedRolePolicies`, `iam:ListRolePolicies`, and `iam:ListRoles` Additionally, the `elastic-inference:Describe*` permission was removed from the policy.  | June 13, 2025 | 
| [AmazonCloudWatchRUMReadOnlyAccess](#managed-policies-CloudWatchRUMReadOnlyAccess) – Updated policy  |  CloudWatch added permissions to the **AmazonCloudWatchRUMReadOnlyAccess** policy. The `synthetics: describeCanaries` and `synthetics:describeCanariesLastRun` was added so that CloudWatch RUM can display associated Synthetics Canaries to the RUM app monitor. The `cloudwatch:GetMetricData` was added so that CloudWatch RUM can display associated CloudWatch metrics to the RUM app monitor. The `cloudwatch:DescribeAlarms` was added so that CloudWatch RUM can display associated CloudWatch alarms to the RUM app monitor. The `logs:DescribeLogGroups` was added so that CloudWatch RUM can display associated CloudWatch logs to the RUM app monitor. The `xray:GetTraceSummaries` was added so that CloudWatch RUM can display associated X-Ray Trace segments to the RUM app monitor. The `rum:ListTagsForResources` was added so that CloudWatch RUM can display associated tags to the RUM app monitor.  | June 28, 2025 | 
|  [AIOpsReadOnlyAccess](#managed-policies-QInvestigations-AIOpsReadOnlyAccess) – Updated policy  |  CloudWatch updated the **AIOpsReadOnlyAccess** policy to permit validation of investigation groups across accounts. This policy grants a user read-only permissions for Amazon AI Operations and other related services.  | June 5, 2025 | 
| [AmazonCloudWatchRUMReadOnlyAccess](#managed-policies-CloudWatchRUMReadOnlyAccess) – Updated policy  |  CloudWatch added a permission to the **AmazonCloudWatchRUMReadOnlyAccess** policy. The `rum:GetResourcePolicy` permission was added so that CloudWatch RUM can view the resource policy attached to the RUM application monitor.  | April 28, 2025 | 
|  [AIOpsConsoleAdminPolicy](#managed-policies-QInvestigations-AIOpsConsoleAdminPolicy) – New policy  |  CloudWatch created a new policy named **AIOpsConsoleAdminPolicy**. This policy grants users full administrative access for managing CloudWatch investigations, including the management of trusted identity propagation, and the management of IAM Identity Center and organizational access.  | December 3, 2024 | 
|  [AIOpsOperatorAccess](#managed-policies-QInvestigations-AIOpsOperatorAccess) – New policy  |  CloudWatch created a new policy named **AIOpsOperatorAccess**. This policy grants users access to CloudWatch investigations actions, and to additional AWS actions that are necessary for accessing investigation events.  | December 3, 2024 | 
|  [AIOpsReadOnlyAccess](#managed-policies-QInvestigations-AIOpsReadOnlyAccess) – New policy  |  CloudWatch created a new policy named **AIOpsReadOnlyAccess**. This policy grants a user read-only permissions for Amazon AI Operations and other related services.  | December 3, 2024 | 
|  [AIOpsAssistantPolicy](#managed-policies-QInvestigations-AIOpsAssistant) – New policy  |  CloudWatch created a new policy named **AIOpsAssistantPolicy**. You don't assign this policy to a user. You assign this policy to the Amazon AI Operations assistant to enable CloudWatch investigations to analyze your AWS resources during the investigation of operational events.  | December 3, 2024 | 
|  [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – Updates to existing policies  |  CloudWatch updated both **CloudWatchFullAccessV2** and **CloudWatchFullAccess**. Permissions for Amazon OpenSearch Service were added to to enable CloudWatch Logs integration with OpenSearch Service for some features.  | December 1, 2024 | 
|  [CloudWatchNetworkFlowMonitorServiceRolePolicy](using-service-linked-roles-network-flow-monitor.md) – New policy  |  CloudWatch added a new policy **CloudWatchNetworkFlowMonitorServiceRolePolicy**. The **CloudWatchNetworkFlowMonitorServiceRolePolicy** grants permissions for Network Flow Monitor to publish metrics to CloudWatch. It also allows the service to use AWS Organizations to get information for multi-account scenarios.  | December 1, 2024 | 
|  [CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](security-iam-awsmanpol-network-flow-monitor.md#security-iam-awsmanpol-CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy) – New policy  |  CloudWatch added a new policy **CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy**. The **CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy** grants permissions for Network Flow Monitor to generate topology snapshots of resources used in your account.  | December 1, 2024 | 
|  [CloudWatchNetworkFlowMonitorAgentPublishPolicy](security-iam-awsmanpol-network-flow-monitor.md#security-iam-awsmanpol-CloudWatchNetworkFlowMonitorAgentPublishPolicy) – New policy  |  CloudWatch added a new policy **CloudWatchNetworkFlowMonitorAgentPublishPolicy**. The **CloudWatchNetworkFlowMonitorAgentPublishPolicy** grants permissions for resources, such as Amazon EC2 and Amazon EKS instances, to send telemetry reports (metrics) to a Network Flow Monitor endpoint.  | December 1, 2024 | 
|  [CloudWatchSyntheticsFullAccess](#managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess) – Update to an existing policy  |  CloudWatch updated the policy named **CloudWatchSyntheticsFullAccess**. The following CloudWatch Logs actions have been added to allow CloudWatch Synthetics to get and use canary log data in Lambda log groups. The `lambda:GetFunction` permission has also been added to allow Synthetics to get information about a specific function. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch.html) Additionally, Lambda layer version actions now apply to all CloudWatch Synthetics layer ARNs.  | November 20, 2024 | 
|  [CloudWatchInternetMonitorReadOnlyAccess](CloudWatch-IM-permissions.md#security-iam-awsmanpol-CloudWatchInternetMonitorReadOnlyAccess) – New **CloudWatchInternetMonitorReadOnlyAccess**. This policy grants read only access to resources and actions available in the CloudWatch console for Internet Monitor. The scope of this policy includes `internetmonitor:` so that users can use read-only Internet Monitor actions and resources. It includes some `cloudwatch:` policies to retrieve information on CloudWatch metrics. It includes some `logs:` policies to manage log queries.   | November 14, 2024 | 
|  [CloudWatchInternetMonitorFullAccess](CloudWatch-IM-permissions.md#security-iam-awsmanpol-CloudWatchInternetMonitorFullAccess) – New policy  |  CloudWatch created a new policy named **CloudWatchInternetMonitorFullAccess**. This policy grants full access to resources and actions available in the CloudWatch console for Internet Monitor. The scope of this policy includes `internetmonitor:` so that users can use Internet Monitor actions and resources. It includes some `cloudwatch:` policies to retrieve information on CloudWatch alarms and metrics. It includes some `logs:` policies to manage log queries. It includes some `ec2:`, `cloudfront:`, `elasticloadbalancing:`, and `workspaces:` policies to work with resources that you add to monitors so that Internet Monitor can create a traffic profile for your application. It contains some `iam:` policies to manage IAM roles.   | October 23, 2024 | 
|  [CloudWatchLambdaApplicationSignalsExecutionRolePolicy](#managed-policies-CloudWatchLambdaApplicationSignalsExecutionRolePolicy) – New **CloudWatchLambdaApplicationSignalsExecutionRolePolicy**. This policy is used when CloudWatch Application Signals is enabled for Lambda workloads. It enables write access to X-Ray and the log group used by CloudWatch Application Signals.  | October 16, 2024 | 
|  [CloudWatchSyntheticsFullAccess](#managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess) – Update to an existing policy  |  CloudWatch updated the policy named **CloudWatchSyntheticsFullAccess**. The `lambda:ListTags`, `lambda:TagResource`, and `lambda:UntagResource` permissions were added so that when you apply or change tags on a canary, you can choose to have Synthetics also apply those same tags or changes to the Lambda function that the canary uses.  | October 11, 2024 | 
|  [CloudWatchApplicationSignalsReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchApplicationSignalsReadOnlyAccess) – New policy  |  CloudWatch created a new policy named **CloudWatchApplicationSignalsReadOnlyAccess**. This policy grants read only access to resources and actions available in the CloudWatch console for Application Signals. The scope of this policy includes `application-signals:` policies so that users can use read only actions and resources available in the CloudWatch console under Application Signals. It contains an `iam:` policy to manage IAM roles. It includes some `logs:` policies to manage log queries and filters. It includes `cloudwatch:` policies to retrieve information on CloudWatch alarms and metrics. It includes some `synthetics:` policies to retrive information about synthetics canaries. It includes `rum:` policies to manage RUM clients and jobs. It contains an `xray:` policy to obtain trace summaries.   | June 7, 2024 | 
|  [CloudWatchApplicationSignalsFullAccess](#managed-policies-cloudwatch-CloudWatchApplicationSignalsFullAccess) – New policy  |  CloudWatch created a new policy named **CloudWatchApplicationSignalsFullAccess**. This policy grants full access to resources and actions available in the CloudWatch console for Application Signals. The scope of this policy includes `application-signals:` so that users can use Application Signals actions and resources. It includes some `cloudwatch:` policies to retrieve information on CloudWatch alarms and metrics. It includes some `logs:` policies to manage log queries. It includes some `synthetics:` policies to write and retrieve information about synthetics canaries. It includes `rum:` policies to manage RUM clients and jobs. It contains an `xray:` policy to obtain trace summaries. It includes some `cloudwatch:` policies to manage CloudWatch alarms. It contains some `iam:` policies to manage IAM roles. It includes some `sns:` policies to manage Amazon Simple Notification Service notifications.  | June 7, 2024 | 
|  [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – Update to an existing policy  |  CloudWatch updated the policy named **CloudWatchFullAccessV2**. The scope of the `CloudWatchFullAccessPermissions` policy was updated to add `application-signals:*` so that users can use CloudWatch Application Signals to view, investigate, and diagnose issues with the health of their services.  | May 20, 2024 | 
|  [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy  |  CloudWatch updated the policy named **CloudWatchReadOnlyAccess**. The scope of the `CloudWatchReadOnlyAccessPermissions` policy was updated to add `application-signals:BatchGet*`, `application-signals:List*`, and `application-signals:Get*` so that users can use CloudWatch Application Signals to view, investigate, and diagnose issues with the health of their services. The scope of `CloudWatchReadOnlyGetRolePermissions` was updated to add the `iam:GetRole` action so that users can check if CloudWatch Application Signals is set up.  | May 20, 2024 | 
|  [CloudWatchApplicationSignalsServiceRolePolicy](using-service-linked-roles.md#service-linked-role-signals) – Update to an existing policy  |  CloudWatch updated the policy named **CloudWatchApplicationSignalsServiceRolePolicy**. The scoping of the `logs:StartQuery` and `logs:GetQueryResults` permissions was changed to add the `arn:aws:logs:*:*:log-group:/aws/appsignals/*:*` and `arn:aws:logs:*:*:log-group:/aws/application-signals/data:*` ARNs to enable Application Signals on more architectures.  | April 18, 2024 | 
|  [CloudWatchApplicationSignalsServiceRolePolicy](using-service-linked-roles.md#service-linked-role-signals) – Update to an existing policy  |  CloudWatch changed the scope of a permission in **CloudWatchApplicationSignalsServiceRolePolicy**. The scope of the `cloudwatch:GetMetricData` permission was changed to `*` so that Application Signals can retrieve metrics from sources in linked accounts.  | April 08, 2024 | 
|  [CloudWatchAgentServerPolicy](#managed-policies-cloudwatch-CloudWatchAgentServerPolicy) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchAgentServerPolicy**. The `xray:PutTraceSegments`, `xray:PutTelemetryRecords`, `xray:GetSamplingRules`, `xray:GetSamplingTargets`, `xray:GetSamplingStatisticSummaries` and `logs:PutRetentionPolicy` permissions were added so that the CloudWatch agent can publish X-Ray traces and modify log group retention periods.  | February 12, 2024 | 
|  [CloudWatchAgentAdminPolicy](#managed-policies-cloudwatch-CloudWatchAgentAdminPolicy) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchAgentAdminPolicy**. The `xray:PutTraceSegments`, `xray:PutTelemetryRecords`, `xray:GetSamplingRules`, `xray:GetSamplingTargets`, `xray:GetSamplingStatisticSummaries` and `logs:PutRetentionPolicy` permissions were added so that the CloudWatch agent can publish X-Ray traces and modify log group retention periods.  | February 12, 2024 | 
|  [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchFullAccessV2**. Existing permissions for CloudWatch Synthetics, X-Ray, and CloudWatch RUM actions and new permissions for CloudWatch Application Signals were added so that users with this policy can manage CloudWatch Application Signals. The permission to create the CloudWatch Application Signals service-linked role was added to allow CloudWatch Application Signals to discover telemetry data in logs, metrics, traces, and tags.  | December 5, 2023 | 
|  [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchReadOnlyAccess**. Existing read-only permissions for CloudWatch Synthetics, X-Ray, and CloudWatch RUM actions and new read-only permissions for CloudWatch Application Signals were added so that users with this policy can triage and dignose their service health issues as reported by CloudWatch Application Signals. The `cloudwatch:GenerateQuery` permission was added so that users with this policy can generate a CloudWatch Metrics Insights query string from a natural language prompt.   | December 5, 2023 | 
|   [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy.   |   CloudWatch added a permission to **CloudWatchReadOnlyAccess**.   The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Metrics Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/query_with_cloudwatch-metrics-insights.html) query string from a natural language prompt.   |   December 01, 2023   | 
|  [CloudWatchApplicationSignalsServiceRolePolicy](using-service-linked-roles.md#service-linked-role-signals) – New policy  |  CloudWatch added a new policy **CloudWatchApplicationSignalsServiceRolePolicy**. The **CloudWatchApplicationSignalsServiceRolePolicy** grants an upcoming feature permissions to collect CloudWatch Logs data, X-Ray trace data, CloudWatch metrics data, and tagging data.  | November 9, 2023 | 
|  [AWSServiceRoleForCloudWatchMetrics\$1DbPerfInsightsServiceRolePolicy](using-service-linked-roles.md#service-linked-role-permissions-dbperfinsights) – New policy  |  CloudWatch added a new policy **AWSServiceRoleForCloudWatchMetrics\$1DbPerfInsightsServiceRolePolicy**. The **AWSServiceRoleForCloudWatchMetrics\$1DbPerfInsightsServiceRolePolicy** grants permission to CloudWatch to fetch Performance Insights metrics from databases on your behalf.  | September 20, 2023 | 
|  [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy  |  CloudWatch added a permission to **CloudWatchReadOnlyAccess**. The `application-autoscaling:DescribeScalingPolicies` permission was added so that users with this policy can access information about Application Auto Scaling policies.  | September 14, 2023 | 
|  [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) – New policy  |  CloudWatch added a new policy **CloudWatchFullAccessV2**. The **CloudWatchFullAccessV2** grants full access to CloudWatch actions and resources while better scoping the permissions granted to other services such as Amazon SNS and Amazon EC2 Auto Scaling. For more information, see [ CloudWatchFullAccessV2](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/managed-policies-cloudwatch-CloudWatchFullAccessV2.html).  | August 1, 2023 | 
|  [AWSServiceRoleForInternetMonitor](using-service-linked-roles-CWIM.md#service-linked-role-permissions-CWIM-AWSServiceRoleForInternetMonitor) – Update to an existing policy  |  Amazon CloudWatch Internet Monitor added new permissions to monitor Network Load Balancer resources. The `elasticloadbalancing:DescribeLoadBalancers` and `ec2:DescribeNetworkInterfaces` permissions are required so that Internet Monitor can monitor customers' Network Load Balancer traffic by analyzing flow logs for NLB resources. For more information, see [Using Internet Monitor](CloudWatch-InternetMonitor.md).  | July 15, 2023 | 
|  [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchReadOnlyAccess**. The `logs:StartLiveTail` and `logs:StopLiveTail` permissions were added so that users with this policy can use the console to start and stop CloudWatch Logs live tail sessions. For more information, see [ Use live tail to view logs in near real time](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_LiveTail.html).  | June 6, 2023 | 
|  [CloudWatchCrossAccountSharingConfiguration](#managed-policies-cloudwatch-CloudWatchCrossAccountSharingConfiguration) – New policy  |  CloudWatch added a new policy to enable you to manage CloudWatch cross-account observability links that share CloudWatch metrics. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).  | November 27, 2022 | 
|  [OAMFullAccess](#managed-policies-cloudwatch-OAMFullAccess) – New policy  |  CloudWatch added a new policy to enable you to fully manage CloudWatch cross-account observability links and sinks. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).  | November 27, 2022 | 
|  [OAMReadOnlyAccess](#managed-policies-cloudwatch-OAMReadOnlyAccess) – New policy  |  CloudWatch added a new policy to enable you to view information about CloudWatch cross-account observability links and sinks. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).  | November 27, 2022 | 
|  [CloudWatchFullAccess](#managed-policies-cloudwatch-CloudWatchFullAccess) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchFullAccess**. The `oam:ListSinks` and `oam:ListAttachedLinks` permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.  | November 27, 2022 | 
|  [CloudWatchReadOnlyAccess](#managed-policies-cloudwatch-CloudWatchReadOnlyAccess) – Update to an existing policy  |  CloudWatch added permissions to **CloudWatchReadOnlyAccess**. The `oam:ListSinks` and `oam:ListAttachedLinks` permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.  | November 27, 2022 | 
|  [AmazonCloudWatchRUMServiceRolePolicy](using-service-linked-roles-RUM.md#service-linked-role-permissions-RUM) – Update to an existing policy  |  CloudWatch RUM updated a condition key in **AmazonCloudWatchRUMServiceRolePolicy**. The `"Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/RUM" } }` condition key was changed to the following so that CloudWatch RUM can send custom metrics to custom metric namespaces. <pre>"Condition": {<br />    "StringLike": {<br />		"cloudwatch:namespace": [<br />			"RUM/CustomMetrics/*",<br />			"AWS/RUM"<br />		]<br />	}<br />}<br />									<br />								</pre>  | February 2, 2023 | 
| [AmazonCloudWatchRUMReadOnlyAccess](#managed-policies-CloudWatchRUMReadOnlyAccess) – Updated policy  |  CloudWatch added permissions the **AmazonCloudWatchRUMReadOnlyAccess** policy. The `rum:ListRumMetricsDestinations` and `rum:BatchGetRumMetricsDefinitions` permissions were added so that CloudWatch RUM can send extended metrics to CloudWatch.  | October 27, 2022 | 
|  [AmazonCloudWatchRUMServiceRolePolicy](using-service-linked-roles-RUM.md#service-linked-role-permissions-RUM) – Update to an existing policy  |  CloudWatch RUM added permissions to **AmazonCloudWatchRUMServiceRolePolicy**. The `cloudwatch:PutMetricData` permission was added so that CloudWatch RUM can send extended metrics to CloudWatch.  | October 26, 2022 | 
|  [CloudWatchSyntheticsFullAccess](#managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess) – Update to an existing policy  |  CloudWatch Synthetics added permissions to **CloudWatchSyntheticsFullAccess**. The `lambda:DeleteFunction` and `lambda:DeleteLayerVersion` permissions were added so that CloudWatch Synthetics can delete related resources when a canary is deleted. The `iam:ListAttachedRolePolicies` was added so that customers can view the policies that are attached to a canary's IAM role.  | May 6, 2022 | 
|  [AmazonCloudWatchRUMFullAccess](#managed-policies-CloudWatchRUMFullAccess) – New policy  |  CloudWatch added a new policy to enable full management of CloudWatch RUM. CloudWatch RUM allows you to perform real user monitoring of your web application. For more information, see [CloudWatch RUM](CloudWatch-RUM.md).  | November 29, 2021 | 
|  [AmazonCloudWatchRUMReadOnlyAccess](#managed-policies-CloudWatchRUMReadOnlyAccess) – New policy  |  CloudWatch added a new policy to enable read-only access to CloudWatch RUM. CloudWatch RUM allows you to perform real user monitoring of your web application. For more information, see [CloudWatch RUM](CloudWatch-RUM.md).  | November 29, 2021 | 
|  [**AWSServiceRoleForCloudWatchRUM**](using-service-linked-roles-RUM.md) – New managed policy  |  CloudWatch added a policy for a new service-linked role to allow CloudWatch RUM to pubish monitoring data to other relevant AWS services.  | November 29, 2021 | 
|  [CloudWatchSyntheticsFullAccess](#managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess) – Update to an existing policy  |  CloudWatch Synthetics added permissions to **CloudWatchSyntheticsFullAccess**, and also changed the scope of one permission. The `kms:ListAliases` permission was added so that users can list available AWS KMS keys that can be used to encrypt canary artifacts. The `kms:DescribeKey` permission was added so that users can see the details of keys that will be used to encrypt for canary artifacts. And the `kms:Decrypt` permission was added to enable users to decrypt canary artifacts. This decryption ability is limited to use on resources within Amazon S3 buckets. The `Resource` scope of the `s3:GetBucketLocation` permission was changed from `*` to `arn:aws:s3:::*`.  | September 29, 2021 | 
|  [CloudWatchSyntheticsFullAccess](#managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess) – Update to an existing policy  |  CloudWatch Synthetics added a permission to **CloudWatchSyntheticsFullAccess**. The `lambda:UpdateFunctionCode` permission was added so that users with this policy can change the runtime version of canaries.  | July 20, 2021 | 
|  [ AWSCloudWatchAlarms\$1ActionSSMIncidentsServiceRolePolicy](#managed-policies-cloudwatch-incident-manager) – New managed policy  |  CloudWatch added a new managed IAM policy to allow CloudWatch to create incidents in AWS Systems Manager Incident Manager.  | May 10, 2021 | 
|  [ CloudWatchAutomaticDashboardsAccess](#managed-policies-cloudwatch-CloudWatch-CloudWatchAutomaticDashboardsAccess) – Update to an existing policy  |  CloudWatch added a permission to the **CloudWatchAutomaticDashboardsAccess** managed policy. The `synthetics:DescribeCanariesLastRun` permission was added to this policy to enable cross-account dashboard users to see details about CloudWatch Synthetics canary runs.  | April 20, 2021 | 
|  CloudWatch started tracking changes  |  CloudWatch started tracking changes for its AWS managed policies.  | April 14, 2021 | 

## CloudWatchFullAccessV2
<a name="managed-policies-cloudwatch-CloudWatchFullAccessV2"></a>

AWS recently added the **CloudWatchFullAccessV2** managed IAM policy. This policy grants full access to CloudWatch actions and resources and also more properly scopes the permissions granted for other services such as Amazon SNS and Amazon EC2 Auto Scaling. We recommend that you begin using this policy instead of using **CloudWatchFullAccess**. AWS plans to deprecate **CloudWatchFullAccess** in the near future.

It includes `application-signals:` permissions so that users can access all the functionality from the CloudWatch console under Application Signals. It includes some `autoscaling:Describe` permissions so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes some `sns` permissions so that users with this policy can retrieve create Amazon SNS topics and associate them with CloudWatch alarms. It includes IAM permissions so that users with this policy can view information about service-linked roles associated with CloudWatch. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals.

It includes Amazon OpenSearch Service permissions to support vended logs dashboards in CloudWatch Logs, which are created with Amazon OpenSearch Service analytics. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account. 

It includes `rum`, `synthetics`, and `xray` permissions so that users can have full access to CloudWatch Synthetics, AWS X-Ray, and CloudWatch RUM, all of which are under the CloudWatch service.

To see the full contents of the policy, see [CloudWatchFullAccessV2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchFullAccessV2.html) in the *AWS Managed Policy Reference Guide*.

## CloudWatchFullAccess
<a name="managed-policies-cloudwatch-CloudWatchFullAccess"></a>

The **CloudWatchFullAccess** policy is on the path to deprecation. We recommend that you stop using it, and use [CloudWatchFullAccessV2](#managed-policies-cloudwatch-CloudWatchFullAccessV2) instead.

## CloudWatchReadOnlyAccess
<a name="managed-policies-cloudwatch-CloudWatchReadOnlyAccess"></a>

 The **CloudWatchReadOnlyAccess** policy grants read-only access to CloudWatch and related observability features. 

 The policy includes some `logs:` permissions, so that users with this policy can use the console to view CloudWatch Logs information and CloudWatch Logs Insights queries. It includes `autoscaling:Describe*`, so that users with this policy can see the Auto Scaling actions that are associated with CloudWatch alarms. It includes the `application-signals:` permissions so that users can use Application Signals to monitor the health of their services. It includes `application-autoscaling:DescribeScalingPolicies`, so that users with this policy can access information about Application Auto Scaling policies. It includes `sns:Get*` and `sns:List*`, so that users with this policy can retrieve information about the Amazon SNS topics that receive notifications about CloudWatch alarms. It includes the `oam:ListSinks` and `oam:ListAttachedLinks` permissions, so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes the `iam:GetRole` permissions so that users can check if CloudWatch Application Signals have been set up. It also includes CloudTrail and Service Quotas permissions to support top observations and change indicators functionality within Application Signals. It includes observability administration permissions for viewing telemetry rules, centralization configurations, and resource telemetry data across AWS Organizations. It includes the `cloudwatch:GenerateQuery` permission, so that users with this policy can generate a [CloudWatch Metrics Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/query_with_cloudwatch-metrics-insights.html) query string from a natural language prompt. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account. 

It includes `rum`, `synthetics`, and `xray` permissions so that users can have read-only access to CloudWatch Synthetics, AWS X-Ray, and CloudWatch RUM, all of which are under the CloudWatch service.

To see the full contents of the policy, see [CloudWatchReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*. 

## CloudWatchActionsEC2Access
<a name="managed-policies-cloudwatch-CloudWatchActionsEC2Access"></a>

The **CloudWatchActionsEC2Access** policy grants read-only access to CloudWatch alarms and metrics in addition to Amazon EC2 metadata. It also grants access to the Stop, Terminate, and Reboot API actions for EC2 instances.

To see the full contents of the policy, see [CloudWatchActionsEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchActionsEC2Access.html) in the *AWS Managed Policy Reference Guide*.

## CloudWatch-CrossAccountAccess
<a name="managed-policies-cloudwatch-CloudWatch-CrossAccountAccess"></a>

The **CloudWatch-CrossAccountAccess** managed policy is used by the **CloudWatch-CrossAccountSharingRole** IAM role. This role and policy enable users of cross-account dashboards to view automatic dashboards in each account that is sharing dashboards.

To see the full contents of the policy, see [CloudWatch-CrossAccountAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatch-CrossAccountAccess.html) in the *AWS Managed Policy Reference Guide*.

## CloudWatchAutomaticDashboardsAccess
<a name="managed-policies-cloudwatch-CloudWatch-CloudWatchAutomaticDashboardsAccess"></a>

The **CloudWatchAutomaticDashboardsAccess** managed policy grants access to CloudWatch for non-CloudWatch APIs, so that resources such as Lambda functions can be displayed on CloudWatch automatic dashboards.

To see the full contents of the policy, see [CloudWatchAutomaticDashboardsAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchAutomaticDashboardsAccess.html) in the *AWS Managed Policy Reference Guide*.

## CloudWatchAgentServerPolicy
<a name="managed-policies-cloudwatch-CloudWatchAgentServerPolicy"></a>

The **CloudWatchAgentServerPolicy** policy can be used in IAM roles that are attached to Amazon EC2 instances to allow the CloudWatch agent to read information from the instance and write it to CloudWatch.

To see the full contents of the policy, see [CloudWatchAgentServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchAgentServerPolicy.html) in the *AWS Managed Policy Reference Guide*.

## CloudWatchAgentAdminPolicy
<a name="managed-policies-cloudwatch-CloudWatchAgentAdminPolicy"></a>

The **CloudWatchAgentAdminPolicy** policy can be used in IAM roles that are attached to Amazon EC2 instances. This policy allows the CloudWatch agent to read information from the instance and write it to CloudWatch, and also to write information to Parameter Store.

To see the full contents of the policy, see [CloudWatchAgentAdminPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchAgentAdminPolicy.html) in the *AWS Managed Policy Reference Guide*.

## CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy
<a name="managed-policies-cloudwatch-CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy"></a>

You can't attach ` CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role named **AWSServiceRoleForNetworkFlowMonitor\$1Topology**. Using these permissions, as well as internal meta data information gathering (for performance efficiencies), this service-linked role gathers meta data about resource network configurations, such as describing route tables and gateways, for resources that this service monitors network traffic for. This meta data enables Network Flow Monitor to generate topology snapshots of the resources. When there is network degradation, Network Flow Monitor uses the topologies to provide insights into the location of issues in the network and to help determine attribution for issues. 

To view the permissions for this policy, see [CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

For more information, see [Service-linked roles for Network Flow Monitor](using-service-linked-roles-network-flow-monitor.md).

**Note**  
You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for CloudWatch actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. 

## AWS managed (predefined) policies for CloudWatch cross-account observability
<a name="managed-policies-cloudwatch-crossaccount"></a>

The policies in this section grant permissions related to CloudWatch cross-account observability. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md). 

### CloudWatchCrossAccountSharingConfiguration
<a name="managed-policies-cloudwatch-CloudWatchCrossAccountSharingConfiguration"></a>

The **CloudWatchCrossAccountSharingConfiguration** policy grants access to create, manage, and view Observability Access Manager links for sharing CloudWatch resources between accounts. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).

To see the full contents of the policy, see [CloudWatchCrossAccountSharingConfiguration](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchCrossAccountSharingConfiguration.html) in the *AWS Managed Policy Reference Guide*.

### OAMFullAccess
<a name="managed-policies-cloudwatch-OAMFullAccess"></a>

The **OAMFullAccess** policy grants access to create, manage, and view Observability Access Manager sinks and links, which are used for CloudWatch cross-account observability. 

The **OAMFullAccess** policy by itself does not permit you to share observability data across links. To create a link to share CloudWatch metrics, you also need either **CloudWatchFullAccess** or **CloudWatchCrossAccountSharingConfiguration**. To create a link to share CloudWatch Logs log groups, you also need either **CloudWatchLogsFullAccess** or **CloudWatchLogsCrossAccountSharingConfiguration**. To create a link to share X-Ray traces, you also need either **AWSXRayFullAccess** or **AWSXRayCrossAccountSharingConfiguration**.

For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).

To see the full contents of the policy, see [OAMFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/OAMFullAccess.html) in the *AWS Managed Policy Reference Guide*.

### OAMReadOnlyAccess
<a name="managed-policies-cloudwatch-OAMReadOnlyAccess"></a>

The **OAMReadOnlyAccess** policy grants read-only access to Observability Access Manager resources, which are used for CloudWatch cross-account observability. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).

To see the full contents of the policy, see [OAMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/OAMReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed (predefined) policies for CloudWatch investigations
<a name="managed-policies-cloudwatch-QInvestigations"></a>

The policies in this section grant permissions related to CloudWatch investigations. For more information, see [CloudWatch investigations](Investigations.md). 

### AIOpsConsoleAdminPolicy
<a name="managed-policies-QInvestigations-AIOpsConsoleAdminPolicy"></a>

The **AIOpsConsoleAdminPolicy** policy grants full access to all CloudWatch investigations actions and their required permissions via the AWS console. This policy also grants limited access to other service's APIs required for CloudWatch investigations functionality.
+ The `aiops` permissions grant access to all CloudWatch investigations actions.
+ The `organizations`, `sso`, `identitystore`, and `sts` permissions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. 
+ The `ssm` permissions are required for SSM Ops Item integration with third-party issue management.
+ The `iam` permissions are needed so that administrators can pass IAM roles to the `aiops` and `ssm.integrations` services, and the role is later used by the assistant to analyze AWS resources
**Important**  
These permissions allow users with this policy to pass any IAM role to the `aiops` and `ssm.integrations` services.
+ It allows APIs from services outside CloudWatch investigations, which are required for investigation feature functionality. These include actions to configure Amazon Q Developer in chat applications, AWS KMS, CloudTrail trails, and SSM third-party issue management.
+ The `q` permissions enable integration with Amazon Q, allowing users to interact with and update CloudWatch investigations reports through Amazon Q's conversational interface.

To see the full contents of the policy, see [AIOpsConsoleAdminPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsConsoleAdminPolicy.html) in the *AWS Managed Policy Reference Guide*.

### AIOpsOperatorAccess
<a name="managed-policies-QInvestigations-AIOpsOperatorAccess"></a>

The **AIOpsOperatorAccess** policy grants access to a limited set of CloudWatch investigations APIs which include creating, updating, and deleting investigations, investigation events, and investigation resources.

This policy only provides access to investigations. You should be sure that IAM principals with this policy also have permissions to read CloudWatch observability data such as metrics, SLOs, and CloudWatch Logs query results.
+ The `aiops` permissions allow access to CloudWatch investigations APIs to create, update, and delete investigations. 
+ The `sso-directory`, `sso`, `identitystore`, and `sts` permissions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. 
+ The `ssm` permissions are required for SSM Ops Item integration with third-party issue management.
+ The `q` permissions enable integration with Amazon Q, allowing users to interact with and update CloudWatch investigations reports through Amazon Q's conversational interface.

To see the full contents of the policy, see [AIOpsOperatorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsOperatorAccess.html) in the *AWS Managed Policy Reference Guide*.

### AIOpsReadOnlyAccess
<a name="managed-policies-QInvestigations-AIOpsReadOnlyAccess"></a>

The **AIOpsReadOnlyAccess** policy grants read-only permissions for CloudWatch investigations and other related services.
+ The `aiops` permissions allow access to CloudWatch investigations APIs to get, list, and validate investigation groups. 
+ The `sso` permissions allow actions needed for IAM Identity Center management which facilitate identity-aware sessions. 
+ The `ssm` permissions are required for SSM Ops Item integration with third-party issue management.

To see the full contents of the policy, see [AIOpsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

### AIOpsAssistantPolicy
<a name="managed-policies-QInvestigations-AIOpsAssistant"></a>

The **AIOpsAssistantPolicy** policy is the default policy recommended by AWS to assign to the Amazon AI Operations (AIOps) role used by your investigation group to enable it to analyze your AWS resources during investigations of operational events. This policy is not intended for use by human users.

You can choose to have the policy assigned automatically when you create an investigation, or you can assign the policy manually to the role being used by the investigation. This policy is scoped based on the resources that CloudWatch investigations analyzes when performing investigations, and will be updated as more resources are supported. For a complete list of services that work with CloudWatch investigations see, [AWS services where investigations are supported](Investigations-Services.md).

You can also choose to assign the general AWS [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html) to the assistant in addition to assigning it **AIOpsAssistantPolicy**. The reason to do this is that **ReadOnlyAccess** will be updated more frequently by AWS with permissions for new AWS services and actions that are released. The **AIOpsAssistantPolicy** will also be updated for new actions, but not as frequently.

To see the full contents of the policy, see [AIOpsAssistantPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsAssistantPolicy.html) in the *AWS Managed Policy Reference Guide*.

### AIOpsAssistantIncidentReportPolicy
<a name="managed-policies-QInvestigations-AIOpsAssistantIncidentReportPolicy"></a>

The **AIOpsAssistantIncidentReportPolicy** policy grants permissions required by CloudWatch investigations to generate incident reports from investigation data.

This policy is intended for use by CloudWatch investigations to enable automated incident report generation from investigation findings.
+ The `aiops` permissions allow access to CloudWatch investigations APIs to read investigation data and events, create and update incident reports, and manage AI-derived facts that form the foundation of report generation.

To see the full contents of the policy, see [AIOpsAssistantIncidentReportPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AIOpsAssistantIncidentReportPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed (predefined) policies for CloudWatch Application Signals
<a name="managed-policies-cloudwatch-ApplicationSignals"></a>

The policies in this section grant permissions related to CloudWatch Application Signals. For more information, see [Application Signals](CloudWatch-Application-Monitoring-Sections.md). 

### CloudWatchApplicationSignalsReadOnlyAccess
<a name="managed-policies-cloudwatch-CloudWatchApplicationSignalsReadOnlyAccess"></a>

AWS has added the **CloudWatchApplicationSignalsReadOnlyAccess** managed IAM policy. This policy grants read only access to actions and resources available to users in the CloudWatch console under Application Signals. It includes `application-signals:` policies so that users can use CloudWatch Application signals to view, investigate and monitor the health of their services. It includes an `iam:GetRole` policy to allow users to retrieve information about an IAM role. It includes `logs:` policies to start and stop queries, retrieve the configuration for a metruc filter, and obtain query results. It includes `cloudwatch:` policies so that users can obtain information about a CloudWatch alarm or metrics. It includes `synthetics:` policies so that users can retrieve information about synthetics canary runs. It includes `rum:` policies to run batch operations, retrieve data, and update metrics definitions for RUM clients. It includes an `xray:` policy to retrieve trace summaries. It includes `oam:` policies so that users can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account. 

To see the full contents of the policy, see [CloudWatchApplicationSignalsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatchApplicationSignalsFullAccess
<a name="managed-policies-cloudwatch-CloudWatchApplicationSignalsFullAccess"></a>

AWS has added the **CloudWatchApplicationSignalsFullAccess** managed IAM policy. This policy grants access to all actions and resources available to users in the CloudWatch console. It includes `application-signals:` policies so that users can use CloudWatch Application signals to view, investigate and monitor the health of their services. It uses `cloudwatch:` policies to retrieve data from metrics and alarms. It uses `logs:` policies to manage queries and filters. It uses `synthetics:` policies so that users can retrieve information about synthetics canary runs. It includes `rum:` policies to run batch operations, retrieve data and update metrics definitions for RUM clients. It includes an `xray:` policy to retrieve trace summaries. It includes `arn:aws:cloudwatch:*:*:alarm:` policies so that users can retrieve information about a service level objective (SLO) alarm. It includes `iam:` policies to manage IAM roles. It uses `sns:` policies to create, list, and subscribe to an Amazon SNS topic. It includes `oam:` policies so that users can use the console to view data shared from source accounts in CloudWatch cross-account observability. It includes `resource-explorer-2:` policies so that users can use the console to view unstrumented services in their account

To see the full contents of the policy, see [CloudWatchApplicationSignalsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsFullAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatchLambdaApplicationSignalsExecutionRolePolicy
<a name="managed-policies-CloudWatchLambdaApplicationSignalsExecutionRolePolicy"></a>

This policy is used when CloudWatch Application Signals is enabled for Lambda workloads. It enables write access to X-Ray and the log group used by CloudWatch Application Signals.

To see the full contents of the policy, see [CloudWatchLambdaApplicationSignalsExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLambdaApplicationSignalsExecutionRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed (predefined) policies for CloudWatch Synthetics
<a name="managed-policies-cloudwatch-canaries"></a>

The **CloudWatchSyntheticsFullAccess** and **CloudWatchSyntheticsReadOnlyAccess** AWS managed policies are available for you to assign to users who will manage or use CloudWatch Synthetics. The following additional policies are also relevant:
+ **AmazonS3ReadOnlyAccess** and **CloudWatchReadOnlyAccess** – These are necessary to read all Synthetics data in the CloudWatch console.
+ **AWSLambdaReadOnlyAccess** – Required to view the source code used by canaries.
+ **CloudWatchSyntheticsFullAccess** – Allows you to create canaries. Additionally, to create and delete canaries that have a new IAM role created for them, you need specific inline policy permissions.
**Important**  
Granting a user the `iam:CreateRole`, `iam:DeleteRole`, `iam:CreatePolicy`, `iam:DeletePolicy`, `iam:AttachRolePolicy`, and `iam:DetachRolePolicy` permissions gives that user full administrative access to create, attach, and delete roles and policies that have ARNs that match `arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*` and `arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*`. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role that matches that ARN pattern. Be careful to whom you grant these permissions.

  For information about attaching policies and granting permissions to users, see [Changing Permissions for an IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) and [To embed an inline policy for a user or role](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#embed-inline-policy-console).

### CloudWatchSyntheticsFullAccess
<a name="managed-policies-cloudwatch-CloudWatchSyntheticsFullAccess"></a>

To see the full contents of the policy, see [CloudWatchSyntheticsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchSyntheticsFullAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatchSyntheticsReadOnlyAccess
<a name="managed-policies-cloudwatch-CloudWatchSyntheticsReadOnlyAccess"></a>

To see the full contents of the policy, see [CloudWatchSyntheticsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchSyntheticsReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed (predefined) policies for Amazon CloudWatch RUM
<a name="managed-policies-cloudwatch-RUM"></a>

The **AmazonCloudWatchRUMFullAccess** and **AmazonCloudWatchRUMReadOnlyAccess** AWS managed policies are available for you to assign to users who will manage or use CloudWatch RUM.

### AmazonCloudWatchRUMFullAccess
<a name="managed-policies-CloudWatchRUMFullAccess"></a>

To see the full contents of the policy, see [AmazonCloudWatchRUMFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonCloudWatchRUMFullAccess.html) in the *AWS Managed Policy Reference Guide*.

### AmazonCloudWatchRUMReadOnlyAccess
<a name="managed-policies-CloudWatchRUMReadOnlyAccess"></a>

The **AmazonCloudWatchRUMReadOnlyAccess** allows read-only administrative access to CloudWatch RUM.
+ The `synthetics` permission allows displaying associated Synthetics Canaries to the RUM app monitor
+ The `cloudwatch` permission allows displaying associated CloudWatch metrics to the RUM app monitor
+ The `cloudwatch alarms` permission allows displaying associated CloudWatch alarms to the RUM app monitor 
+ The `cloudwatch logs` permission allows displaying associated CloudWatch logs to the RUM app monitor 
+ The `x-ray` permission allows displaying associated X-Ray Trace segments to the RUM app monitor 
+ The `rum` permission allows displaying associated tags to the RUM app monitor 

To see the full contents of the policy, see [AmazonCloudWatchRUMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonCloudWatchRUMReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

### AmazonCloudWatchRUMServiceRolePolicy
<a name="managed-policies-AmazonCloudWatchRUMServiceRolePolicy"></a>

You can't attach **AmazonCloudWatchRUMServiceRolePolicy** to your IAM entities. This policy is attached to a service-linked role that allows CloudWatch RUM to publish monitoring data to other relevant AWS services. For more information about this service linked role, see [Using service-linked roles for CloudWatch RUM](using-service-linked-roles-RUM.md).

To see the full contents of the policy, see [AmazonCloudWatchRUMServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonCloudWatchRUMServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy for AWS Systems Manager Incident Manager
<a name="managed-policies-cloudwatch-incident-manager"></a>

The **AWSCloudWatchAlarms\$1ActionSSMIncidentsServiceRolePolicy** policy is attached to a service-linked role that allows CloudWatch to start incidents in AWS Systems Manager Incident Manager on your behalf. For more information, see [Service-linked role permissions for CloudWatch alarms Systems Manager Incident Manager actions](using-service-linked-roles.md#service-linked-role-permissions-incident-manager).

The policy has the following permission:
+ ssm-incidents:StartIncident