View a markdown version of this page

Actions, resources, and condition keys for Amazon CloudWatch Application Signals - Service Authorization Reference

Actions, resources, and condition keys for Amazon CloudWatch Application Signals

Amazon CloudWatch Application Signals (service prefix: application-signals) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon CloudWatch Application Signals

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

BatchDeleteInstrumentationConfigurations

application-signals:BatchDeleteInstrumentationConfigurations

Write

BatchGetServiceLevelObjectiveBudgetReport

application-signals:BatchGetServiceLevelObjectiveBudgetReport

Read

BatchUpdateExclusionWindows

application-signals:BatchUpdateExclusionWindows

Write

CreateInstrumentationConfiguration

application-signals:CreateInstrumentationConfiguration

Write

CreateServiceLevelObjective

application-signals:CreateServiceLevelObjective

Write

application-signals:TagResource

Tagging, Write

DeleteGroupingConfiguration

application-signals:DeleteGroupingConfiguration

Write

DeleteInstrumentationConfiguration

application-signals:DeleteInstrumentationConfiguration

Write

DeleteServiceLevelObjective

application-signals:DeleteServiceLevelObjective

Write

GetInstrumentationConfiguration

application-signals:GetInstrumentationConfiguration

Read

GetInstrumentationConfigurationStatus

application-signals:GetInstrumentationConfigurationStatus

Read

GetService

application-signals:GetService

Read

GetServiceLevelObjective

application-signals:GetServiceLevelObjective

Read

ListAuditFindings

application-signals:GetServiceLevelObjective

Read

application-signals:ListAuditFindings

List

application-signals:ListServiceLevelObjectives

List

ListEntityEvents

application-signals:ListEntityEvents

List

ListGroupingAttributeDefinitions

application-signals:ListGroupingAttributeDefinitions

List

ListInstrumentationConfigurations

application-signals:ListInstrumentationConfigurations

List

ListServiceDependencies

application-signals:ListServiceDependencies

Read

ListServiceDependents

application-signals:ListServiceDependents

Read

ListServiceLevelObjectiveExclusionWindows

application-signals:ListServiceLevelObjectiveExclusionWindows

List

ListServiceLevelObjectives

application-signals:ListServiceLevelObjectives

List

ListServiceOperations

application-signals:ListServiceOperations

Read

ListServiceStates

application-signals:ListServiceStates

List

ListServices

application-signals:ListServices

List

ListTagsForResource

application-signals:ListTagsForResource

Read

PutGroupingConfiguration

application-signals:PutGroupingConfiguration

Write

ReportInstrumentationConfigurationStatus

application-signals:ReportInstrumentationConfigurationStatus

Write

StartDiscovery

application-signals:StartDiscovery

Write

TagResource

application-signals:TagResource

Tagging, Write

UntagResource

application-signals:UntagResource

Tagging, Write

UpdateServiceLevelObjective

application-signals:UpdateServiceLevelObjective

Write

Actions defined by Amazon CloudWatch Application Signals

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

BatchDeleteInstrumentationConfigurations

Grants permission to batch delete instrumentation configurations

instrumentationConfig*

aws:ResourceTag/${TagKey}

Write

BatchGetServiceLevelObjectiveBudgetReport

Grants permission to batch retrieve a service level objective budget report

slo*

aws:ResourceTag/${TagKey}

Read

BatchUpdateExclusionWindows

Grants permission to add or remove exclusion windows from Amazon CloudWatch SLOs

slo*

aws:ResourceTag/${TagKey}

Write

CreateInstrumentationConfiguration

Grants permission to create an instrumentation configuration for dynamic instrumentation

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateServiceLevelObjective

Grants permission to create a service level objective

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteGroupingConfiguration

Grants permission to delete a grouping configuration

Write

DeleteInstrumentationConfiguration

Grants permission to delete an instrumentation configuration

instrumentationConfig*

aws:ResourceTag/${TagKey}

Write

DeleteServiceLevelObjective

Grants permission to delete a service level objective

slo*

aws:ResourceTag/${TagKey}

Write

GetInstrumentationConfiguration

Grants permission to retrieve an instrumentation configuration

instrumentationConfig*

aws:ResourceTag/${TagKey}

Read

GetInstrumentationConfigurationStatus

Grants permission to retrieve the status history of an instrumentation configuration

instrumentationConfig*

aws:ResourceTag/${TagKey}

Read

GetService

Grants permission to retrieve information about a service

Read

GetServiceLevelObjective

Grants permission to retrieve information about service level objective

slo*

aws:ResourceTag/${TagKey}

Read

ListAuditFindings

Grants permission to list service auditing results

List

ListEntityEvents

Grants permission to list events for an entity

List

ListGroupingAttributeDefinitions

Grants permission to list grouping attribute configurations

List

ListInstrumentationConfigurations

Grants permission to list instrumentation configurations

List

ListObservedEntities

Grants permission to list entities associated with other entities

List

ListServiceDependencies

Grants permission to list service dependencies

Read

ListServiceDependents

Grants permission to list service dependents

Read

ListServiceLevelObjectiveExclusionWindows

Grants permission to list exclusion windows for an Amazon CloudWatch SLO

slo*

aws:ResourceTag/${TagKey}

List

ListServiceLevelObjectives

Grants permission to list service level objectives

List

ListServiceOperations

Grants permission to list service operations

Read

ListServiceStates

Grants permission to list service states

List

ListServices

Grants permission to list services

List

ListTagsForResource

Grants permission to list tags for an Amazon CloudWatch Application Signals resource

instrumentationConfig

aws:ResourceTag/${TagKey}

Read

slo

aws:ResourceTag/${TagKey}

PutGroupingConfiguration

Grants permission to create or update a grouping configuration

Write

ReportInstrumentationConfigurationStatus

Grants permission to report the status of instrumentation configurations

instrumentationConfig*

aws:ResourceTag/${TagKey}

Write

StartDiscovery

Grants permission to enable CloudWatch discovery

Write

TagResource

Grants permission to add tags to an Amazon CloudWatch Application Signals resource

instrumentationConfig

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

slo

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove tags from an Amazon CloudWatch Application Signals resource

instrumentationConfig

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

slo

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateServiceLevelObjective

Grants permission to update a service level objective

slo*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon CloudWatch Application Signals

The following actions are defined by Amazon CloudWatch Application Signals but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

Link

Grants permission to share Application Signals resources with a monitoring account

Write

Resource types defined by Amazon CloudWatch Application Signals

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

instrumentationConfig

arn:${Partition}:application-signals:${Region}:${Account}:instrumentationConfig/${Service}/${Environment}/${SignalType}/${LocationHash}

aws:ResourceTag/${TagKey}

slo

arn:${Partition}:application-signals:${Region}:${Account}:slo/${SloName}

aws:ResourceTag/${TagKey}

Condition keys for Amazon CloudWatch Application Signals

Amazon CloudWatch Application Signals defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the allowed set of values for each of the tags

String

aws:ResourceTag/${TagKey}

Filters access by tag-value associated with the resource

String

aws:TagKeys

Filters access by the presence of mandatory tags in the request

ArrayOfString