Can I restrict CloudWatch Actions based on Resource or Condition?

CloudWatch does not have any resource-level permissions. To quote the AWS docs:

CloudWatch doesn't have any specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions.

Source: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

So it's not possible to create a policy that restricts the data to metrics from certain resources (VPCs, etc.).

"Conditions" don't usually apply to the data or the resource being requested (i.e. your metrics). Instead, the "Condition" applies to the origin of the request, such as the VPC or IP address.


According to AWS doco, condition keys can be used to limit access to CloudWatch namespaces. https://docs.amazonaws.cn/en_us/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html

Actually, I raised a ticket to AWS about restricting access to CloudWatch metrics and got confirmation that it works for PutMetricData but not for GetMetricData.
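Putting the two comments above together, here is an added example (not from any of the posters) of an IAM policy that uses the cloudwatch:namespace condition key to restrict PutMetricData to a single namespace; the namespace ExampleApp/Payments is a constructed placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOnlyToOneNamespace",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "ExampleApp/Payments"
        }
      }
    },
    {
      "Sid": "ReadIsAllOrNothing",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
```

Resource stays "*" because CloudWatch metrics have no ARNs, as the quoted docs say; the read statement carries no namespace condition because, per the comment above, that condition is not honoured for GetMetricData, so read access to metrics is effectively all or nothing.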