IAM Policies do not seem to exist
Is the policy syntax using cloudwatch:PutMetricData correct? I don’t see this policy in the list of AWS IAM policies in the Console. Shouldn’t the service prefix be logs: instead of cloudwatch:?
I am talking about this question and its answer:
An organization has a web application hosted in a fleet of EC2 instances that publishes custom metrics to Amazon CloudWatch. After a few days, the IT Operations team noticed that the metrics are no longer sent to CloudWatch. The Security Administrator noticed that there has been a recent change in the IAM policy that is used by the application. The issue must be fixed immediately without compromising security.
Which of the following is the LEAST permissive solution that the Administrator should grant in this scenario?
Answer -> Add cloudwatch:putMetricData permission in the IAM Policy. I don’t see this policy in the list of AWS IAM policies in the Console.
Hello Alak,
Thank you for posting. You’re right to double-check the IAM action, but in this case, cloudwatch:PutMetricData is the correct permission to use, not logs:. The confusion likely comes from the fact that Amazon CloudWatch includes metrics and logs, which use different prefixes—cloudwatch: for metrics and logs: for logs. Since the EC2 instances publish custom metrics, the correct service is CloudWatch Metrics, and the appropriate permission is cloudwatch:PutMetricData. This action allows the application to send metric data to CloudWatch, which is required for that functionality to work.
Additionally, cloudwatch:PutMetricData is a valid IAM action and does appear in the IAM policy editor in the AWS Console. It can be added to a custom policy or included in some broader managed policies.
Let me know if you need more assistance.
Regards,
Nikee @ Tutorials Dojo
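To make the prefix distinction concrete, here is an added example (not part of the thread and not Tutorials Dojo's code). It holds the least-permissive policy the answer describes, a logs:-only policy of the kind the original poster was reaching for, and a small action matcher that mirrors how IAM compares action names (case-insensitive, wildcards, explicit Deny wins) so you can see which policy actually grants cloudwatch:PutMetricData. The namespace value "WebApp/Custom" is a constructed placeholder; the matcher ignores Resource and Condition and only evaluates the Action clause.

```python
import fnmatch
import json

# Least-privilege policy for the scenario in the thread: the application only
# needs to publish custom metrics. PutMetricData does not support resource-level
# permissions, so Resource must be "*"; the cloudwatch:namespace condition key
# narrows the grant to the application's own metric namespace.
# "WebApp/Custom" is a constructed placeholder, not a value from the thread.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublishCustomMetrics",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"cloudwatch:namespace": "WebApp/Custom"}
            },
        }
    ],
}

# A policy that looks related but targets the wrong service: the logs: prefix
# is CloudWatch Logs, which does not cover publishing metrics.
LOGS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement: dict, action: str) -> bool:
    """True if the statement's Action (or NotAction) clause applies to `action`."""
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def policy_allows(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation for one action: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the default is deny.
    Resource and Condition are deliberately ignored; this checks actions only."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: dict, required: list) -> list:
    """Actions from `required` that the policy does not allow."""
    return [a for a in required if not policy_allows(policy, a)]


if __name__ == "__main__":
    required = ["cloudwatch:PutMetricData"]
    print("logs-only policy is missing:", missing_actions(LOGS_ONLY_POLICY, required))
    print("least-privilege policy is missing:", missing_actions(LEAST_PRIVILEGE_POLICY, required))
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
```

Running it shows the logs:-only policy leaves cloudwatch:PutMetricData unsatisfied while the single-action policy covers it, including when the action is written as putMetricData, since IAM matching is case-insensitive. The cloudwatch:namespace condition is the piece that keeps the fix from drifting toward cloudwatch:* or an over-broad managed policy.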