You can now use resource level policies for Amazon CloudWatch Alarms

Posted on: Apr 1, 2019

You can now create tags on CloudWatch alarms that let you define policy controls for your AWS resources. This enables you to specify fine-grained permissions, improving security for monitoring resources and cost allocation.


You can add tags to CloudWatch alarms to create groups of resources and categorize them by purpose, owner, or environment. You can also view your resources organized by common tags. Finally, you can define IAM policies in your AWS account that, when attached to a resource, grant or deny access based on a tag. For example, you can create a PROD tag for your alarms in the production environment and attach an IAM policy so that only specific users can delete your alarms in that environment. For cost management, you can allocate and track costs by tagging groups of resources, get detailed billing reports across your groups, and define IAM permissions on these tagged groups.
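The PROD example above, written as an IAM policy. This is an added example, not part of the original announcement. It assumes the alarms are tagged with the key `Environment` and the value `PROD`, both chosen here for illustration. Attach it to the users or groups that must not delete production alarms; the second statement stops them from changing or removing the tag to get around the first.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteOfProdTaggedAlarms",
      "Effect": "Deny",
      "Action": "cloudwatch:DeleteAlarms",
      "Resource": "arn:aws:cloudwatch:*:*:alarm:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "PROD"
        }
      }
    },
    {
      "Sid": "DenyRetaggingOfProdTaggedAlarms",
      "Effect": "Deny",
      "Action": [
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource"
      ],
      "Resource": "arn:aws:cloudwatch:*:*:alarm:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "PROD"
        }
      }
    }
  ]
}
```

Because an explicit deny overrides any allow, users carrying this policy cannot delete or retag PROD alarms even if another policy grants `cloudwatch:*`.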


Resource-level policies for CloudWatch alarms are now available at no extra cost in all AWS public regions, including AWS GovCloud. You can learn more about how to create tags on your resources and use them to define permissions using the CloudWatch CLI and SDK.