Posted On: Jun 10, 2019

You can now create tags in CloudWatch alarms that let you define policy controls for your Amazon Web Services resources. This enables you to specify fine grained permissions, improving security for monitoring resources and cost allocation. 

You can add tags to CloudWatch alarms to create groups of resources and categorize them by purpose, owner, or environment. You can also view of your resources organized by common tags. And finally, you can define IAM policies in your Amazon Web Services account that when attached to a resource, grants or denies access based on a tag. For example, you can create a PROD tag for your alarms in production environment, and attach an IAM policy so that only specific users can delete your alarms in that environment. For cost management, you can allocate and track costs by tagging groups of resources, get detailed billing reports across your groups, as well as define IAM permissions on these tagged groups. 

Resource level policies for CloudWatch alarms is now available at no extra cost in Amazon Web Services China (Beijing) Region and Amazon Web Services China (Ningxia) Region. You can learn more about how to create tags on your resources and use them to define permissions using the CloudWatch CLI and SDK.