Posted On: Dec 18, 2017

Today, Amazon CloudWatch added support for using Service-Linked Roles to set up CloudWatch Alarms with EC2 actions. A service-linked role is a unique type of IAM role that is linked directly to CloudWatch. Service-linked roles are predefined by CloudWatch and include all the permissions that the service requires to call other AWS services on your behalf.

The service-linked role in CloudWatch makes it easier to set up CloudWatch alarms that can terminate, stop, or reboot Amazon EC2 instances, because you don't have to manually add the necessary permissions. CloudWatch uses the service-linked role named AWSServiceRoleForCloudWatchEvents to perform EC2 alarm actions. The AWSServiceRoleForCloudWatchEvents service-linked role trusts the CloudWatch Events service to assume the role and allows it to invoke the terminate, stop, or reboot instance actions when called upon by the alarm. You can delete the role only after first deleting its related resources. This protects your CloudWatch resources because you can't inadvertently remove the permission to access them.

To start using the service-linked role with CloudWatch Alarms, new permissions are required when calling the PutMetricAlarm API. If your IAM users or roles use the CloudWatchFullAccess managed policy, no action is required on your end. If you have custom IAM policies attached to your users or roles, add the following statement to your policy:

    {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "arn:aws:iam::*:role/aws-service-role/*",
        "Condition": {
            "StringLike": {
                "iam:AWSServiceName": ""
            }
        }
    }
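
As an added example (not AWS's code), the following Python script audits a custom IAM policy document for the permission described above and appends the statement when it is missing. It assumes that the service name behind AWSServiceRoleForCloudWatchEvents is events.amazonaws.com, the CloudWatch Events service principal, which the announcement leaves blank; the sample policy it checks is constructed for illustration and stands in for a customer's own custom policy.

```python
"""Audit a custom IAM policy for the iam:CreateServiceLinkedRole grant that
CloudWatch Alarms need for EC2 alarm actions, and add it when absent.

Added example, not AWS code. The service principal events.amazonaws.com is
an assumption (the announcement leaves the condition value blank).
"""
import copy
import fnmatch
import json

# Assumed service principal of CloudWatch Events, the service that the
# AWSServiceRoleForCloudWatchEvents role is created for.
CW_EVENTS_SERVICE = "events.amazonaws.com"
SLR_RESOURCE = "arn:aws:iam::*:role/aws-service-role/*"

# Constructed sample ARN of the role, used only to test resource patterns.
SAMPLE_SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
                  "events.amazonaws.com/AWSServiceRoleForCloudWatchEvents")

# The statement the announcement asks custom policies to include.
REQUIRED_STATEMENT = {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": SLR_RESOURCE,
    "Condition": {"StringLike": {"iam:AWSServiceName": CW_EVENTS_SERVICE}},
}


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_allows(cond, service):
    """Conservative check of the Condition block: only StringLike/StringEquals
    on iam:AWSServiceName are understood; any other condition is treated as
    not proven to allow the service (so the audit errs toward 'missing')."""
    if not cond:
        return True  # no condition: broader than needed, but it does grant it
    for op, kv in cond.items():
        for key, patterns in kv.items():
            if key.lower() != "iam:awsservicename":
                return False
            pats = [p.lower() for p in _as_list(patterns)]
            if op == "StringEquals":
                return service in pats
            if op == "StringLike":
                return any(fnmatch.fnmatchcase(service, p) for p in pats)
            return False
    return False


def statement_grants_slr(stmt, service=CW_EVENTS_SERVICE):
    """True if this single Allow statement permits creating the service-linked
    role for `service` under the aws-service-role path."""
    if stmt.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive and may use * and ? wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if not any(fnmatch.fnmatchcase("iam:createservicelinkedrole", a) for a in actions):
        return False
    resources = _as_list(stmt.get("Resource"))
    if not any(fnmatch.fnmatchcase(SAMPLE_SLR_ARN, r) for r in resources):
        return False
    return _condition_allows(stmt.get("Condition"), service)


def policy_grants_slr(policy, service=CW_EVENTS_SERVICE):
    """True if any statement in the policy grants the permission."""
    return any(statement_grants_slr(s, service) for s in _as_list(policy.get("Statement")))


def ensure_slr_permission(policy, service=CW_EVENTS_SERVICE):
    """Return (policy_copy, changed): the statement is appended only if missing."""
    fixed = copy.deepcopy(policy)
    if policy_grants_slr(fixed, service):
        return fixed, False
    stmts = _as_list(fixed.get("Statement"))
    stmts.append(copy.deepcopy(REQUIRED_STATEMENT))
    fixed["Statement"] = stmts
    return fixed, True


# Constructed sample: a custom policy that allows PutMetricAlarm and EC2
# stop/reboot actions but has no iam:CreateServiceLinkedRole grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarms"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    fixed_policy, added = ensure_slr_permission(SAMPLE_POLICY)
    print("statement added" if added else "permission already present")
    print(json.dumps(fixed_policy, indent=2))
```

The condition check is deliberately conservative: a statement whose Condition block uses an operator or key the script does not understand is reported as not granting the permission, so the audit never claims a grant it cannot verify. A blanket `iam:*` on `*` is recognised as sufficient, which is exactly the kind of over-broad grant a reviewer would want to replace with the scoped statement above.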

To learn more about using EC2 alarm actions in CloudWatch Alarms, please visit here. To learn more about the service-linked role used by CloudWatch Alarms, please visit here. To learn more about creating your CloudWatch Alarms through the PutMetricAlarm API, please visit here.