Amazon CloudWatch RUM introduces resource-based policy support for data ingestion access
CloudWatch RUM, which provides real-time monitoring into web application performance by tracking user interactions, now supports resource based policies that simplify access for data ingestion to RUM. With resource-based policies, you can specify which Identity and Access Management (IAM) principals have access to ingest data to your RUM app monitors— effectively which clients can write data to RUM. This would also allow you to ingest data at higher volume and gives you greater control over data ingress in RUM.
Using resource based policies allows you to manage ingestion access to your app monitor without using Amazon Cognito to assume an IAM role, and AWS Security Token Service (STS) to obtain security credentials to write data to CloudWatch RUM. This is beneficial for high throughput use cases where a high volume of requests may be subject to Cognito’s quota limits leading to throttling and potentially failure in ingesting data to RUM. With a public resource policy, no such limits apply. Anyone can send data to CloudWatch RUM including unauthenticated users and clients. In addition, you can use AWS Global context keys to use these policies to block certain IPs or disable clients sending data to RUM. You can configure these policies on the AWS console or via code using AWS CloudFormation.
These enhancements are available in all regions where CloudWatch RUM is available at no additional cost to users.
See documentation to know more about the feature, or see user guide to learn how to configure resource based policies for CloudWatch RUM.