When you set up IAM users and groups, you specify which API calls the account is permitted to make. The access keys you use when you set up the adapter instance must have the required permissions enabled.

For each supported AWS service, the ReadOnlyAccess permission is enough to collect metrics. Use it to create an IAM policy that covers all supported services and their related services.

To use the Resource Groups Tagging API operations, see the Resource Groups Tagging API Reference and Services that support the Resource Groups Tagging API.

Log in to the AWS console and create an IAM policy similar to the following JSON, which grants the list of privileges the service needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "sns:Get*",
                "sns:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
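As an added example that is not part of this documentation, the following Python script checks a candidate policy document before you attach it to the adapter's user: it confirms the JSON parses, that Version and Effect match the policies on this page, and that every action uses a read-only verb, so a stray write action or a bare wildcard is caught before the key is provisioned. The read-only verb allow-list and both sample policies are constructed for the example.

```python
import json

# Action-name prefixes that cover the read-only operations used on this page
# (Describe*, Get*, List*, View..., Select, TestMetricFilter, FilterLogEvents).
# This allow-list is an assumption made for the example, not an AWS construct.
READ_ONLY_VERBS = ("Describe", "Get", "List", "View", "Select", "Test", "Filter")


def read_only_violations(policy_json):
    """Return a list of problems found in an IAM policy document; [] means clean."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        # A missing comma or quote is reported here, before the policy reaches IAM.
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            problems.append(f"unexpected Effect {stmt.get('Effect')!r}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM also accepts a single action string
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if service == "*" or name in ("", "*"):
                problems.append(f"wildcard action {action}")
            elif not name.startswith(READ_ONLY_VERBS):
                problems.append(f"non-read-only action {action}")
    return problems


# Constructed sample in the shape of the CloudWatch/logs/SNS policy above.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["cloudwatch:Get*", "logs:FilterLogEvents", "sns:List*"]}]})

# Constructed sample with a comma missing between two actions (invalid JSON).
BROKEN_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["elasticmapreduce:Describe*", "elasticmapreduce:List*"
             "s3:GetObject"], "Resource": "*"}]}"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(label, read_only_violations(doc) or "ok")
```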
Table 1. IAM Permissions

Service | Required permissions
CloudWatch | Yes. For the list of permissions, see CloudWatch Read Only Access json.
EC2 | describeRegions is required. describeInstances and describeVolumes are only required if you subscribe to the EC2 service. For more information, see EC2 Read Only Access json.
ELB (Elastic Load Balancing) | Required if subscribing to the ELB service. For the list of permissions, see Elastic Load Balancing Read Only Access json.
ELB V2 | Required for the application load balancer service. Use the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups"
            ],
            "Resource": "*"
        }
    ]
}

EMR | Required if subscribing to the EMR service (describe*). Use the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "elasticmapreduce:ViewEventsFromAllClustersInConsole",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "sdb:Select",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}

RDS | Required if subscribing to the RDS service. For the list of permissions, see RDS Read Only Access json.
ElastiCache | Required if subscribing to the ElastiCache service. For the list of permissions, see ElastiCache Read Only Access json.
SQS | Required if subscribing to the SQS service. For the list of permissions, see SQS Read Only Access json.
Elastic Container Registry | For the list of permissions, see Elastic Container Read Only Access json.
Elastic Container Service | list*
Lambda | For the list of permissions, see Lambda Read Only Access json and refer to the AWS Lambda policy.
DynamoDB | For the list of permissions, see DynamoDB Read Only Access json.
DAX | describe*, list*
Redshift | For the list of permissions, see Redshift Read Only Access json.
Virtual Private Cloud | For the list of permissions, see VPC Read Only Access json.
CloudFront Distribution | For the list of permissions, see CloudFront Distribution Read Only Access json.
Direct Connect | For the list of permissions, see Direct Connect Read Only Access json.
VPN Connection | describe*
VPC NAT Gateway | describe*
Elastic IP | describe*
CloudFormation Stack | For the list of permissions, see CloudFormation Read Only Access json.
S3 | For the list of permissions, see S3 Read Only Access json.
Workspaces | describe*
Hosted Zone | list*
Health Checks | list*
Neptune DB | For the list of permissions, see Neptune Read Only Access.
Personalize | list*, describe*
SageMaker | For the list of permissions, see SageMaker Read Only.
FSx | For the list of permissions, see FSx Read Only Access.
Global Accelerator | For the list of permissions, see Global Accelerator Read Only Access.
APIGateway | get*
Elastic Inference | describe*
Glue | get*
DocumentDB | For the list of permissions, see DocDB Read Only Access.
QLDB | For the list of permissions, see QLDB Read Only.
Aurora DB | For the list of permissions, see RDS Read Only Access.
Storage Gateway | Required if subscribing to the Storage Gateway service: listGateways, describeGatewayInformation, listFileShares, describeSMBFileShares, describeNFSFileShares, listVolumes