When you set up IAM users and groups, you can stipulate which permissions the account has for API calls. The keys you use when you set up the adapter instance must have certain permissions enabled.

For each supported AWS service, the ReadOnlyAccess permission is enough to collect metrics. Use the permission to create an IAM policy for all supported services and their related services.

Log in to the AWS console and create a JSON policy similar to the following to get the list of privileges for the service:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "sns:Get*",
                "sns:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Table 1. IAM Permissions

| Service | Required Permissions |
|---|---|
| Cloudwatch | Yes. For the list of permissions, see Cloud Watch Read Only Access json. |
| EC2 | describeRegions is required. describeInstances and describeVolumes are only required if you subscribe to the EC2 service. For more information, see EC2 Read Only Access json. |
| ELB (Elastic Load Balancing) | Required if subscribing to the ELB service. For the list of permissions, see Elastic Load Balancing Read Only Access json. |
| EMR | Required if subscribing to the EMR service. describe*. See the EMR policy statement after this table. |
| RDS | Required if subscribing to RDS service. For the list of permissions, see RDS Read Only Access json. |
| ElasticCache | Required if subscribing to ElasticCache service. For the list of permissions, see Elastic Cache Read Only Access json. |
| SQS | Required if subscribing to SQS service. For the list of permissions, see SQS Read Only Access json. |
| Elastic Container Registry | For the list of permissions, see Elastic Container Read Only Access json. |
| Elastic Container Service | list* |
| Lambda | For the list of permissions, see Lambda Read Only Access json and refer to the AWS Lambda policy. |
| DynamoDB | For the list of permissions, see Dynamo DB Read Only Access json. |
| DAX | describe*, list* |
| Redshift | For the list of permissions, see Redshift Read Only Access json. |
| Virtual Private Cloud | For the list of permissions, see VPC Read Only Access json. |
| Cloud Front Distribution | For the list of permissions, see Cloud Front Distribution Read Only Access json. |
| Direct Connect | For the list of permissions, see Direct Connect Read Only Access json. |
| VPN Connection | describe* |
| VPC NAT Gateway | describe* |
| Elastic IP | describe* |
| CloudformationStack | For the list of permissions, see Cloud Formation Read Only Access json. |
| S3 | For the list of permissions, see S3 Read Only Access json. |
| Workspaces | describe* |
| Hosted Zone | list* |
| Health Checks | list* |

EMR policy statement:

{
    "Effect": "Allow",
    "Action": [
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sdb:Select",
        "cloudwatch:GetMetricStatistics"
    ],
    "Resource": "*"
}
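
Before attaching a policy to the adapter's IAM user, it helps to confirm that every allowed action is read-only. The following check is an added example, not part of the original page or the product: it sorts the actions of a policy document into those starting with Describe, Get or List and those that need manual review. The function name and the sample policy (with two deliberately over-broad actions) are constructed for illustration.

```python
import json

READ_VERBS = ("describe", "get", "list")  # verb prefixes used by the page's policies

# Constructed sample: read-only actions from the page plus two over-broad ones.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "logs:FilterLogEvents",
                 "sns:List*", "ec2:TerminateInstances", "s3:*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
"""

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]

def review_policy(policy_text):
    """Return (read_only, needs_review) action lists for all Allow statements."""
    policy = json.loads(policy_text)
    read_only, needs_review = [], []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant write access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            needs_review.append("NotAction")
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            # IAM action names are case-insensitive, so compare in lower case.
            if service != "*" and verb.lower().startswith(READ_VERBS):
                read_only.append(action)
            else:
                needs_review.append(action)
    return read_only, needs_review

if __name__ == "__main__":
    ok, review = review_policy(SAMPLE_POLICY)
    print("read-only by prefix:", ok)
    print("review before attaching:", review)
```

Actions such as logs:FilterLogEvents or sdb:Select land in the review list because they do not match a read prefix, not because they modify anything; a read-prefixed action such as s3:GetObject still exposes object contents, so the output is a triage aid rather than a verdict.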