When you set up IAM users and groups, you can stipulate which permissions the account has for API calls. The access keys you use when you set up the adapter instance must have certain permissions enabled.
For each supported AWS service, the ReadOnlyAccess permission is sufficient to collect metrics. Use it to create an IAM policy covering all supported services and their related services.
To use resource groups tagging API operations, see Resource Groups Tagging API Reference and Services that support the Resource Groups Tagging API.
Log in to the AWS console and create a JSON policy document similar to the following to grant the privileges the service needs:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:List*",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "sns:Get*",
        "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
Service | Required | Permissions |
---|---|---|
CloudWatch | Yes. | For the list of permissions, see the CloudWatch Read Only Access JSON. |
EC2 | describeRegions is required. describeInstances and describeVolumes are only required if you subscribe to the EC2 service. | For more information, see the EC2 Read Only Access JSON. |
ELB (Elastic Load Balancing) | Required if subscribing to the ELB service. | For the list of permissions, see the Elastic Load Balancing Read Only Access JSON. |
EMR | Required if subscribing to the EMR service. | describe*. The full EMR policy statement is shown after this table. |
RDS | Required if subscribing to the RDS service. | For the list of permissions, see the RDS Read Only Access JSON. |
ElastiCache | Required if subscribing to the ElastiCache service. | For the list of permissions, see the ElastiCache Read Only Access JSON. |
SQS | Required if subscribing to the SQS service. | For the list of permissions, see the SQS Read Only Access JSON. |
Elastic Container Registry | | For the list of permissions, see the Elastic Container Read Only Access JSON. |
Elastic Container Service | | list* |
Lambda | | For the list of permissions, see the Lambda Read Only Access JSON and refer to the AWS Lambda policy. |
DynamoDB | | For the list of permissions, see the DynamoDB Read Only Access JSON. |
DAX | | describe*, list* |
Redshift | | For the list of permissions, see the Redshift Read Only Access JSON. |
Virtual Private Cloud | | For the list of permissions, see the VPC Read Only Access JSON. |
CloudFront Distribution | | For the list of permissions, see the CloudFront Distribution Read Only Access JSON. |
Direct Connect | | For the list of permissions, see the Direct Connect Read Only Access JSON. |
VPN Connection | | describe* |
VPC NAT Gateway | | describe* |
Elastic IP | | describe* |
CloudFormation Stack | | For the list of permissions, see the CloudFormation Read Only Access JSON. |
S3 | | For the list of permissions, see the S3 Read Only Access JSON. |
Workspaces | | describe* |
Hosted Zone | | list* |
Health Checks | | list* |
Neptune DB | | For the list of permissions, see the Neptune Read Only Access JSON. |
Personalize | | list*, describe* |
SageMaker | | For the list of permissions, see the SageMaker Read Only Access JSON. |
FSx | | For the list of permissions, see the FSx Read Only Access JSON. |
Global Accelerator | | For the list of permissions, see the Global Accelerator Read Only Access JSON. |
API Gateway | | get* |
Elastic Inference | | describe* |
Glue | | get* |
DocumentDB | | For the list of permissions, see the DocumentDB Read Only Access JSON. |
QLDB | | For the list of permissions, see the QLDB Read Only Access JSON. |
Aurora DB | | For the list of permissions, see the RDS Read Only Access JSON. |

The EMR policy statement referenced in the table:

```json
{
  "Effect": "Allow",
  "Action": [
    "elasticmapreduce:Describe*",
    "elasticmapreduce:List*",
    "elasticmapreduce:ViewEventsFromAllClustersInConsole",
    "s3:GetObject",
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "sdb:Select",
    "cloudwatch:GetMetricStatistics"
  ],
  "Resource": "*"
}
```
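As an added example (not part of this documentation or of the adapter's own code), the following Python assembles an IAM policy document from a per-service action map of the kind laid out in the table above and then checks that every `Allow` action uses a read-only verb. The point is to catch the case where a hand-edited collector policy is accidentally widened (a stray `s3:*` or an `iam:PassRole` pasted in from another policy) before it is attached to the adapter's access keys. The read-only verb list, the helper names, and the sample service map are assumptions for illustration; the CloudWatch statement is the one shown earlier on this page.

```python
import json

# Verb prefixes this collector is expected to use, taken from the style of the
# page's per-service permissions (describe*/get*/list* plus the few named
# read-only CloudWatch Logs / EMR actions). Assumed list, not an AWS constant.
READ_ONLY_VERBS = (
    "Describe", "Get", "List", "View", "Select",
    "TestMetricFilter", "FilterLogEvents",
)

# The CloudWatch / CloudWatch Logs / SNS statement from this page, embedded so
# the check can run offline.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
                "logs:Get*", "logs:List*", "logs:Describe*",
                "logs:TestMetricFilter", "logs:FilterLogEvents",
                "sns:Get*", "sns:List*",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}


def build_policy(service_actions):
    """Build a single-statement Allow policy from {service_prefix: [actions]}.

    Actions are sorted so the document is stable across runs (easy to diff
    in version control). Resource is "*" because the page's own policies use it.
    """
    actions = sorted(
        f"{svc}:{act}" for svc, acts in service_actions.items() for act in acts
    )
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def non_read_only_actions(policy):
    """Return every Allow action that is not restricted to a read-only verb.

    Flags bare "*", "service:*", and any verb outside READ_ONLY_VERBS.
    An empty list means the policy only grants read-style calls.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action" may be a single string
            actions = [actions]
        for action in actions:
            if ":" not in action:             # bare "*" grants every API call
                flagged.append(action)
                continue
            _service, verb = action.split(":", 1)
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


def policy_json(policy):
    """Serialize a policy the way it would be pasted into the console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed subset of the table: EC2 core calls plus SQS read access.
    collector = build_policy({
        "ec2": ["DescribeRegions", "DescribeInstances", "DescribeVolumes"],
        "sqs": ["Get*", "List*"],
    })
    print(policy_json(collector))
    print("over-broad actions:", non_read_only_actions(collector))
    print("over-broad in page example:", non_read_only_actions(EXAMPLE_POLICY))
```

Run the check against the assembled document before attaching it; anything returned by `non_read_only_actions` is a grant the collector does not need and should be removed or justified.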