13

With the CloudWatch monitoring script (mon-put-instance-data.pl) it's possible to specify an IAM role name to provide AWS credentials (--aws-iam-role=VALUE).

I'm creating an IAM role for this purpose (to run mon-put-instance-data.pl on an AWS instance), but which permissions / policies should I give to this role?

Thank you for your help

Céline Aussourd

3 Answers

23

The Amazon CloudWatch Monitoring Scripts for Linux consist of two Perl scripts, both using one Perl module; a short peek into the source reveals the following AWS API actions being used:

With this information you can assemble your IAM policy, e.g. via the AWS policy generator; an all-encompassing policy would be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Of course you can drop cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics when just using mon-put-instance-data.pl; please note that I haven't actually tested the code though.

Steffen Opel
  • These actions match the actions listed in the documentation at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html#mon-scripts-getstarted – htaccess Jul 02 '17 at 22:53
2

The above policy gives an error asking for the version.

The following should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1426849513000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:PutMetricData",
                "cloudwatch:SetAlarmState"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

BE77Y
2

There's an Amazon-provided IAM policy for CloudWatch, CloudWatchFullAccess. No need to build your own.

jorfus
    Thanks for your answer. I didn't want to give full access to CloudWatch though... I don't want to give the DeleteAlarms permission, for example. – Céline Aussourd Jun 11 '15 at 08:40
  • For dynatrace service this is perfect! – holms Aug 20 '18 at 13:48
  • IMHO, for almost any 'monitoring' use-case, this is too much access. Your monitoring script doesn't need to (say) create or delete metrics or dashboards. The policy adds some fairly safe looking non-cloudwatch permissions, but then adds all of these too: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-reference-cw.html. At a rough guess, `CloudWatchReadOnlyAccess` would be a safe 'first try', but even that may be overly generous. – Ralph Bolton Nov 29 '18 at 14:06
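The first answer lists the actions the scripts call, and the third answer (with the comments under it) argues over whether a broad managed policy is acceptable. The following Python is an added example, not code from any of the answers or from AWS: it builds the least-privilege policy for mon-put-instance-data.pl from that action list, carries the trust policy an EC2 instance role needs, and audits candidate policies with a simplified IAM action matcher (wildcards, case-insensitivity, explicit Deny overriding Allow). The function names, the CloudWatchFullAccess stand-in (assumed only to grant cloudwatch:*; the real managed policy is not reproduced) and the extra DeleteDashboards action are this example's own assumptions.

```python
import fnmatch
import json

# Actions the two monitoring scripts call, taken from the first answer above:
# mon-put-instance-data.pl publishes metrics and reads instance tags, and
# mon-get-instance-stats.pl additionally needs the two read actions.
PUT_SCRIPT_ACTIONS = frozenset({"cloudwatch:PutMetricData", "ec2:DescribeTags"})
GET_SCRIPT_ACTIONS = frozenset({"cloudwatch:GetMetricStatistics",
                                "cloudwatch:ListMetrics"})

# Actions a metric-publishing agent has no business holding. DeleteAlarms is
# the one the asker named; DeleteDashboards is a second real CloudWatch action
# added here for illustration.
DESTRUCTIVE_ACTIONS = frozenset({"cloudwatch:DeleteAlarms",
                                 "cloudwatch:DeleteDashboards"})

# Trust policy the instance role needs so EC2 can assume it on the instance's
# behalf. This is the standard EC2 service principal, not text from the page.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def minimal_policy(actions):
    """Build the smallest Allow policy that covers exactly `actions`.

    Resource stays "*" on the assumption that PutMetricData and DescribeTags
    accept no resource-level restriction; check the IAM service authorization
    reference before relying on that.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Simplified IAM evaluation for one action on Resource "*".

    An explicit Deny wins over any Allow, otherwise any matching Allow grants.
    Action patterns use the IAM wildcards * and ? and match case-insensitively.
    NotAction, Resource and Condition are ignored, which is adequate for
    actions that only ever take Resource "*".
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit(policy, required, forbidden):
    """Return (missing, unwanted): required actions the policy does not grant,
    and forbidden actions it grants anyway. Both lists empty means the policy
    is neither too weak nor, with respect to `forbidden`, too broad."""
    missing = sorted(a for a in required if not is_allowed(policy, a))
    unwanted = sorted(a for a in forbidden if is_allowed(policy, a))
    return missing, unwanted


# Policies to compare. The first reproduces the "all encompassing" policy from
# the first answer; the third is a stand-in for CloudWatchFullAccess (assumed
# only to grant cloudwatch:*, which is what the asker objected to).
BOTH_SCRIPTS_POLICY = minimal_policy(PUT_SCRIPT_ACTIONS | GET_SCRIPT_ACTIONS)
PUT_ONLY_POLICY = minimal_policy(PUT_SCRIPT_ACTIONS)
FULL_ACCESS_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudwatch:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(PUT_ONLY_POLICY, indent=2))
    for name, policy in [("both scripts", BOTH_SCRIPTS_POLICY),
                         ("put only", PUT_ONLY_POLICY),
                         ("cloudwatch:* stand-in", FULL_ACCESS_STANDIN)]:
        missing, unwanted = audit(policy, PUT_SCRIPT_ACTIONS, DESTRUCTIVE_ACTIONS)
        print(f"{name}: missing={missing} unwanted={unwanted}")
```

Attach `minimal_policy(PUT_SCRIPT_ACTIONS)` as the role's inline policy and `EC2_TRUST_POLICY` as its trust relationship, then put the role in an instance profile for the instance running the script. The audit is deliberately coarse: it reasons about actions only, so it cannot tell you whether a Condition (for instance restricting the metric namespace) would tighten the policy further; treat that as something to verify against the IAM documentation rather than something this example proves.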