Which permissions/policies for IAM role to be used with CloudWatch monitoring script
The Amazon CloudWatch Monitoring Scripts for Linux are comprised of two Perl scripts, both using one Perl module - a short peek into the source reveals the following AWS API actions being used:

- CloudWatchClient.pm: DescribeTags
- mon-get-instance-stats.pl: GetMetricStatistics, ListMetrics
- mon-put-instance-data.pl: PutMetricData
With this information you can assemble your IAM policy, e.g. via the AWS policy generator - an all encompassing policy would be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Of course you can drop cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics when just using mon-put-instance-data.pl - please note that I haven't actually tested the code though.
The above policy gives an error asking for a version.
The following should work:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426849513000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "cloudwatch:SetAlarmState"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
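To check either of the policies above against what the two scripts actually call, here is an added least-privilege audit helper (example code, not from either answer or from the monitoring scripts). It takes the per-script action list from the first answer as ground truth, reports needed actions the policy lacks and grants beyond that need (including wildcards), and builds the minimal policy for the scripts you run; the sample policy is the second answer's, embedded as constructed input.

```python
import json
from fnmatch import fnmatchcase

# Actions each script calls, per the source listing in the first answer.
# CloudWatchClient.pm (ec2:DescribeTags) is loaded by both scripts.
SCRIPT_ACTIONS = {
    "mon-put-instance-data.pl": {"cloudwatch:PutMetricData", "ec2:DescribeTags"},
    "mon-get-instance-stats.pl": {"cloudwatch:GetMetricStatistics",
                                  "cloudwatch:ListMetrics", "ec2:DescribeTags"},
}

def required_actions(scripts):
    """Union of the actions needed by the given scripts."""
    needed = set()
    for script in scripts:
        needed |= SCRIPT_ACTIONS[script]
    return needed

def allowed_actions(policy):
    """Actions (or action patterns) granted by the policy's Allow statements."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def audit_policy(policy, scripts):
    """Return (missing, excess): needed actions no grant covers, and grants
    that are wildcards or cover nothing the scripts need."""
    needed = required_actions(scripts)
    needed_lc = {a.lower() for a in needed}
    granted = allowed_actions(policy)
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    missing = {n for n in needed
               if not any(fnmatchcase(n.lower(), g.lower()) for g in granted)}
    excess = {g for g in granted
              if "*" in g or "?" in g or g.lower() not in needed_lc}
    return missing, excess

def minimal_policy(scripts):
    """Least-privilege policy document for the given scripts."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(required_actions(scripts)),
                           "Resource": "*"}]}

# Constructed sample input: the policy from the second answer.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
               "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData",
               "cloudwatch:SetAlarmState"], "Resource": ["*"]}]}

if __name__ == "__main__":
    missing, excess = audit_policy(SAMPLE_POLICY, ["mon-put-instance-data.pl"])
    print("missing:", sorted(missing), "excess:", sorted(excess))
    print(json.dumps(minimal_policy(["mon-put-instance-data.pl"]), indent=2))
```

Run against the second answer's policy for mon-put-instance-data.pl alone, it flags ec2:DescribeTags as missing and the two alarm actions plus the read-only metric actions as excess.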