Configuring IAM Permissions

When you set up IAM users and groups, you can stipulate which permissions the account has for API calls. The keys you use when you set up the adapter instance must have certain permissions activated.
For each supported AWS service, the ReadOnlyAccess permission is enough to collect metrics. Use the permission to create an IAM policy for all supported services and their related services.
Log in to the AWS console and create a JSON policy similar to the following to get the list of privileges for the service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:List*",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "sns:Get*",
        "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
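Before attaching a policy like the one above to the adapter's keys, it helps to confirm that every allowed action really is read-only. The following Python script is an added example, not part of the original page or the product: it lists the Allow entries that are wildcards or whose verb does not start with Describe, Get or List. The names `READ_ONLY_VERBS`, `PAGE_POLICY` and `audit_policy`, and the choice of those three verb prefixes, are assumptions of this example.

```python
import json

# Verbs this example treats as read-only; anything else is flagged for review (assumption).
READ_ONLY_VERBS = ("describe", "get", "list")

# The policy from this page, embedded so the example runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
  "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
  "logs:Get*", "logs:List*", "logs:Describe*", "logs:TestMetricFilter",
  "logs:FilterLogEvents", "sns:Get*", "sns:List*"]}]}
""")


def _listify(value):
    """IAM accepts a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return sorted (action, reason) pairs for Allow entries that need manual review."""
    findings = set()
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.add(("NotAction", "allows every action except those listed"))
        for action in _listify(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if service == "*" or verb == "*":
                findings.add((action, "wildcard also grants write actions"))
            elif not verb.lower().startswith(READ_ONLY_VERBS):  # action names are case-insensitive
                findings.add((action, "verb is not Describe/Get/List; confirm it is read-only"))
    return sorted(findings)


if __name__ == "__main__":
    for action, reason in audit_policy(PAGE_POLICY):
        print(f"{action}: {reason}")
```

For the policy on this page the script reports `logs:FilterLogEvents` and `logs:TestMetricFilter`, the two entries whose names do not follow the Describe/Get/List pattern and so need checking by hand.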

IAM Permissions

Cloudwatch
  Required: Yes.
  Permissions: For the list of permissions, see Cloud Watch Read Only Access json.

EC2
  Required: describeRegions is required. describeInstances and describeVolumes are only required if you subscribe to the EC2 service.
  Permissions: For more information, see EC2 Read Only Access json.

ELB (Elastic Load Balancing)
  Required: Required if subscribing to the ELB service.
  Permissions: For the list of permissions, see Elastic Load Balancing Read Only Access json.

ELB V2
  Required: Required for application load balancer service.
  Permissions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:DescribeTargetGroups"
        ],
        "Resource": "*"
      }
    ]
  }

EMR
  Required: Required if subscribing to the EMR service.
  Permissions: describe*
  {
    "Effect": "Allow",
    "Action": [
      "elasticmapreduce:Describe*",
      "elasticmapreduce:List*",
      "elasticmapreduce:ViewEventsFromAllClustersInConsole",
      "s3:GetObject",
      "s3:ListAllMyBuckets",
      "s3:ListBucket",
      "sdb:Select",
      "cloudwatch:GetMetricStatistics"
    ],
    "Resource": "*"
  }

RDS
  Required: Required if subscribing to RDS service.
  Permissions: For the list of permissions, see RDS Read Only Access json.

ElasticCache
  Required: Required if subscribing to ElasticCache service.
  Permissions: For the list of permissions, see Elastic Cache Read Only Access json.

SQS
  Required: Required if subscribing to SQS service.
  Permissions: For the list of permissions, see SQS Read Only Access json.

Elastic Container Registry
  Permissions: For the list of permissions, see Elastic Container Read Only Access json.

Elastic Container Service
  Permissions: list*

Lambda
  Permissions: For the list of permissions, see Lambda Read Only Access json and refer to the AWS Lambda policy.

DynamoDB
  Permissions: For the list of permissions, see Dynamo DB Read Only Access json.

DAX
  Permissions:
    describe*
    list*

Redshift
  Permissions: For the list of permissions, see Redshift Read Only Access json.

Virtual Private Cloud
  Permissions: For the list of permissions, see VPC Read Only Access json.

Cloud Front Distribution
  Permissions: For the list of permissions, see Cloud Front Distribution Read Only Access json.

Direct Connect
  Permissions: For the list of permissions, see Direct Connect Read Only Access json.

VPN Connection
  Permissions: describe*

VPC NAT Gateway
  Permissions: describe*

Elastic IP
  Permissions: describe*

CloudformationStack
  Permissions: For the list of permissions, see Cloud Formation Read Only Access json.

S3
  Permissions: For the list of permissions, see S3 Read Only Access json.

Workspaces
  Permissions: describe*

Hosted Zone
  Permissions: list*

Health Checks
  Permissions: list*

Neptune DB
  Permissions: For the list of permissions, see Neptune Read Only Access

Personalize
  Permissions:
    list*
    describe*

Sagemaker
  Permissions: For the list of permissions, see SageMaker Read Only

Fsx
  Permissions: For the list of permissions, see FSx Read Only Access

Global Accelerator
  Permissions: For the list of permissions, see Global Accelerator Read Only Access

APIGateway
  Permissions: get*

Elastic Inference
  Permissions: describe*

Glue
  Permissions: get*

DocumentDB
  Permissions: For the list of permissions, see Doc DB Read Only Access

QLDB
  Permissions: For the list of permissions, see QLDB Read Only

Aurora DB
  Permissions: For the list of permissions, see RDS Read Only Access

Storage Gateway
  Required: Required if subscribing to the storage gateway service.
  Permissions:
    listGateways
    describeGatewayInformation
    listFileShares
    describeSMBFileShares
    describeNFSFileShares
    listVolumes