Below are the permissions required by the AWS custom integration scripts that we offer. Each section lists the required permissions, followed by a JSON example of a least-privilege policy that grants them.
AWS CloudWatch Metrics

Required IAM Permissions:
- cloudwatch:GetMetricData
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueries",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}
Replace ADD_REGION with the region used in the script.
AWS Billing Metrics

Required IAM Permissions:
- ce:GetCostAndUsage
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCostExplorerQueries",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage"
      ],
      "Resource": "*"
    }
  ]
}
AWS EBS Metrics

Required IAM Permissions:
- cloudwatch:GetMetricData
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchEBSMetricsQueries",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}
Replace ADD_REGION with the region used in the script.
AWS EC2 Metrics

Required IAM Permissions (EC2 + attached EBS via CloudWatch):
- cloudwatch:GetMetricData
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueriesForEC2AndEBS",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}
Replace ADD_REGION with the region used in the script.
AWS EC2 Volumes

Required IAM Permissions:
- ec2:DescribeVolumes
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeVolumesForAttachedEBS",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}
Replace ADD_REGION to match the script’s region.
AWS RDS Metrics

Required IAM Permissions (RDS via CloudWatch):
- cloudwatch:GetMetricData
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueriesForRDS",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}
Replace ADD_REGION with the region used by the script.
AWS RDS Instance Info

Required IAM Permissions (RDS describe):
- rds:DescribeDBInstances
Example Policy JSON (least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeDBInstances",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}
Replace ADD_REGION with the region used by the script.
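
A pre-deployment check for the policies above, as an added example that is not part of the integration scripts: it flags an unreplaced ADD_REGION placeholder, a missing region condition, and any action beyond the four this page lists. The function names and the sample policy are constructed for illustration.

```python
import json
import re

# Actions the page lists across its integration scripts.
EXPECTED_ACTIONS = {"cloudwatch:GetMetricData", "ce:GetCostAndUsage",
                    "ec2:DescribeVolumes", "rds:DescribeDBInstances"}
# The page's billing policy has no region condition, so ce: actions are exempt.
REGION_EXEMPT = ("ce:",)
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")  # e.g. eu-west-1

def as_list(value):
    """IAM allows a single string or a list for Action and condition values."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Return findings for one policy document; an empty list means it passed."""
    findings = []
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action not listed")
        actions = as_list(stmt.get("Action"))
        for action in actions:
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in EXPECTED_ACTIONS:
                findings.append(f"{sid}: unexpected action {action}")
        if actions and all(a.startswith(REGION_EXEMPT) for a in actions):
            continue
        # Assumption: the condition is written exactly as on the page
        # (StringEquals + aws:RequestedRegion); other operators are not parsed.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        regions = as_list(cond.get("aws:RequestedRegion"))
        if not regions:
            findings.append(f"{sid}: no aws:RequestedRegion condition")
        for region in regions:
            if not REGION_RE.match(region):
                findings.append(f"{sid}: {region!r} is not a region name")
    return findings

# Constructed sample: placeholder left in, plus an action the page never lists.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowDescribeVolumesForAttachedEBS", "Effect": "Allow",
  "Action": ["ec2:DescribeVolumes", "ec2:Describe*"], "Resource": "*",
  "Condition": {"StringEquals": {"aws:RequestedRegion": "ADD_REGION"}}}]}""")
```

Calling `audit_policy(SAMPLE)` returns one finding for the wildcard action and one for the placeholder; a policy copied from this page with a real region name returns an empty list.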