AWS Automation & Scripts Permissions


Below are the IAM permissions needed by each of the AWS custom integration scripts that we offer. Each section lists the required permissions, followed by an example least-privilege policy in JSON.

AWS CloudWatch Metrics

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueries",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS Billing Metrics

Required IAM Permissions:

  • ce:GetCostAndUsage

Example Policy JSON (least privilege):


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCostExplorerQueries",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage"
      ],
      "Resource": "*"
    }
  ]
}

AWS EBS Metrics

Required IAM Permissions:

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchEBSMetricsQueries",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS EC2 Metrics

Required IAM Permissions (EC2 + attached EBS via CloudWatch):

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueriesForEC2AndEBS",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS EC2 Volumes

Required IAM Permissions:

  • ec2:DescribeVolumes

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeVolumesForAttachedEBS",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used by the script.

AWS RDS Metrics

Required IAM Permissions (RDS via CloudWatch):

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueriesForRDS",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used by the script.

AWS RDS Instance Info

Required IAM Permissions (RDS describe):

  • rds:DescribeDBInstances

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeDBInstances",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used by the script.
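
A pre-attachment check for the policies above, as an added example that is not part of the vendor's scripts: it flags an unreplaced ADD_REGION placeholder (a condition that matches no real region, so the statement allows nothing), a missing region condition, and any action beyond the four this page lists. The names lint_policy, PAGE_ACTIONS and SAMPLE are hypothetical, and the sample policy is constructed from the EC2 Volumes example.

```python
import json
import re

# Actions the policies on this page grant; anything else is outside their scope.
PAGE_ACTIONS = {"cloudwatch:GetMetricData", "ce:GetCostAndUsage",
                "ec2:DescribeVolumes", "rds:DescribeDBInstances"}
# The page's Billing Metrics policy is the only one without a region condition.
NO_REGION_CONDITION = {"ce:GetCostAndUsage"}
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")  # shape check only, e.g. eu-west-1
# Constructed sample: the EC2 Volumes policy with the placeholder left in.
SAMPLE = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowDescribeVolumesForAttachedEBS", "Effect": "Allow",
  "Action": ["ec2:DescribeVolumes"], "Resource": "*",
  "Condition": {"StringEquals": {"aws:RequestedRegion": "ADD_REGION"}}}]}"""


def as_list(value):
    """IAM accepts either a string or a list for Action and condition values."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_json):
    """Return a list of findings for one policy document (empty list = clean)."""
    findings = []
    stmts = json.loads(policy_json)["Statement"]
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        actions = as_list(stmt.get("Action", "<missing>"))
        for action in actions:
            if "*" in action or action not in PAGE_ACTIONS:
                findings.append(f"{sid}: action {action} is not one this page lists")
        if set(actions) <= NO_REGION_CONDITION:
            continue  # billing policy: no region condition expected
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        regions = as_list(cond.get("aws:RequestedRegion", []))
        if not regions:
            findings.append(f"{sid}: no aws:RequestedRegion condition")
        for region in regions:
            if region == "ADD_REGION":
                findings.append(f"{sid}: ADD_REGION placeholder not replaced")
            elif not REGION_RE.match(region):
                findings.append(f"{sid}: {region!r} does not look like a region name")
    return findings


if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```

Run it over each policy file before attaching it to the role or user the scripts authenticate as; an empty list means the document matches the scope shown on this page.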
