AWS Automation & Scripts Permissions


Below are the permissions required by the AWS custom integration scripts that we offer. Each section lists the required IAM permissions, followed by a JSON example of a least-privilege policy that grants them.

AWS CloudWatch Metrics

Required IAM Permissions:

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueries",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS Billing Metrics

Required IAM Permissions:

  • ce:GetCostAndUsage

Example Policy JSON (least privilege):


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCostExplorerQueries",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage"
      ],
      "Resource": "*"
    }
  ]
}

AWS EBS Metrics

Required IAM Permissions:

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchEBSMetricsQueries",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS EC2 Metrics

Required IAM Permissions (EC2 + attached EBS via CloudWatch):

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueriesForEC2AndEBS",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS EC2 Volumes

Required IAM Permissions:

  • ec2:DescribeVolumes

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeVolumesForAttachedEBS",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used in the script.

AWS RDS Metrics

Required IAM Permissions (RDS via CloudWatch):

  • cloudwatch:GetMetricData

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchMetricQueriesForRDS",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used by the script.

AWS RDS Instance Info

Required IAM Permissions (RDS describe):

  • rds:DescribeDBInstances

Example Policy JSON (least privilege):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeDBInstances",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ADD_REGION"
        }
      }
    }
  ]
}

Replace ADD_REGION with the region used by the script.
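
A pre-deployment check for the region-scoped templates above, as an added example that is not part of the integration scripts: it fills in ADD_REGION and reports a policy whose placeholder was left in place (the condition would then match no real region and every call would be denied), whose region condition was dropped, or whose actions were widened. The function names and the region-shape regex are assumptions of this example; the billing policy has no region condition by design, so the region finding is expected for it.

```python
import json
import re

# Constructed copy of the page's CloudWatch template, placeholder still in place.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudWatchMetricQueries",
    "Effect": "Allow",
    "Action": ["cloudwatch:GetMetricData"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "ADD_REGION"}}
  }]
}"""

# Shape check only (eu-west-1, us-gov-west-1); it does not prove the region exists.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")

def as_list(value):
    """IAM accepts a single string or a list for Action and condition values."""
    return [value] if isinstance(value, str) else list(value)

def render(template, region):
    """Substitute ADD_REGION and parse, refusing input that is not region-shaped."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a region name: {region!r}")
    return json.loads(template.replace("ADD_REGION", region))

def lint(policy, allowed_actions):
    """Return findings for one policy; an empty list means nothing was flagged."""
    findings = []
    statements = policy["Statement"]
    for st in [statements] if isinstance(statements, dict) else statements:
        sid = st.get("Sid", "<no Sid>")
        for action in as_list(st.get("Action", [])):
            if "*" in action or action not in allowed_actions:
                findings.append(f"{sid}: action {action} is not in the documented set")
        cond = st.get("Condition", {}).get("StringEquals", {})
        regions = as_list(cond.get("aws:RequestedRegion", []))
        if not regions:
            findings.append(f"{sid}: no aws:RequestedRegion restriction")
        for r in regions:
            if not REGION_RE.match(r):
                findings.append(f"{sid}: region value {r!r} is not a region name")
    return findings

if __name__ == "__main__":
    allowed = {"cloudwatch:GetMetricData"}
    print(lint(json.loads(TEMPLATE), allowed))           # placeholder still present
    print(lint(render(TEMPLATE, "eu-west-1"), allowed))  # nothing flagged
```
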
