Permissions required for Application Signals - Amazon CloudWatch

Permissions required for Application Signals

Application Signals is in preview release for Amazon CloudWatch and is subject to change.

This section explains the permissions necessary for you to enable, manage, and operate Application Signals.

Permissions to enable and manage Application Signals

To manage Application Signals, and to enable Application Signals with a custom setup on architectures other than Amazon EKS, you must be signed on with the following permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsFullAccessPermissions", "Effect": "Allow", "Action": [ "cloudwatch:BatchGetServiceLevelIndicatorReport", "cloudwatch:BatchGetServiceLevelObjectiveBudgetReport", "cloudwatch:CreateServiceLevelObjective", "cloudwatch:DeleteServiceLevelObjective", "cloudwatch:EnableTopologyDiscovery", "cloudwatch:GetService", "cloudwatch:GetServiceLevelObjective", "cloudwatch:GetTopologyMap", "cloudwatch:ListServices", "cloudwatch:ListServiceLevelObjectives", "cloudwatch:UpdateServiceLevelObjective", "iam:GetRole" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumPermissions", "Effect": "Allow", "Action": [ "rum:BatchCreateRumMetricDefinitions", "rum:BatchDeleteRumMetricDefinitions", "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors", "rum:PutRumMetricsDestination", "rum:UpdateRumMetricDefinition" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsPutMetricAlarmPermissions", "Effect": "Allow", "Action": "cloudwatch:PutMetricAlarm", "Resource": [ "arn:aws:cloudwatch:*:*:alarm:SLO-AttainmentGoalAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLO-WarningAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLI-HealthAlarm-*" ] }, { "Sid": "CloudWatchApplicationSignalsEksPermissions", "Effect": "Allow", "Action": [ "eks:ListAddons", "eks:ListClusters" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksDescribeAddonPermissions", "Effect": "Allow", "Action": [ "eks:DescribeAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" }, { "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", "Condition": { "StringLike": { "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com" } } }, { "Sid": "CloudWatchApplicationSignalsTaggingPermissions", "Effect": "Allow", "Action": [ "cloudwatch:TagResource", "cloudwatch:UntagResource", "cloudwatch:ListTagsForResource" ], "Resource": "arn:aws:cloudwatch:*:*:slo/*" }, { "Sid": "CloudWatchApplicationSignalsSnsWritePermissions", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:Subscribe" ], "Resource": "arn:aws:sns:*:*:cloudwatch-application-signals-*" }, { "Sid": "CloudWatchApplicationSignalsSnsReadPermissions", "Effect": "Allow", "Action": "sns:ListTopics", "Resource": "*" } ] }

To use the console to enable Application Signals on applications in an Amazon EKS cluster, you'll also need the following permissions. These permissions are required to install and manage the Amazon CloudWatch Observability EKS add-on.

Important

These permissions include iam:PassRole with Resource "*” and eks:CreateAddon with Resource “*”. These are powerful permissions and you should use caution in granting them.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:CreateAddon", "eks:DescribeAddon", "eks:DescribeAddonConfiguration", "eks:DescribeAddonVersions", "eks:DescribeCluster", "eks:DescribeUpdate", "eks:ListAddons", "eks:ListClusters", "eks:ListUpdates", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:DeleteAddon", "eks:UpdateAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }

To see which AWS Service Catalog AppRegistry Applications that your SLOs are associated with in the SLO pages in the Application Signals dashboard, you also need the following permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }

Operating Application Signals

Service operators who are using Application Signals to monitor services and SLOs must be signed on to an account with the following permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsReadOnlyAccessPermissions", "Effect": "Allow", "Action": [ "cloudwatch:BatchGetServiceLevelIndicatorReport", "cloudwatch:BatchGetServiceLevelObjectiveBudgetReport", "cloudwatch:GetService", "cloudwatch:GetServiceLevelObjective", "cloudwatch:GetTopologyMap", "cloudwatch:ListServices", "cloudwatch:ListServiceLevelObjectives" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsReadPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumReadPermissions", "Effect": "Allow", "Action": [ "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayReadPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:ListTagsForResource" ], "Resource": "arn:aws:cloudwatch:*:*:slo/*" }, { "Sid": "CloudWatchApplicationSignalsEksReadPermissions", "Effect": "Allow", "Action": [ "eks:ListAddons", "eks:ListClusters" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions", "Effect": "Allow", "Action": [ "eks:DescribeAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }

For an operator to be able to see which AWS Service Catalog AppRegistry Applications that your SLOs are associated with in the SLO pages in the Application Signals dashboard, they will also need the following permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }