Permissions required for Application Signals - Amazon CloudWatch

Permissions required for Application Signals

This section explains the permissions necessary for you to enable, manage, and operate Application Signals.

Permissions to enable and manage Application Signals

To manage Application Signals, you must be signed on with the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsFullAccessPermissions", "Effect": "Allow", "Action": "application-signals:*", "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:DescribeMetricFilters" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" }, { "Sid": "CloudWatchApplicationSignalsLogsPermissions", "Effect": "Allow", "Action": [ "logs:GetQueryResults", "logs:StopQuery" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumPermissions", "Effect": "Allow", "Action": [ "rum:BatchCreateRumMetricDefinitions", "rum:BatchDeleteRumMetricDefinitions", "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors", "rum:PutRumMetricsDestination", "rum:UpdateRumMetricDefinition" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsPutMetricAlarmPermissions", "Effect": "Allow", "Action": "cloudwatch:PutMetricAlarm", "Resource": [ "arn:aws:cloudwatch:*:*:alarm:SLO-AttainmentGoalAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLO-WarningAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLI-HealthAlarm-*" ] }, { "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", "Condition": { "StringLike": { "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com" } } }, { "Sid": "CloudWatchApplicationSignalsGetRolePermissions", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" }, { "Sid": "CloudWatchApplicationSignalsSnsWritePermissions", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:Subscribe" ], "Resource": "arn:aws:sns:*:*:cloudwatch-application-signals-*" }, { "Sid": "CloudWatchApplicationSignalsSnsReadPermissions", "Effect": "Allow", "Action": "sns:ListTopics", "Resource": "*" } ] }

To enable Application Signals on Amazon EC2, Kubernetes, or custom architectures, see Enable Application Signals on other platforms with a custom setup. To enable and manage Application Signals on Amazon EKS using the Amazon CloudWatch Observability EKS add-on, you need the following permissions.

Important

These permissions include iam:PassRole with Resource "*” and eks:CreateAddon with Resource “*”. These are powerful permissions and you should use caution in granting them.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:AccessKubernetesApi", "eks:CreateAddon", "eks:DescribeAddon", "eks:DescribeAddonConfiguration", "eks:DescribeAddonVersions", "eks:DescribeCluster", "eks:DescribeUpdate", "eks:ListAddons", "eks:ListClusters", "eks:ListUpdates", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:DeleteAddon", "eks:UpdateAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }

The Application Signals dashboard shows the AWS Service Catalog AppRegistry applications that your SLOs are associated with. To see these applications in the SLO pages, you must have the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }

Operating Application Signals

Service operators who are using Application Signals to monitor services and SLOs must be signed on to an account with the following read only permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsReadOnlyAccessPermissions", "Effect": "Allow", "Action": [ "application-signals:BatchGet*", "application-signals:Get*", "application-signals:List*" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsGetRolePermissions", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" }, { "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:DescribeMetricFilters" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" }, { "Sid": "CloudWatchApplicationSignalsLogsPermissions", "Effect": "Allow", "Action": [ "logs:GetQueryResults", "logs:StopQuery" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsReadPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumReadPermissions", "Effect": "Allow", "Action": [ "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayReadPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" } ] }

To see which AWS Service Catalog AppRegistry Applications that your SLOs are associated within the Application Signals dashboard, you must have the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }

To check if Application Signals on Amazon EKS using the Amazon CloudWatch Observability EKS add-on is enabled, you need to have the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksReadPermissions", "Effect": "Allow", "Action": [ "eks:ListAddons", "eks:ListClusters" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions", "Effect": "Allow", "Action": [ "eks:DescribeAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }