Using a service-linked role for CloudWatch Network Monitor - Amazon CloudWatch

Using a service-linked role for CloudWatch Network Monitor

Amazon CloudWatch Network Monitor uses the following service-linked role for the permissions that it requires to call other AWS services on your behalf:

AWSServiceRoleForNetworkMonitor

CloudWatch Network Monitor uses the service-linked role named AWSServiceRoleForNetworkMonitor to update and manage CloudWatch network monitors.

The AWSServiceRoleForNetworkMonitor service-linked role trusts the following service to assume the role:

  • networkmonitor.amazonaws.com

The CloudWatchNetworkMonitorServiceRolePolicy is attached to the service-linked role. It grants the service access to VPC and EC2 resources in your account and lets it manage the network monitors that have been created.

Permission groupings

The policy is grouped into the following sets of permissions:

  • cloudwatch - This allows the service principal to publish network monitoring metrics to CloudWatch resources.

  • ec2 - This allows the service principal to describe VPCs and subnets in your account to create or update monitors and probes. This also allows the service principal to create, modify, and delete security groups, network interfaces, and their associated permissions to configure the monitor or probe to send monitoring traffic to your endpoints.

For more information about the policy, see AWS managed policies for CloudWatch Network Monitor.

The following shows the CloudWatchNetworkMonitorServiceRolePolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublishCw",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/NetworkMonitor"
        }
      }
    },
    {
      "Sid": "DescribeAny",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeleteModifyEc2Resources",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ManagedByCloudWatchNetworkMonitor": "true"
        }
      }
    }
  ]
}
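The two guardrails worth noticing in this policy are the namespace condition on PutMetricData and the ManagedByCloudWatchNetworkMonitor tag condition on every mutating EC2 action. The following script is an added example (not AWS code) that encodes those two guardrails as audit rules, runs them over the policy document above, and shows the rule firing on a weakened copy with the tag condition removed. The policy is the page's own; the audit rules, function names and the weakening helper are this example's assumptions.

```python
"""Audit the scoping guardrails in CloudWatchNetworkMonitorServiceRolePolicy.

Added example, not part of the AWS documentation. POLICY is the managed policy
as shown on the page; the audit rules below are this example's own reading of
what keeps the role least-privilege.
"""
import copy
import fnmatch
import json

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublishCw", "Effect": "Allow", "Action": "cloudwatch:PutMetricData",
         "Resource": "*",
         "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/NetworkMonitor"}}},
        {"Sid": "DescribeAny", "Effect": "Allow",
         "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaceAttribute",
                    "ec2:DescribeVpcs", "ec2:DescribeNetworkInterfacePermissions",
                    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Sid": "DeleteModifyEc2Resources", "Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupEgress", "ec2:CreateNetworkInterfacePermission",
                    "ec2:DeleteNetworkInterfacePermission", "ec2:RevokeSecurityGroupEgress",
                    "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface",
                    "ec2:DeleteSecurityGroup"],
         "Resource": ["arn:aws:ec2:*:*:network-interface/*",
                      "arn:aws:ec2:*:*:security-group/*"],
         "Condition": {"StringEquals": {
             "aws:ResourceTag/ManagedByCloudWatchNetworkMonitor": "true"}}},
    ],
}

# Actions that change or remove EC2 resources; each must stay tag-scoped.
MUTATING_EC2 = [
    "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateNetworkInterfacePermission",
    "ec2:DeleteNetworkInterfacePermission", "ec2:RevokeSecurityGroupEgress",
    "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface",
    "ec2:DeleteSecurityGroup",
]
TAG_KEY = "aws:ResourceTag/ManagedByCloudWatchNetworkMonitor"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statements_allowing(policy, action):
    """Allow statements whose Action patterns (wildcards included) cover `action`.

    NotAction statements are not handled; this policy does not use them.
    """
    return [
        s for s in policy["Statement"]
        if s.get("Effect") == "Allow"
        and any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(s.get("Action", [])))
    ]


def _string_equals(statement, key):
    return statement.get("Condition", {}).get("StringEquals", {}).get(key)


def audit_policy(policy):
    """Return a list of human-readable findings; empty means the guardrails hold."""
    findings = []
    # Rule 1: metric publishing must be pinned to the service's own namespace.
    for s in statements_allowing(policy, "cloudwatch:PutMetricData"):
        if _string_equals(s, "cloudwatch:namespace") != "AWS/NetworkMonitor":
            findings.append(f"{s.get('Sid')}: PutMetricData not limited to AWS/NetworkMonitor")
    # Rule 2: mutating EC2 actions must be resource-scoped and tag-conditioned.
    for action in MUTATING_EC2:
        for s in statements_allowing(policy, action):
            if "*" in _as_list(s.get("Resource", [])):
                findings.append(f"{s.get('Sid')}: {action} allowed on Resource '*'")
            if _string_equals(s, TAG_KEY) != "true":
                findings.append(f"{s.get('Sid')}: {action} not limited to {TAG_KEY}=true")
    # The Describe* statement is read-only and is left out of this audit.
    return findings


def audit_policy_document(text):
    """Convenience wrapper for a policy fetched as JSON text (e.g. from IAM)."""
    return audit_policy(json.loads(text))


def drop_tag_condition(policy, sid="DeleteModifyEc2Resources"):
    """Constructed weakening for demonstration: strip the tag condition from `sid`."""
    weak = copy.deepcopy(policy)
    for s in weak["Statement"]:
        if s.get("Sid") == sid:
            s.pop("Condition", None)
    return weak


if __name__ == "__main__":
    print("managed policy findings:", audit_policy(POLICY))
    print("weakened copy findings:")
    for line in audit_policy(drop_tag_condition(POLICY)):
        print("  -", line)
```

Run against the policy as published, audit_policy returns no findings; against the weakened copy it reports one finding per mutating action, which is the signal you would want from a periodic check that a managed policy still carries its scoping conditions.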

Create the service-linked role

AWSServiceRoleForNetworkMonitor

You don't need to manually create the AWSServiceRoleForNetworkMonitor role.

  • CloudWatch Network Monitor creates the AWSServiceRoleForNetworkMonitor role when you create your first network monitor. This role will apply to any subsequent monitors you create.

To create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Edit the service-linked role

You can edit the description of the AWSServiceRoleForNetworkMonitor role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use CloudWatch Network Monitor, we recommend that you delete the AWSServiceRoleForNetworkMonitor role.

You can delete this service-linked role only after you delete your network monitors. For information about deleting your network monitor, see Delete a network monitor.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

After you delete AWSServiceRoleForNetworkMonitor, CloudWatch Network Monitor creates the role again when you create a new monitor.
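The ordering constraint above (monitors first, then the role) is easy to get wrong in cleanup automation, because DeleteServiceLinkedRole accepts the request and only later reports, through the deletion task status, that the role is still in use. The script below is an added example (not AWS code) that enforces that order: it lists all monitors with pagination, refuses to proceed while any exist unless explicitly told to delete them, and then polls the IAM deletion task to a terminal state. It assumes boto3's networkmonitor client (list_monitors, delete_monitor) and IAM client (delete_service_linked_role, get_service_linked_role_deletion_status); the response keys used are taken from the SDK as best understood here and should be checked against the SDK reference. The clients are passed in as parameters, and the two Fake* classes are constructed stand-ins so the logic can be exercised offline.

```python
"""Retire AWSServiceRoleForNetworkMonitor in the order the documentation requires.

Added example, not AWS code. Assumes boto3's 'networkmonitor' client
(list_monitors, delete_monitor) and 'iam' client (delete_service_linked_role,
get_service_linked_role_deletion_status); response keys are an assumption to
verify against the SDK reference. Clients are injected so fakes can stand in.
"""
import time

ROLE_NAME = "AWSServiceRoleForNetworkMonitor"
TERMINAL_STATES = {"SUCCEEDED", "FAILED"}


def list_monitor_names(nm):
    """Return every monitor name in the Region, following nextToken pagination."""
    names, token = [], None
    while True:
        page = nm.list_monitors(**({"nextToken": token} if token else {}))
        names.extend(m["monitorName"] for m in page.get("monitors", []))
        token = page.get("nextToken")
        if not token:
            return names


def retire_role(nm, iam, delete_monitors=False, poll_interval=0.0, max_polls=20):
    """Delete the service-linked role once no monitors remain.

    Returns {"status": "blocked", "monitors": [...]} when monitors still exist and
    delete_monitors is False, so a caller never submits a deletion task that IAM
    will fail with the monitors listed as resources still using the role.
    """
    monitors = list_monitor_names(nm)
    if monitors and not delete_monitors:
        return {"status": "blocked", "monitors": monitors}
    for name in monitors:
        nm.delete_monitor(monitorName=name)
    task_id = iam.delete_service_linked_role(RoleName=ROLE_NAME)["DeletionTaskId"]
    reply, status = {}, "IN_PROGRESS"
    for _ in range(max_polls):
        reply = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        status = reply["Status"]  # NOT_STARTED, IN_PROGRESS, SUCCEEDED or FAILED
        if status in TERMINAL_STATES:
            break
        time.sleep(poll_interval)
    return {"status": status, "deleted_monitors": monitors,
            "task_id": task_id, "reason": reply.get("Reason")}


class FakeNetworkMonitor:
    """Constructed stand-in for the networkmonitor client; pages by page_size."""

    def __init__(self, names, page_size=2):
        self.names, self.page_size, self.deleted = list(names), page_size, []

    def list_monitors(self, nextToken=None):
        start = int(nextToken) if nextToken else 0
        chunk = self.names[start:start + self.page_size]
        page = {"monitors": [{"monitorName": n} for n in chunk]}
        if start + self.page_size < len(self.names):
            page["nextToken"] = str(start + self.page_size)
        return page

    def delete_monitor(self, monitorName):
        self.names.remove(monitorName)
        self.deleted.append(monitorName)


class FakeIAM:
    """Constructed stand-in for the IAM client; reports IN_PROGRESS then final_status."""

    def __init__(self, final_status="SUCCEEDED", pending_polls=1):
        self.final_status, self.pending_polls = final_status, pending_polls
        self.polls, self.deleted_role = 0, None

    def delete_service_linked_role(self, RoleName):
        self.deleted_role = RoleName
        return {"DeletionTaskId": f"task/{RoleName}/constructed-task-id"}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        self.polls += 1
        if self.polls <= self.pending_polls:
            return {"Status": "IN_PROGRESS"}
        if self.final_status == "FAILED":
            return {"Status": "FAILED",
                    "Reason": {"Reason": "constructed: resources still in use"}}
        return {"Status": self.final_status}


if __name__ == "__main__":
    nm, iam = FakeNetworkMonitor(["edge-probe", "db-path", "dns-check"]), FakeIAM()
    print(retire_role(nm, iam))                        # blocked: monitors exist
    print(retire_role(nm, iam, delete_monitors=True))  # monitors gone, role deleted
```

To use this against a real account, replace the fakes with boto3.client("networkmonitor") and boto3.client("iam"); the blocked result is the safe default, and a FAILED status carries the Reason structure IAM returns when resources still reference the role.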

Supported Regions for the CloudWatch Network Monitor service-linked role

CloudWatch Network Monitor supports the service-linked role in all AWS Regions where the service is available. For more information, see AWS endpoints in the AWS General Reference.