Configuring access policies for Performance Insights
To access Performance Insights, a principal must have the appropriate permissions from AWS Identity and Access Management (IAM). You can grant access in the following ways:
- Attach the AmazonRDSPerformanceInsightsReadOnly managed policy to a permission set or role to access all read-only operations of the Performance Insights API. Attach the following CloudWatch permissions: GetMetricStatistics, ListMetrics, and GetMetricData. For more information about CloudWatch permissions, see Amazon CloudWatch permissions reference.
- Attach the AmazonRDSPerformanceInsightsFullAccess managed policy to a permission set or role to access all operations of the Performance Insights API. Attach the following CloudWatch permissions: GetMetricStatistics, ListMetrics, and GetMetricData. For more information about CloudWatch permissions, see Amazon CloudWatch permissions reference.
- Create a custom IAM policy and attach it to a permission set or role.
If you specified a customer managed key when you turned on Performance Insights, make sure that users in your account have the kms:Decrypt and kms:GenerateDataKey permissions on the AWS KMS key.
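An added example, not taken from the AWS documentation: a small Python check that reports which of the CloudWatch and AWS KMS actions named above a set of identity policy documents fails to allow. The function name, the sample policy, and the placeholder key ARN are constructed for illustration; Resource, Condition, and NotAction elements are not evaluated.

```python
import re

# Actions this page lists alongside the Performance Insights managed policies.
CLOUDWATCH_ACTIONS = ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                      "cloudwatch:GetMetricData"]
# Needed only when Performance Insights uses a customer managed key.
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single item or a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    # Action names are case-insensitive; "*" and "?" are the only wildcards.
    for pattern in patterns:
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False

def missing_actions(policy_documents, uses_customer_managed_key):
    """Return required actions that are not allowed, or are explicitly denied.

    Simplification (assumption of this example): only Effect and Action are
    read, so a Resource or Condition that narrows a statement is not detected.
    """
    required = CLOUDWATCH_ACTIONS + (KMS_ACTIONS if uses_customer_managed_key else [])
    allow, deny = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            target = allow if stmt.get("Effect") == "Allow" else deny
            target.extend(_as_list(stmt.get("Action")))
    # An explicit Deny always overrides an Allow.
    return [a for a in required if _matches(a, deny) or not _matches(a, allow)]

# Constructed sample: a custom policy that forgot kms:GenerateDataKey.
SAMPLE_CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:Get*", "cloudwatch:ListMetrics"]},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID"},
    ],
}

if __name__ == "__main__":
    print(missing_actions([SAMPLE_CUSTOM_POLICY], uses_customer_managed_key=True))
```

Pass every policy document attached to the permission set or role in one call, so that an explicit Deny in one document is weighed against an Allow in another.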
In the following sections, attach an AWS managed policy to an IAM principal, create a custom IAM policy, change an AWS KMS policy, and grant fine-grained access for Performance Insights.
Attaching the AmazonRDSPerformanceInsightsReadOnly policy to an IAM principal
AmazonRDSPerformanceInsightsReadOnly is an AWS managed policy that grants access to all read-only operations of the Amazon RDS Performance Insights API.
If you attach AmazonRDSPerformanceInsightsReadOnly to a permission set or role, the recipient can use Performance Insights with other console features.
For more information, see AWS managed policy: AmazonRDSPerformanceInsightsReadOnly.
Attaching the AmazonRDSPerformanceInsightsFullAccess policy to an IAM principal
AmazonRDSPerformanceInsightsFullAccess is an AWS managed policy that grants access to all operations of the Amazon RDS Performance Insights API.
If you attach AmazonRDSPerformanceInsightsFullAccess to a permission set or role, the recipient can use Performance Insights with other console features.
For more information, see AWS managed policy: AmazonRDSPerformanceInsightsFullAccess.