Configuring access policies for Performance Insights - Amazon Aurora

Configuring access policies for Performance Insights

To access Performance Insights, a principal must have the appropriate permissions from AWS Identity and Access Management (IAM). You can grant access in the following ways:

  • Attach the AmazonRDSPerformanceInsightsReadOnly managed policy to a permission set or role to access all read-only operations of the Performance Insights API. Also attach the following CloudWatch permissions: GetMetricStatistics, ListMetrics, and GetMetricData. For more information about CloudWatch permissions, see Amazon CloudWatch permissions reference.

  • Attach the AmazonRDSPerformanceInsightsFullAccess managed policy to a permission set or role to access all operations of the Performance Insights API. Also attach the following CloudWatch permissions: GetMetricStatistics, ListMetrics, and GetMetricData. For more information about CloudWatch permissions, see Amazon CloudWatch permissions reference.

  • Create a custom IAM policy and attach it to a permission set or role.

If you specified a customer managed key when you turned on Performance Insights, make sure that users in your account have the kms:Decrypt and kms:GenerateDataKey permissions on the AWS KMS key.
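The following added example (not AWS code) checks a principal's identity policy documents for the CloudWatch and AWS KMS permissions named above and reports any that no Allow statement covers, including through wildcards. The function names and the sample policy are constructed for illustration; the check looks only at Allow actions and does not evaluate Deny statements, Resource scoping, or Condition keys.

```python
import fnmatch
import json

# CloudWatch permissions the page says to attach alongside the managed policies.
CLOUDWATCH_ACTIONS = ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                      "cloudwatch:GetMetricData"]
# Needed only when Performance Insights was turned on with a customer managed key.
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]

def allowed_patterns(policy_docs):
    """Collect Action patterns from every Allow statement in the policy documents."""
    patterns = []
    for doc in policy_docs:
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a lone statement may be a bare object
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue  # skip Deny and NotAction statements
            actions = stmt["Action"]
            patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def missing_permissions(policy_docs, customer_managed_key=False):
    """Return the required actions that no Allow statement covers."""
    required = CLOUDWATCH_ACTIONS + (KMS_ACTIONS if customer_managed_key else [])
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    patterns = [p.lower() for p in allowed_patterns(policy_docs)]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

# Constructed sample policy: covers CloudWatch via a wildcard, but omits
# kms:GenerateDataKey. The key ARN is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudwatch:Get*", "cloudwatch:ListMetrics"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"}
  ]
}
""")

if __name__ == "__main__":
    print(missing_permissions([SAMPLE_POLICY], customer_managed_key=True))
```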

The following sections describe how to attach an AWS managed policy to an IAM principal, create a custom IAM policy, change an AWS KMS policy, and grant fine-grained access for Performance Insights.

Attaching the AmazonRDSPerformanceInsightsReadOnly policy to an IAM principal

AmazonRDSPerformanceInsightsReadOnly is an AWS managed policy that grants access to all read-only operations of the Amazon RDS Performance Insights API.

If you attach AmazonRDSPerformanceInsightsReadOnly to a permission set or role, the recipient can use Performance Insights with other console features.

For more information, see AWS managed policy: AmazonRDSPerformanceInsightsReadOnly.

Attaching the AmazonRDSPerformanceInsightsFullAccess policy to an IAM principal

AmazonRDSPerformanceInsightsFullAccess is an AWS managed policy that grants access to all operations of the Amazon RDS Performance Insights API.

If you attach AmazonRDSPerformanceInsightsFullAccess to a permission set or role, the recipient can use Performance Insights with other console features.

For more information, see AWS managed policy: AmazonRDSPerformanceInsightsFullAccess.
