Using service-linked roles for Amazon Monitron - Amazon Monitron

Using service-linked roles for Amazon Monitron

Amazon Monitron uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Monitron. Service-linked roles are predefined by Amazon Monitron and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Amazon Monitron easier because you don’t have to manually add the necessary permissions. Amazon Monitron defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Monitron can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for Amazon Monitron

Amazon Monitron uses the service-linked role named AWSServiceRoleForMonitron[_{SUFFIX}] – Amazon Monitron uses AWSServiceRoleForMonitron to access other AWS services, including Cloudwatch Logs, Kinesis Data Streams, KMS keys, and SSO.

The AWSServiceRoleForMonitron[_{SUFFIX}] service-linked role trusts the following services to assume the role:

  • monitron.amazonaws.com or core.monitron.amazonaws.com

The role permissions policy named MonitronServiceRolePolicy allows Amazon Monitron to complete the following actions on the specified resources:

  • Action: Amazon CloudWatch Logs logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on the CloudWatch log group, log stream, and log events under /aws/monitron/* path

The role permissions policy named MonitronServiceDataExport-KinesisDataStreamAccess allows Amazon Monitron to complete the following actions on the specified resources:

  • Action: Amazon Kinesis kinesis:PutRecord, kinesis:PutRecords, and kinesis:DescribeStream on the Kinesis data stream specified for live data export.

  • Action: Amazon KMS kms:GenerateDataKey for the KMS key used by the specified Kinesis data stream for live data export

  • Action: Amazon IAM iam:DeleteRole to delete the service-linked role itself when not used

The role permissions policy named AWSServiceRoleForMonitronPolicy allows Amazon Monitron to complete the following actions on the specified resources:

  • Action: IAM Identity Center sso:GetManagedApplicationInstance, sso:GetProfile, sso:ListProfiles, sso:AssociateProfile, sso:ListDirectoryAssociations, sso:ListProfileAssociations, sso-directory:DescribeUsers, and sso-directory:SearchUsers to access IAM Identity Center users associated with the project

Note

Add sso:ListProfileAssociations to allow Amazon Monitron to list associations with the application instance underlying the Amazon Monitron Project.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Creating a service-linked role for Amazon Monitron

You don't need to manually create a service-linked role. When Amazon Monitron needs to access other AWS resources, Amazon Monitron creates the service-linked role for you.

Editing a service-linked role for Amazon Monitron

Amazon Monitron does not allow you to edit the AWSServiceRoleForMonitron[_{SUFFIX}] service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for Amazon Monitron

You don't need to manually delete the AWSServiceRoleForMonitron[_{SUFFIX}] role. When you delete a Amazon Monitron project that you created through Amazon Monitron in the AWS Management Console, Amazon Monitron cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

Note

If the Amazon Monitron service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To delete Amazon Monitron resources used by the AWSServiceRoleForMonitron[_{SUFFIX}]
  • Delete Amazon Monitron projects using this service-linked role.

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMonitron[_{SUFFIX}] service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported regions for Amazon Monitron service-linked roles

Amazon Monitron does not support using service-linked roles in every region where the service is available. You can use the AWSServiceRoleForMonitron[_{SUFFIX}] role in the following regions.

Region name Region identity Support in Amazon Monitron
US East (N. Virginia) us-east-1 Yes
US East (Ohio) us-east-2 No
US West (N. California) us-west-1 No
US West (Oregon) us-west-2 No
Asia Pacific (Mumbai) ap-south-1 No
Asia Pacific (Osaka) ap-northeast-3 No
Asia Pacific (Seoul) ap-northeast-2 No
Asia Pacific (Singapore) ap-southeast-1 No
Asia Pacific (Sydney) ap-southeast-2 No
Asia Pacific (Tokyo) ap-northeast-1 No
Canada (Central) ca-central-1 No
Europe (Frankfurt) eu-central-1 No
Europe (Ireland) eu-west-1 Yes
Europe (London) eu-west-2 No
Europe (Paris) eu-west-3 No
South America (São Paulo) sa-east-1 No
AWS GovCloud (US) us-gov-west-1 No