Amazon DevOps Guru permissions reference - Amazon DevOps Guru

You can use AWS-wide condition keys in your DevOps Guru policies to express conditions. For a list, see IAM JSON Policy Elements Reference in the IAM User Guide.

You specify the actions in the policy's Action field. To specify an action, use the devops-guru: prefix followed by the API operation name (for example, devops-guru:SearchInsights and devops-guru:ListAnomalies). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "devops-guru:SearchInsights", "devops-guru:ListAnomalies" ]).

Using wildcard characters

You specify an Amazon Resource Name (ARN), with or without a wildcard character (*), as the resource value in the policy's Resource field. You can use a wildcard to specify multiple actions or resources. For example, devops-guru:* specifies all DevOps Guru actions and devops-guru:List* specifies all DevOps Guru actions that begin with the word List. The following example refers to all insights with a universally unique identifier (UUID) that begins with 12345.

arn:aws:devops-guru:us-east-2:123456789012:insight:12345*

You can use the following table as a reference when you are setting up authentication with identities and writing permissions policies that you can attach to an IAM identity (identity-based policies).

DevOps Guru API operations and required permissions for actions
DevOps Guru API operations | Required permissions (API actions) | Resources
AddNotificationChannel

devops-guru:AddNotificationChannel

Required to add a notification channel from DevOps Guru. A notification channel is used to notify you when DevOps Guru generates an insight that contains information about how to improve your operations.

*

RemoveNotificationChannel

devops-guru:RemoveNotificationChannel

Required to remove a notification channel from DevOps Guru. A notification channel is used to notify you when DevOps Guru generates an insight that contains information about how to improve your operations.

*

ListNotificationChannels

devops-guru:ListNotificationChannels

Required to return a list of notification channels configured for DevOps Guru. Each notification channel is used to notify you when DevOps Guru generates an insight that contains information about how to improve your operations. The one notification type supported is Amazon Simple Notification Service.

*

UpdateResourceCollectionFilter

devops-guru:UpdateResourceCollectionFilter

Required to update the list of AWS CloudFormation stacks that are used to specify which AWS resources in your account are analyzed by DevOps Guru. The analysis generates insights that include recommendations, operational metrics, and operational events that you can use to improve the performance of your operations. This method also creates the IAM roles required for you to use CodeGuru OpsAdvisor.

*

GetResourceCollectionFilter

devops-guru:GetResourceCollectionFilter

Required to return the list of AWS CloudFormation stacks that are used to specify which AWS resources in your account are analyzed by DevOps Guru. The analysis generates insights that include recommendations, operational metrics, and operational events that you can use to improve the performance of your operations.

*

ListInsights

devops-guru:ListInsights

Required to return a list of insights in your AWS account. You can specify which insights are returned by their start time, status (ongoing or any), and type (reactive or predictive).

*

DescribeInsight

devops-guru:DescribeInsight

Required to return details about an insight that you specify using its ID.

*

SearchInsights

devops-guru:SearchInsights

Required to return a list of insights in your AWS account. You can specify which insights are returned by their start time, filters, and type (reactive or predictive).

*

ListAnomalies

devops-guru:ListAnomalies

Required to return a list of the anomalies that belong to an insight that you specify using its ID.

*

DescribeAnomaly

devops-guru:DescribeAnomaly

Required to return details about an anomaly that you specify using its ID.

*

ListEvents

devops-guru:ListEvents

Required to return a list of the events emitted by the resources that are evaluated by DevOps Guru. You can use filters to specify which events are returned.

*

ListAnomalousLogs

devops-guru:ListAnomalousLogs

Required to return a list of Amazon CloudWatch log groups that contain log anomalies. These are used to generate insights in DevOps Guru. Administrators should ensure that only users with permissions to view CloudWatch logs have permissions to view anomalous CloudWatch logs. We recommend that you use IAM policies to allow or deny access to the ListAnomalousLogs operation.

*

ListRecommendations

devops-guru:ListRecommendations

Required to return a list of a specified insight's recommendations. Each recommendation includes a list of metrics and a list of events that are related to the recommendations.

*

DescribeAccountHealth

devops-guru:DescribeAccountHealth

Required to return the number of open reactive insights, the number of open proactive insights, and the number of metrics analyzed in your AWS account. Use these numbers to gauge the health of operations in your AWS account.

*

DescribeAccountOverview

devops-guru:DescribeAccountOverview

Required to return the following that happened during a time range: the number of open reactive insights that were created, the number of open predictive insights that were created, and the mean time to recover (MTTR) for all reactive insights that were closed.

*

DescribeResourceCollectionHealthOverview

devops-guru:DescribeResourceCollectionHealthOverview

Required to return the number of open predictive insights, open reactive insights, and mean time to recover (MTTR) for all insights for each AWS CloudFormation stack specified in DevOps Guru.

*

DescribeIntegratedService

devops-guru:DescribeIntegratedService

Required to return the integration status of services that can be integrated with DevOps Guru. The one service that can be integrated with DevOps Guru is AWS Systems Manager, which can be used to create an OpsItem for each generated insight.

*

UpdateIntegratedServiceConfig

devops-guru:UpdateIntegratedServiceConfig

Required to enable or disable integration with a service that can be integrated with DevOps Guru. The one service that can be integrated with DevOps Guru is Systems Manager, which can be used to create an OpsItem for each generated insight.

*
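
The wildcard rules described under "Using wildcard characters" interact with the ListAnomalousLogs recommendation in the table: a read-only statement written as devops-guru:List* also grants ListAnomalousLogs. The following is an added example, not code from the AWS documentation, that expands a policy's action patterns against the operations in the table and shows an explicit Deny removing that one operation. The function names and both sample policies are constructed for illustration, and the evaluation is simplified: it ignores Resource, Condition, NotAction and any other policy types.

```python
import re

# Operation names copied from the permissions table on this page.
DEVOPS_GURU_ACTIONS = [
    "AddNotificationChannel", "RemoveNotificationChannel", "ListNotificationChannels",
    "UpdateResourceCollectionFilter", "GetResourceCollectionFilter", "ListInsights",
    "DescribeInsight", "SearchInsights", "ListAnomalies", "DescribeAnomaly",
    "ListEvents", "ListAnomalousLogs", "ListRecommendations", "DescribeAccountHealth",
    "DescribeAccountOverview", "DescribeResourceCollectionHealthOverview",
    "DescribeIntegratedService", "UpdateIntegratedServiceConfig",
]

def _matches(pattern, action):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    # Action names are compared case-insensitively.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _as_list(value):
    # IAM accepts a single string/statement or a list of them.
    return [value] if isinstance(value, (str, dict)) else list(value)

def effective_actions(policy):
    """DevOps Guru operations allowed once explicit denies are removed.

    Simplification (assumption): Resource, Condition and NotAction are ignored.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in DEVOPS_GURU_ACTIONS
                          if _matches(pattern, "devops-guru:" + a))
    return sorted(allowed - denied)  # an explicit Deny always wins

def grants_anomalous_logs(policy):
    return "ListAnomalousLogs" in effective_actions(policy)

# Constructed sample policies (not from the AWS documentation).
_READ = ["devops-guru:List*", "devops-guru:Describe*", "devops-guru:SearchInsights"]
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": _READ, "Resource": "*"}]}
READ_ONLY_NO_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": _READ, "Resource": "*"},
    {"Effect": "Deny", "Action": "devops-guru:ListAnomalousLogs", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("READ_ONLY", READ_ONLY), ("READ_ONLY_NO_LOGS", READ_ONLY_NO_LOGS)):
        print(name, "grants ListAnomalousLogs:", grants_anomalous_logs(pol))
```

Running the check over policies before they are attached makes it visible when a broad List* grant reaches users who should not see anomalous CloudWatch log groups.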