Amazon Managed Grafana permissions and policies for AWS data sources and notification channels - Amazon Managed Grafana

Amazon Managed Grafana permissions and policies for AWS data sources and notification channels

Amazon Managed Grafana offers three permission modes:

  • Service-managed permissions for current account

  • Service-managed permissions for organizations

  • Customer-managed permissions

When you create a workspace, you choose which permission mode to use. You can also change this later if you want.

In either of the service-managed permission modes, Amazon Managed Grafana creates roles and policies that are needed to access and discover AWS data sources in your account or organization. You can then edit these policies in the IAM console if you choose.

Service-managed permissions for a single account

In this mode, Amazon Managed Grafana creates a role called AmazonGrafanaServiceRole-random-id. Amazon Managed Grafana then attaches a policy to this role for each AWS service that you select to access from the Amazon Managed Grafana workspace.

CloudWatch

Amazon Managed Grafana creates a customer-managed policy with the name AmazonGrafanaCloudWatchPolicy-random-id. The contents of the policy are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowReadingMetricsFromCloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData" ], "Resource": "*" }, { "Sid": "AllowReadingLogsFromCloudWatch", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:GetLogGroupFields", "logs:StartQuery", "logs:StopQuery", "logs:GetQueryResults", "logs:GetLogEvents" ], "Resource": "*" }, { "Sid": "AllowReadingTagsInstancesRegionsFromEC2", "Effect": "Allow", "Action": [ "ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions" ], "Resource": "*" }, { "Sid": "AllowReadingResourcesForTags", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }
Amazon OpenSearch Service

Amazon Managed Grafana creates a customer-managed policy with the name AmazonGrafanaOpenSearchPolicy-random-id. The Get/Post permissions are needed for data source access. The List/Describe permissions are used by Amazon Managed Grafana for data source discovery, but they aren’t required for the data source plugin to work. The contents of the policy are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpGet", "es:DescribeElasticsearchDomains", "es:ListDomainNames" ], "Resource": "*" }, { "Effect": "Allow", "Action": "es:ESHttpPost", "Resource": [ "arn:aws:es:*:*:domain/*/_msearch*", "arn:aws:es:*:*:domain/*/_opendistro/_ppl" ] } ] }
AWS IoT SiteWise

Amazon Managed Grafana attaches the AWS managed policy AWSIoTSiteWiseReadOnlyAccess.

Amazon Managed Service for Prometheus

Amazon Managed Grafana creates a customer-managed policy with the name AmazonGrafanaPrometheusPolicy-random-id. The List/Describe permissions are used by Amazon Managed Grafana for data source discovery, they aren’t required for the plugin to work. The contents of the policy are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aps:ListWorkspaces", "aps:DescribeWorkspace", "aps:QueryMetrics", "aps:GetLabels", "aps:GetSeries", "aps:GetMetricMetadata" ], "Resource": "*" } ] }
Amazon SNS

Amazon Managed Grafana creates a customer-managed policy with the name AmazonGrafanaSNSPolicy-random-id. The policy restricts you to only using SNS topics in your account that start with the string grafana. This is not necessary if you create your own policy. The contents of the policy are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": [ "arn:aws:sns:*:accountId:grafana*" ] } ] }
Timestream

Amazon Managed Grafana attaches the AWS managed policy AmazonTimestreamReadOnlyAccess.

X-Ray

Amazon Managed Grafana attaches the AWS managed policy AmazonXrayReadOnlyAccess.

Service-managed permissions for an organization

This mode is supported only for workspaces created in management accounts or delegated administrator accounts in an organization. For more information about delegated administrator accounts, see Register a delegated administrator.

Note

Creating resources such as Amazon Managed Grafana workspaces in the management account of an organization is against AWS security best practices.

In this mode, Amazon Managed Grafana creates all the IAM roles that are necessary to access AWS resources in other accounts in your AWS organization. In each account in the Organizational Units that you select, Amazon Managed Grafana creates a role called AmazonGrafanaOrgMemberRole-random-id. This role creation is performed through an integration with AWS CloudFormation StackSets.

This role will have a policy attached for each AWS data source that you select to use in the workspace. For the contents of these data policies, see Service-managed permissions for a single account .

Amazon Managed Grafana also creates a role called AmazonGrafanaOrgAdminRole-random-id in the organization's management account. This role allows the Amazon Managed Grafana workspace permission to access other accounts in the organization. AWS service notification channel policies will also get attached to this role. Use the AWS Data Source menu in your workspace to quickly provision data sources for each account that your workspace can access

To use this mode, you must enable AWS CloudFormation Stacksets as a trusted service in your AWS organization. For more information, see Enable trusted access with AWS Organizations.

Here is the content of the AmazonGrafanaStackSet-random-id stack set:

Parameters: IncludePrometheusPolicy: Description: Whether to include Amazon Prometheus access in the role Type: String AllowedValues: - true - false Default: false IncludeAESPolicy: Description: Whether to include Amazon Elasticsearch access in the role Type: String AllowedValues: - true - false Default: false IncludeCloudWatchPolicy: Description: Whether to include CloudWatch access in the role Type: String AllowedValues: - true - false Default: false IncludeTimestreamPolicy: Description: Whether to include Amazon Timestream access in the role Type: String AllowedValues: - true - false Default: false IncludeXrayPolicy: Description: Whether to include AWS X-Ray access in the role Type: String AllowedValues: - true - false Default: false IncludeSitewisePolicy: Description: Whether to include AWS IoT SiteWise access in the role Type: String AllowedValues: - true - false Default: false RoleName: Description: Name of the role to create Type: String AdminAccountId: Description: Account ID of the Amazon Grafana org admin Type: String Conditions: addPrometheus: !Equals [!Ref IncludePrometheusPolicy, true] addAES: !Equals [!Ref IncludeAESPolicy, true] addCloudWatch: !Equals [!Ref IncludeCloudWatchPolicy, true] addTimestream: !Equals [!Ref IncludeTimestreamPolicy, true] addXray: !Equals [!Ref IncludeXrayPolicy, true] addSitewise: !Equals [!Ref IncludeSitewisePolicy, true] Resources: PrometheusPolicy: Type: AWS::IAM::Policy Condition: addPrometheus Properties: Roles: - !Ref GrafanaMemberServiceRole PolicyName: AmazonGrafanaPrometheusPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - aps:QueryMetrics - aps:GetLabels - aps:GetSeries - aps:GetMetricMetadata - aps:ListWorkspaces - aps:DescribeWorkspace Resource: '*' AESPolicy: Type: AWS::IAM::Policy Condition: addAES Properties: Roles: - !Ref GrafanaMemberServiceRole PolicyName: AmazonGrafanaElasticsearchPolicy PolicyDocument: Version: '2012-10-17' Statement: - Sid: AllowReadingESDomains Effect: Allow Action: - es:ESHttpGet - es:ESHttpPost - es:ListDomainNames - es:DescribeElasticsearchDomains Resource: '*' CloudWatchPolicy: Type: AWS::IAM::Policy Condition: addCloudWatch Properties: Roles: - !Ref GrafanaMemberServiceRole PolicyName: AmazonGrafanaCloudWatchPolicy PolicyDocument: Version: '2012-10-17' Statement: - Sid: AllowReadingMetricsFromCloudWatch Effect: Allow Action: - cloudwatch:DescribeAlarmsForMetric - cloudwatch:DescribeAlarmHistory - cloudwatch:DescribeAlarms - cloudwatch:ListMetrics - cloudwatch:GetMetricStatistics - cloudwatch:GetMetricData Resource: "*" - Sid: AllowReadingLogsFromCloudWatch Effect: Allow Action: - logs:DescribeLogGroups - logs:GetLogGroupFields - logs:StartQuery - logs:StopQuery - logs:GetQueryResults - logs:GetLogEvents Resource: "*" - Sid: AllowReadingTagsInstancesRegionsFromEC2 Effect: Allow Action: - ec2:DescribeTags - ec2:DescribeInstances - ec2:DescribeRegions Resource: "*" - Sid: AllowReadingResourcesForTags Effect: Allow Action: - tag:GetResources Resource: "*" GrafanaMemberServiceRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref RoleName AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AdminAccountId}:root Action: - 'sts:AssumeRole' Path: /service-role/ ManagedPolicyArns: - !If [addTimestream, arn:aws:iam::aws:policy/AmazonTimestreamReadOnlyAccess, !Ref AWS::NoValue] - !If [addXray, arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess, !Ref AWS::NoValue] - !If [addSitewise, arn:aws:iam::aws:policy/AWSIoTSiteWiseReadOnlyAccess, !Ref AWS::NoValue]

Here is the content of AmazonGrafanaOrgAdminPolicy-random-id.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent" ], "Resource": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-organizationId" } } }, { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": "arn:aws:iam::*:role/service-role/AmazonGrafanaOrgMemberRole-random-Id" }] }

Customer-managed permissions

If you choose to use customer-managed permissions, you specify an existing IAM role in your account when you create an Amazon Managed Grafana workspace. The role must have a trust policy which trusts grafana.amazonaws.com.

The following is an example of such a policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "grafana.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

For that role to access AWS data sources or notification channels in that account, it must have the permissions in the policies listed earlier in this section. For example, to use the CloudWatch data source, it must have the permissions in the CloudWatch policy listed in Service-managed permissions for a single account .

The List and Describe permissions in the policies for Amazon OpenSearch Service and Amazon Managed Service for Prometheus shown in Service-managed permissions for a single account are only needed for the data source discovery and provisioning to work correctly. They aren’t needed if you just want to set up these data sources manually.

Cross-account access

When a workspace is created in account 111111111111, a role in account 1111111111111 must be supplied. For this example, we will call this role WorkspaceRole. To access data in account 999999999999, you must create a role in account 999999999999, which we will call DataSourceRole. You must then establish a trust relationship between WorkspaceRole and DataSourceRole. For more information about establishing trust between two roles, see IAM Tutorial: Delegate access across AWS accounts using IAM roles.

DataSourceRole needs to contain the policy statements listed earlier in this section for each data source that you want to use. After the trust relationship is established, you can specify the ARN of DataSourceRole (arn:aws:iam::999999999999:role:DataSourceRole) in the Assume Role ARN field on the data source configuration page of any AWS data source in your workspace. The data source will then access account 999999999999 with the permissions that are defined in DataSourceRole.