AWS managed policies for Amazon Managed Grafana - Amazon Managed Grafana

AWS managed policies for Amazon Managed Grafana

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AWSGrafanaAccountAdministrator

The AWSGrafanaAccountAdministrator policy provides access within Amazon Managed Grafana to create and manage accounts and workspaces for the entire organization.

You can attach AWSGrafanaAccountAdministrator to your IAM entities.

Permissions details

This policy includes the following permissions.

  • iam – Allows principals to list and get IAM roles so that the administrator can associate a role with a workspace, and to pass roles to the Amazon Managed Grafana service (the iam:PassRole grant is restricted by the iam:PassedToService condition to grafana.amazonaws.com).

  • Amazon Managed Grafana – Allows principals read and write access to all Amazon Managed Grafana APIs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSGrafanaOrganizationAdmin",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GrafanaIAMGetRolePermission",
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "AWSGrafanaPermissions",
      "Effect": "Allow",
      "Action": [
        "grafana:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GrafanaIAMPassRolePermission",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "grafana.amazonaws.com"
        }
      }
    }
  ]
}

AWS managed policy: AWSGrafanaWorkspacePermissionManagement

The AWSGrafanaWorkspacePermissionManagement policy provides only the ability to update user and group permissions for Amazon Managed Grafana workspaces.

You can attach AWSGrafanaWorkspacePermissionManagement to your IAM entities.

Permissions details

This policy includes the following permission.

  • Amazon Managed Grafana – Allows principals to read and update user and group permissions for Amazon Managed Grafana workspaces.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSGrafanaPermissions",
      "Effect": "Allow",
      "Action": [
        "grafana:DescribeWorkspace",
        "grafana:DescribeWorkspaceAuthentication",
        "grafana:UpdatePermissions",
        "grafana:ListPermissions",
        "grafana:ListWorkspaces"
      ],
      "Resource": "arn:aws:grafana:*:*:/workspaces*"
    }
  ]
}

AWS managed policy: AWSGrafanaConsoleReadOnlyAccess

The AWSGrafanaConsoleReadOnlyAccess policy grants access to read-only operations in Amazon Managed Grafana.

You can attach AWSGrafanaConsoleReadOnlyAccess to your IAM entities.

Permissions details

This policy includes the following permission.

  • Amazon Managed Grafana – Allows principals read-only access to Amazon Managed Grafana APIs (every grafana:Describe* and grafana:List* action).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSGrafanaConsoleReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "grafana:Describe*",
        "grafana:List*"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AmazonGrafanaRedshiftAccess

This policy grants scoped access to Amazon Redshift and the dependencies needed to use the Amazon Redshift plugin in Amazon Managed Grafana. The AmazonGrafanaRedshiftAccess policy allows an IAM user or an IAM role to use the Amazon Redshift data source plugin in Grafana. Temporary credentials for Amazon Redshift databases are scoped to the database user redshift_data_api_user, and credentials from Secrets Manager can be retrieved only if the secret is tagged with the key RedshiftQueryOwner. This policy allows access to Amazon Redshift clusters tagged with GrafanaDataSource: true. When you write a customer managed policy instead, the tag-based condition is optional.

You can attach AmazonGrafanaRedshiftAccess to your IAM entities. Amazon Managed Grafana also attaches this policy to a service role that allows Amazon Managed Grafana to perform actions on your behalf.

Permissions details

This policy includes the following permissions.

  • Amazon Redshift – Allows principals to describe clusters and obtain temporary credentials for a database user named redshift_data_api_user.

  • Amazon Redshift Data API (redshift-data) – Allows principals to execute queries on clusters tagged as GrafanaDataSource.

  • Secrets Manager – Allows principals to list secrets and read secret values for secrets tagged as RedshiftQueryOwner.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift-data:GetStatementResult",
        "redshift-data:DescribeStatement",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:DescribeTable",
        "redshift-data:ExecuteStatement",
        "redshift-data:ListTables",
        "redshift-data:ListSchemas"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/GrafanaDataSource": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:*:*:dbname:*/*",
        "arn:aws:redshift:*:*:dbuser:*/redshift_data_api_user"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "secretsmanager:ResourceTag/RedshiftQueryOwner": "false"
        }
      }
    }
  ]
}
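To see how the conditions in these policies actually behave, here is a small added evaluator (not AWS code and not the IAM policy engine; it implements only the Null and StringLike operators that appear on this page and only Allow statements) applied to the iam:PassRole statement from AWSGrafanaAccountAdministrator and the Data API statement from AmazonGrafanaRedshiftAccess. The role ARN, cluster ARN, tag values and request-context keys used in the checks are constructed for the example.

```python
import fnmatch

# Two statements copied from the managed policies on this page.
REDSHIFT_DATA_STATEMENT = {
    "Effect": "Allow",
    "Action": ["redshift-data:DescribeTable", "redshift-data:ExecuteStatement",
               "redshift-data:ListTables", "redshift-data:ListSchemas"],
    "Resource": "*",
    "Condition": {"Null": {"aws:ResourceTag/GrafanaDataSource": "false"}},
}
PASSROLE_STATEMENT = {
    "Sid": "GrafanaIAMPassRolePermission",
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::*:role/*",
    "Condition": {"StringLike": {"iam:PassedToService": "grafana.amazonaws.com"}},
}


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Simplified evaluation of the operators used on this page: Null and StringLike."""
    for operator, checks in condition.items():
        for key, expected in checks.items():
            present = key in context
            if operator == "Null":
                # "Null": "false" requires the key to be PRESENT (with any value);
                # "Null": "true" requires it to be absent. The value is never compared.
                if present != (expected == "false"):
                    return False
            elif operator == "StringLike":
                # StringLike supports * and ? wildcards; fnmatch covers that here.
                if not present or not any(fnmatch.fnmatchcase(context[key], p) for p in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def statement_allows(statement, action, resource, context):
    """True if one Allow statement matches the action, resource ARN and request context."""
    if statement.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    return _condition_matches(statement.get("Condition", {}), context)
```

The Null check shows why the page's "tagged with GrafanaDataSource: true" wording should be read carefully: the condition only requires the tag key to exist, so a cluster tagged GrafanaDataSource with any value satisfies it, and tag-writing permissions on Redshift clusters effectively become data-access permissions.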

AWS managed policy: AmazonGrafanaAthenaAccess

This policy grants access to Athena and the dependencies needed to enable querying and writing results to Amazon S3 from the Athena plugin in Amazon Managed Grafana. The AmazonGrafanaAthenaAccess policy allows an IAM user or an IAM role to use the Athena data source plugin in Grafana. Athena workgroups must be tagged with GrafanaDataSource: true to be accessible. This policy contains permissions for writing query results to an Amazon S3 bucket whose name is prefixed with grafana-athena-query-results-. Amazon S3 permissions for accessing the underlying data source of an Athena query are not included in this policy.

You can attach the AmazonGrafanaAthenaAccess policy to your IAM entities. Amazon Managed Grafana also attaches this policy to a service role that allows Amazon Managed Grafana to perform actions on your behalf.

Permissions details

This policy includes the following permissions.

  • Athena – Allows principals to run queries on Athena resources in workgroups tagged as GrafanaDataSource.

  • Amazon S3 – Allows principals to read and write query results to a bucket prefixed with grafana-athena-query-results-.

  • AWS Glue – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:GetDatabase",
        "athena:GetDataCatalog",
        "athena:GetTableMetadata",
        "athena:ListDatabases",
        "athena:ListDataCatalogs",
        "athena:ListTableMetadata",
        "athena:ListWorkGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetWorkGroup",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/GrafanaDataSource": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": [
        "arn:aws:s3:::grafana-athena-query-results-*"
      ]
    }
  ]
}

Amazon Managed Grafana updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Managed Grafana since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Managed Grafana document history page.

Change: AmazonGrafanaServiceLinkedRolePolicy – New SLR policy
Description: Amazon Managed Grafana added a new policy for the Grafana service-linked role, AmazonGrafanaServiceLinkedRolePolicy.
Date: November 18, 2022

Change: AWSGrafanaAccountAdministrator, AWSGrafanaConsoleReadOnlyAccess
Description: Allow access to all Amazon Managed Grafana resources.
Date: February 17, 2022

Change: AmazonGrafanaRedshiftAccess – New policy
Description: Amazon Managed Grafana added a new policy, AmazonGrafanaRedshiftAccess.
Date: November 26, 2021

Change: AmazonGrafanaAthenaAccess – New policy
Description: Amazon Managed Grafana added a new policy, AmazonGrafanaAthenaAccess.
Date: November 22, 2021

Change: AWSGrafanaAccountAdministrator – Update to an existing policy
Description: Grafana removed permissions from AWSGrafanaAccountAdministrator. The iam:CreateServiceLinkedRole permission scoped to the sso.amazonaws.com service was removed; instead, we recommend that you attach the AWSSSOMasterAccountAdministrator policy to grant this permission to a user.
Date: October 13, 2021

Change: AWSGrafanaWorkspacePermissionManagement – Update to an existing policy
Description: Grafana added new permissions to AWSGrafanaWorkspacePermissionManagement so that users with this policy can see the authentication methods associated with workspaces. The grafana:DescribeWorkspaceAuthentication permission was added.
Date: September 21, 2021

Change: AWSGrafanaConsoleReadOnlyAccess – Update to an existing policy
Description: Grafana added new permissions to AWSGrafanaConsoleReadOnlyAccess so that users with this policy can see the authentication methods associated with workspaces. The grafana:Describe* and grafana:List* permissions were added to the policy, replacing the previous narrower permissions grafana:DescribeWorkspace, grafana:ListPermissions, and grafana:ListWorkspaces.
Date: September 21, 2021

Change: Amazon Managed Grafana started tracking changes
Description: Amazon Managed Grafana started tracking changes for its AWS managed policies.
Date: September 9, 2021