
Identity-based policy examples for Amazon Managed Grafana

By default, IAM users and roles don't have permission to create or modify Amazon Managed Grafana resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need. The administrator must then attach those policies to the IAM users, groups, or roles that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Grafana resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started using AWS managed policies – To start using Grafana quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get started using permissions with AWS managed policies in the IAM User Guide.

  • Grant least privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant least privilege in the IAM User Guide.

  • Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

  • Use policy conditions for extra security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.
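The conditions described above can be exercised offline before a policy is deployed. The following is an added example, not code from the AWS documentation: a minimal Python evaluator for identity-based policies that understands the IpAddress, Bool and StringEquals condition operators, run against a constructed policy that restricts Grafana reads to a corporate IP range, gates workspace deletion on MFA, and denies any request that is not sent over TLS. The grafana: action names, the workspace ARN format, the account ID and the IP ranges are assumptions for illustration and are not taken from this page.

```python
"""Evaluate identity-based policy conditions against sample requests.

Added example, not code from the AWS documentation. Implements a small
subset of IAM evaluation: Action/Resource matching with * and ? wildcards,
the IpAddress, Bool and StringEquals operators, and the rule that an
explicit Deny beats any Allow while implicit deny is the default.
"""
import fnmatch
import ipaddress
import json

# Constructed policy. Assumption: the grafana: action names and the
# workspace ARN format follow the Amazon Managed Grafana service
# authorization reference; this page does not list them.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadFromCorpNetwork", "Effect": "Allow",
     "Action": ["grafana:ListWorkspaces", "grafana:DescribeWorkspace"],
     "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    {"Sid": "DeleteOnlyWithMfa", "Effect": "Allow",
     "Action": "grafana:DeleteWorkspace",
     "Resource": "arn:aws:grafana:us-east-1:111122223333:/workspaces/g-example1",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny",
     "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")
WORKSPACE = "arn:aws:grafana:us-east-1:111122223333:/workspaces/g-example1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator/key pair must hold (AND); values under one key are OR."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                # A missing key makes Bool/IpAddress evaluate false, so an
                # MFA-gated Allow never matches a request signed with a
                # long-term access key (the key is absent, not "false").
                return False
            wanted = [str(w) for w in _as_list(wanted)]
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w)
                         for w in wanted)
            elif operator == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif operator == "StringEquals":
                ok = actual in wanted
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p)
                   for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # a matching Deny ends evaluation
        decision = "allow"
    return decision


def demo():
    """Constructed request contexts; values are strings, as IAM sees them."""
    office = {"aws:SourceIp": "203.0.113.17", "aws:SecureTransport": "true"}
    home = {"aws:SourceIp": "198.51.100.5", "aws:SecureTransport": "true"}
    office_plain = {"aws:SourceIp": "203.0.113.17", "aws:SecureTransport": "false"}
    mfa_session = {"aws:MultiFactorAuthPresent": "true", "aws:SecureTransport": "true"}
    access_key = {"aws:SecureTransport": "true"}  # no MFA context key at all
    other_ws = WORKSPACE.replace("g-example1", "g-other")
    return {
        "list_from_office": evaluate(POLICY, "grafana:ListWorkspaces", "*", office),
        "list_from_home": evaluate(POLICY, "grafana:ListWorkspaces", "*", home),
        "list_over_plaintext": evaluate(POLICY, "grafana:ListWorkspaces", "*", office_plain),
        "delete_with_mfa": evaluate(POLICY, "grafana:DeleteWorkspace", WORKSPACE, mfa_session),
        "delete_with_access_key": evaluate(POLICY, "grafana:DeleteWorkspace", WORKSPACE, access_key),
        "delete_other_workspace": evaluate(POLICY, "grafana:DeleteWorkspace", other_ws, mfa_session),
    }
```

Call demo() to see the six decisions. Two points are worth noticing: the plaintext request is rejected as an explicit deny even though an Allow statement also matched it, and the access-key request for DeleteWorkspace is an implicit deny because the aws:MultiFactorAuthPresent key is simply absent from the request context, which is why gating sensitive operations on MFA with an Allow plus Bool condition is safe by default.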

Using the Grafana console

To access the console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy.

Sample policies for Amazon Managed Grafana

This section contains identity-based policies that are useful for several Amazon Managed Grafana scenarios.

Grafana administrator using SAML

If you use SAML for your user authentication, the administrator who creates and manages Amazon Managed Grafana needs the following policies:

  • AWSGrafanaAccountAdministrator or the equivalent permissions to create and manage Amazon Managed Grafana workspaces.

  • The AWSMarketplaceManageSubscriptions policy or equivalent permissions, if you want to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise.

Grafana administrator in a management account using AWS SSO

To grant an IAM user or an IAM role the permissions to create and manage Amazon Managed Grafana workspaces across an entire organization, and to enable dependencies such as AWS SSO, assign the AWSGrafanaAccountAdministrator, AWSSSOMasterAccountAdministrator and the AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.

If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions. These are required to use AWS CloudFormation StackSets to deploy policies that enable you to read data sources in the organization's accounts.

Important

Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user the equivalent of full administrative access to your AWS account. For example, a user with these permissions can create a role whose trust policy lets them assume it, create a policy that allows all actions on all resources, and attach that policy to the new role or to any existing role. Be very careful about who you grant these permissions to.

To see the permissions granted to AWSGrafanaAccountAdministrator, see AWS managed policy: AWSGrafanaAccountAdministrator.

Grafana administrator in a member account using AWS SSO

To grant permissions to create and manage Amazon Managed Grafana workspaces in the member account of an organization, assign the AWSGrafanaAccountAdministrator, AWSSSOMemberAccountAdministrator and the AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.

If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions. These are required to enable the user to read data sources in the account.

Important

Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user the equivalent of full administrative access to your AWS account. For example, a user with these permissions can create a role whose trust policy lets them assume it, create a policy that allows all actions on all resources, and attach that policy to the new role or to any existing role. Be very careful about who you grant these permissions to.

To see the permissions granted to AWSGrafanaAccountAdministrator, see AWS managed policy: AWSGrafanaAccountAdministrator.

Create and manage Amazon Managed Grafana workspaces and users in a single standalone account using AWS SSO

A standalone AWS account is an account that is not yet a member of an organization. For more information about organizations, see What is AWS Organizations?

To grant an IAM user or an IAM role permission to create and manage Amazon Managed Grafana workspaces and users in a standalone account, assign the AWSGrafanaAccountAdministrator, AWSSSOMasterAccountAdministrator, AWSOrganizationsFullAccess and AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.

Important

Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user the equivalent of full administrative access to your AWS account. For example, a user with these permissions can create a role whose trust policy lets them assume it, create a policy that allows all actions on all resources, and attach that policy to the new role or to any existing role. Be very careful about who you grant these permissions to.

To see the permissions granted to AWSGrafanaAccountAdministrator, see AWS managed policy: AWSGrafanaAccountAdministrator.
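The three administrator sections above repeat the same warning about iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy. As an added example, not part of the AWS documentation, the following Python check scans an identity-based policy document for that combination, expanding wildcards such as iam:Create* and honoring explicit Deny statements, so a reviewer can flag a workspace-creator policy before it is attached. The sample policies are constructed for illustration; the check only reads Action and Effect, so it is deliberately conservative and still flags a statement whose Resource or Condition narrows the grant.

```python
"""Flag policies that grant the iam:CreateRole, iam:CreatePolicy and
iam:AttachRolePolicy combination that the sections above warn about.

Added example, not AWS code. It reads only Action and Effect of each
statement: Resource and Condition scoping are ignored (conservative),
and statements written with NotAction are not examined (a known gap).
"""
import fnmatch
import json

ESCALATION_TRIO = ("iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trio_actions_granted(policy):
    """Return the subset of ESCALATION_TRIO that the policy allows.

    Wildcards such as iam:* or iam:Create* are expanded, and an explicit
    Deny on an action removes it, because Deny always wins in IAM.
    """
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = {a for a in ESCALATION_TRIO
                if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (denied if stmt["Effect"] == "Deny" else allowed).update(hits)
    return allowed - denied


def check_policy(policy):
    """Summarise the finding for one policy document."""
    granted = trio_actions_granted(policy)
    return {
        "granted": sorted(granted),
        "admin_equivalent": granted == set(ESCALATION_TRIO),
    }


# Constructed policies for the scenarios in this section.
WORKSPACE_CREATOR = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"],
     "Resource": "*"}
  ]
}
""")

WILDCARDED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Create*", "iam:AttachRolePolicy"],
     "Resource": "*"}
  ]
}
""")

WITH_DENY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:AttachRolePolicy", "Resource": "*"}
  ]
}
""")

READ_ONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["grafana:ListWorkspaces"], "Resource": "*"}
  ]
}
""")


if __name__ == "__main__":
    for name, pol in [("workspace creator", WORKSPACE_CREATOR),
                      ("wildcarded", WILDCARDED),
                      ("with deny", WITH_DENY),
                      ("read only", READ_ONLY)]:
        print(f"{name:18s} {check_policy(pol)}")
```

The wildcard case is the one most often missed in review: iam:Create* does not name iam:CreateRole or iam:CreatePolicy, but it grants both, so a reviewer who searches policy text for the literal action names will not see it.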

Assign and unassign users access to Amazon Managed Grafana

To grant permissions to an IAM user or an IAM role to manage other users' access to Amazon Managed Grafana workspaces in the account, including granting Grafana admin permissions to those users for the workspaces, assign the AWSGrafanaWorkspacePermissionManagement policy to that user or role. If you are using AWS SSO to manage users in this workspace, the user also needs the AWSSSOReadOnly and AWSSSODirectoryReadOnly policies.

To see the permissions granted to AWSGrafanaWorkspacePermissionManagement, see AWS managed policy: AWSGrafanaWorkspacePermissionManagement.

Amazon Managed Grafana read-only permissions

To grant an IAM user or IAM role the permissions for read actions, such as listing and viewing workspaces and opening the Grafana workspace console, assign the AWSGrafanaConsoleReadOnlyAccess, AWSSSOReadOnly and AWSSSODirectoryReadOnly policies to that IAM user or IAM role.

To see the permissions granted to AWSGrafanaConsoleReadOnlyAccess, see AWS managed policy: AWSGrafanaConsoleReadOnlyAccess.