Service-linked role permissions for AWS IoT SiteWise - AWS IoT SiteWise

Service-linked role permissions for AWS IoT SiteWise

AWS IoT SiteWise uses the service-linked role named AWSServiceRoleForIoTSiteWise. AWS IoT SiteWise assumes this role to deploy SiteWise Edge gateways (which run on AWS IoT Greengrass), to write gateway logs to CloudWatch Logs, and to run metadata search queries against AWS IoT TwinMaker workspaces that are linked to AWS IoT SiteWise.

The AWSServiceRoleForIoTSiteWise service-linked role uses the AWS managed policy named AWSServiceRoleForIoTSiteWise, which grants the following permissions. This policy:

  • Allows AWS IoT SiteWise to deploy SiteWise Edge gateways (which run on AWS IoT Greengrass).

  • Allows AWS IoT SiteWise to perform logging.

  • Allows AWS IoT SiteWise to run a metadata search query (iottwinmaker:ExecuteQuery) against an AWS IoT TwinMaker workspace that is linked to AWS IoT SiteWise.

For more information on the allowed actions in AWSServiceRoleForIoTSiteWise, see AWS managed policies for AWS IoT SiteWise.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSiteWiseReadGreenGrass",
            "Effect": "Allow",
            "Action": [
                "greengrass:GetAssociatedRole",
                "greengrass:GetCoreDefinition",
                "greengrass:GetCoreDefinitionVersion",
                "greengrass:GetGroup",
                "greengrass:GetGroupVersion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSiteWiseAccessLogGroup",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*"
        },
        {
            "Sid": "AllowSiteWiseAccessLog",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
        },
        {
            "Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
            "Effect": "Allow",
            "Action": [
                "iottwinmaker:GetWorkspace",
                "iottwinmaker:ExecuteQuery"
            ],
            "Resource": "arn:aws:iottwinmaker:*:*:workspace/*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iottwinmaker:linkedServices": [
                        "IOTSITEWISE"
                    ]
                }
            }
        }
    ]
}

Note how each statement is scoped. The AWS IoT Greengrass statement grants only read-only Get* actions, but on Resource "*", so the role can read any Greengrass group or core definition in the account. The two CloudWatch Logs statements are limited to log groups whose names begin with /aws/iotsitewise (and the log streams within them), so the role cannot write to other log groups. The AWS IoT TwinMaker statement applies only to workspaces whose iottwinmaker:linkedServices condition key includes IOTSITEWISE; a workspace that is not linked to AWS IoT SiteWise is not readable or queryable by this role.

You can use the logs to monitor and troubleshoot your SiteWise Edge gateways. For more information, see Monitoring SiteWise Edge gateway logs.

To allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role, you must first grant that entity the corresponding IAM permissions. For more information, see Service-linked role permissions in the IAM User Guide.
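The following is an added example, not code from this page or from AWS: a small policy evaluator that answers "what can this role actually do?" for the AWSServiceRoleForIoTSiteWise policy shown above, and for the caller-side permission the previous paragraph refers to. The evaluator is deliberately simplified (it models only Allow statements, IAM wildcard matching on actions and resources, and the StringEquals and ForAnyValue:StringEquals condition operators; explicit Deny, NotAction, NotResource and cross-policy evaluation are not modelled). The SLR_ADMIN_POLICY, its Sid, the account ID 123456789012, and the resource ARNs in the demo are constructed for illustration; the policy pins the iam:AWSServiceName condition key to iotsitewise.amazonaws.com, which is assumed here to be the AWS IoT SiteWise service principal.

```python
import re

# The AWSServiceRoleForIoTSiteWise managed policy, as shown on this page.
SITEWISE_SLR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSiteWiseReadGreenGrass", "Effect": "Allow",
         "Action": ["greengrass:GetAssociatedRole", "greengrass:GetCoreDefinition",
                    "greengrass:GetCoreDefinitionVersion", "greengrass:GetGroup",
                    "greengrass:GetGroupVersion"],
         "Resource": "*"},
        {"Sid": "AllowSiteWiseAccessLogGroup", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:DescribeLogGroups"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*"},
        {"Sid": "AllowSiteWiseAccessLog", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"},
        {"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker", "Effect": "Allow",
         "Action": ["iottwinmaker:GetWorkspace", "iottwinmaker:ExecuteQuery"],
         "Resource": "arn:aws:iottwinmaker:*:*:workspace/*",
         "Condition": {"ForAnyValue:StringEquals": {"iottwinmaker:linkedServices": ["IOTSITEWISE"]}}},
    ],
}

# Assumed caller-side policy (not from this page): lets a principal create only the
# AWS IoT SiteWise service-linked role by pinning the iam:AWSServiceName condition key.
SLR_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CreateSiteWiseSlrOnly", "Effect": "Allow",
                   "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
                   "Condition": {"StringEquals": {"iam:AWSServiceName": "iotsitewise.amazonaws.com"}}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' is exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _condition_ok(condition, context):
    """Only the two operators these policies use are modelled (assumption).
    A key absent from the request context fails the condition, as in IAM."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have, wanted = _as_list(context.get(key, [])), _as_list(wanted)
            if operator == "StringEquals":          # single-valued key
                if len(have) != 1 or have[0] not in wanted:
                    return False
            elif operator == "ForAnyValue:StringEquals":  # multi-valued key
                if not any(v in wanted for v in have):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and condition context.
    Simplified on purpose: no explicit Deny, NotAction/NotResource or cross-policy logic."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True
    return False


def unscoped_statements(policy):
    """Sids of statements whose Resource is a bare '*': review these first."""
    return [s["Sid"] for s in policy["Statement"] if "*" in _as_list(s["Resource"])]


if __name__ == "__main__":
    acct = "123456789012"  # constructed sample account ID
    stream = f"arn:aws:logs:us-east-1:{acct}:log-group:/aws/iotsitewise/gateway:log-stream:core-1"
    ws = f"arn:aws:iottwinmaker:us-east-1:{acct}:workspace/plant"
    group = f"arn:aws:greengrass:us-east-1:{acct}:/greengrass/groups/g1"
    for action, resource, ctx in [
        ("logs:PutLogEvents", stream, {}),
        ("logs:PutLogEvents", stream.replace("/aws/iotsitewise", "/aws/lambda"), {}),
        ("greengrass:GetGroup", group, {}),
        ("greengrass:CreateGroup", group, {}),
        ("iottwinmaker:ExecuteQuery", ws, {"iottwinmaker:linkedServices": ["IOTSITEWISE"]}),
        ("iottwinmaker:ExecuteQuery", ws, {}),
    ]:
        verdict = "ALLOW" if is_allowed(SITEWISE_SLR_POLICY, action, resource, ctx) else "deny"
        print(f"{action:28} {verdict:5} {resource}")
    print("Resource '*' statements:", unscoped_statements(SITEWISE_SLR_POLICY))
```

Running the block shows the effect of the scoping discussed above: PutLogEvents succeeds only under /aws/iotsitewise log groups, the Greengrass Get* calls succeed on any resource while CreateGroup does not, and ExecuteQuery succeeds only when the request context carries iottwinmaker:linkedServices = IOTSITEWISE. The same is_allowed function applied to SLR_ADMIN_POLICY shows that the principal can create the AWS IoT SiteWise service-linked role but not one for a different service, and that a request with no iam:AWSServiceName key is refused.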