How Infrastructure Performance works with IAM
The following sections describe how Infrastructure Performance works with IAM.
Infrastructure Performance identity-based policies
With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Infrastructure Performance supports specific actions and resources. There are no Infrastructure Performance service-specific condition keys that can be used in the Condition element of policy statements. To learn about all of the elements that you use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.
Actions
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.
Include actions in a policy to grant permissions to perform the associated operation.
Infrastructure Performance shares its API namespace with Amazon EC2. Policy actions in Infrastructure Performance use the following prefix before the action: ec2:. For example, to grant someone permission to create a path with the GetAwsNetworkPerformanceData API operation, you include the ec2:GetAwsNetworkPerformanceData action in their policy. Policy statements must include either an Action or NotAction element.
To specify multiple actions in a single statement, separate them with commas as shown in the following example.
"Action": [ "ec2:action1", "ec2:action2" ]
You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Describe, include the following action.
"Action": "ec2:Describe*"
The following actions are supported by Infrastructure Performance:
- DescribeAwsNetworkPerformanceMetricSubscriptions
- DisableAwsNetworkPerformanceMetricSubscription
- EnableAwsNetworkPerformanceMetricSubscription
- GetAwsNetworkPerformanceData
Resources
Infrastructure Performance does not support resource-level permissions.
For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.
"Resource": "*"
Condition keys
The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. For example, you might want a policy to be applied only after a specific date. To express conditions, use predefined condition keys.
Infrastructure Performance does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.
All Amazon EC2 actions support the aws:RequestedRegion and ec2:Region condition keys. For more information, see Example: Restricting Access to a Specific Region.
The Condition element is optional.
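The following Python check is an added example, not part of the AWS documentation. It flags policy statements that cover the Infrastructure Performance actions listed above but name a specific resource or use a condition key other than the ones this page mentions. The sample policy, its Sid values and account ID are constructed; accepting any aws: key is an assumption, and NotAction is not evaluated.

```python
import fnmatch

# The four actions this page lists for Infrastructure Performance, with the ec2: prefix.
IP_ACTIONS = [
    "ec2:DescribeAwsNetworkPerformanceMetricSubscriptions",
    "ec2:DisableAwsNetworkPerformanceMetricSubscription",
    "ec2:EnableAwsNetworkPerformanceMetricSubscription",
    "ec2:GetAwsNetworkPerformanceData",
]

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def matched_actions(statement):
    """Infrastructure Performance actions covered by Action (case-insensitive, * and ?)."""
    patterns = [p.lower() for p in as_list(statement.get("Action"))]
    return [a for a in IP_ACTIONS if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def lint_policy(policy):
    """Return findings for statements that reference Infrastructure Performance actions."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for index, stmt in enumerate(statements):
        hits = matched_actions(stmt)
        if not hits:
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        # No resource-level permissions: the statement has to apply to all resources.
        if "*" not in as_list(stmt.get("Resource")):
            findings.append(f'{label}: Resource must be "*" for {", ".join(hits)}')
        # Assumption: any aws: global key plus ec2:Region is accepted; all else is flagged.
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if not (key.lower().startswith("aws:") or key.lower() == "ec2:region"):
                    findings.append(f"{label}: condition key {key} is outside aws:* and ec2:Region")
    return findings

# Constructed sample policy (not from the page): one sound statement, one flawed.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RegionScoped", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Sid": "BadScope", "Effect": "Allow", "Action": ["ec2:GetAwsNetworkPerformanceData"],
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/team": "net"}}},
]}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```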
Infrastructure Performance IAM roles
An IAM role is an entity within your AWS account that has specific permissions.
Using temporary credentials with Infrastructure Performance
You can use temporary credentials to sign in with federation, to assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.
Infrastructure Performance supports using temporary credentials.
Service-linked roles
Infrastructure Performance has no service-linked roles.
Service roles
Infrastructure Performance has no service roles.