IAM permissions and policies - Amazon Managed Service for Prometheus

IAM permissions and policies

Access to Amazon Managed Service for Prometheus actions and data requires credentials. Those credentials must have permissions to perform the actions and to access the AWS resources, such as retrieving AMP data about your cloud resources. The following sections provide details about how you can use AWS Identity and Access Management (IAM) and AMP to help secure your resources, by controlling who can access them. For more information, see Policies and permissions in IAM.

AMP permissions

The following table displays possible AMP actions and their required permissions:

Action | Required permission
Create an AMP workspace. A workspace is the conceptual location where you import, store, and work with your Prometheus metrics, isolated from other AMP workspaces. | aps:CreateWorkspace
Delete an AMP workspace. | aps:DeleteWorkspace
Retrieve detailed information about an AMP workspace. | aps:DescribeWorkspace
Retrieve labels. | aps:GetLabels
Retrieve metadata for AMP metrics. | aps:GetMetricMetadata
Retrieve time series data. | aps:GetSeries
Retrieve a list of the AMP workspaces that exist in the account. | aps:ListWorkspaces
Run a query on AMP metrics. | aps:QueryMetrics
Perform a remote write operation to initiate the streaming of metrics from a Prometheus server to AMP. | aps:RemoteWrite
Modify the aliases of existing workspaces. | aps:UpdateWorkspaceAlias

Built-in AWS-managed policies

AWS provides several built-in, AWS-managed policies for AMP.

AmazonPrometheusFullAccess

This policy provides full access to all AMP actions and resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aps:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AmazonPrometheusConsoleFullAccess

This policy provides access to all AMP console actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aps:CreateWorkspace",
                "aps:DescribeWorkspace",
                "aps:UpdateWorkspaceAlias",
                "aps:DeleteWorkspace",
                "aps:ListWorkspaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AmazonPrometheusQueryAccess

This policy provides access to query the metrics stored in all AMP workspaces in the account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aps:GetLabels",
                "aps:GetMetricMetadata",
                "aps:GetSeries",
                "aps:QueryMetrics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AmazonPrometheusRemoteWriteAccess

This policy provides permission to remote write metrics into all AMP workspaces in the account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aps:RemoteWrite"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Sample IAM policies

This section provides examples of other self-managed policies that you can create.

The following IAM policy grants full access to AMP and also enables a user to discover Amazon EKS clusters and see the details about them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aps:*",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
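The following Python script is an added example and is not AWS code or part of this documentation. It encodes the AMP actions from the permissions table and the managed policies shown above, then applies a simplified model of IAM identity-policy evaluation (wildcards "*" and "?", case-insensitive action names, an explicit Deny overriding any Allow; Condition, NotAction and NotResource are not modelled) to show which table actions each policy grants, and why a self-managed policy scoped to a single workspace resource is tighter than the managed policies' "Resource": "*". The workspace ARNs are constructed placeholders, and the ARN format arn:aws:aps:<region>:<account>:workspace/<workspace-id> is an assumption not stated on this page.

```python
import json
import re

# AMP actions listed in the permissions table on this page.
AMP_ACTIONS = [
    "aps:CreateWorkspace", "aps:DeleteWorkspace", "aps:DescribeWorkspace",
    "aps:GetLabels", "aps:GetMetricMetadata", "aps:GetSeries",
    "aps:ListWorkspaces", "aps:QueryMetrics", "aps:RemoteWrite",
    "aps:UpdateWorkspaceAlias",
]

# The AWS-managed policies quoted on this page, as Python dicts.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Action": ["aps:*"], "Effect": "Allow", "Resource": "*"}]}
CONSOLE_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Action": ["aps:CreateWorkspace", "aps:DescribeWorkspace", "aps:UpdateWorkspaceAlias",
                "aps:DeleteWorkspace", "aps:ListWorkspaces"],
     "Effect": "Allow", "Resource": "*"}]}
QUERY_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Action": ["aps:GetLabels", "aps:GetMetricMetadata", "aps:GetSeries", "aps:QueryMetrics"],
     "Effect": "Allow", "Resource": "*"}]}

# Constructed workspace ARNs. The format arn:aws:aps:<region>:<account>:workspace/<id> is
# an assumption; region, account id and workspace ids below are placeholders.
WS_PROD = "arn:aws:aps:us-east-1:111122223333:workspace/ws-prod-placeholder"
WS_DEV = "arn:aws:aps:us-east-1:111122223333:workspace/ws-dev-placeholder"

# Constructed least-privilege alternative to AmazonPrometheusRemoteWriteAccess:
# the same single action, but scoped to one workspace instead of "*".
SCOPED_REMOTE_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aps:RemoteWrite", "Resource": WS_PROD}]}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _wildcard_to_regex(pattern, ignore_case):
    """Translate IAM wildcards ('*' = any run, '?' = one char) into a regex.
    Every other character, brackets included, is literal (unlike fnmatch)."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE if ignore_case else 0)


def action_matches(pattern, action):
    """Action names are matched case-insensitively, as IAM does."""
    return _wildcard_to_regex(pattern, ignore_case=True).match(action) is not None


def resource_matches(pattern, arn):
    """Resource ARNs are compared case-sensitively in this model."""
    return _wildcard_to_regex(pattern, ignore_case=False).match(arn) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins; otherwise any
    matching Allow grants. Statements using Condition/NotAction/NotResource are skipped."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt or "Condition" in stmt:
            continue
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def allowed_actions(policy, resource):
    """Which of the page's AMP actions does this policy grant on the given workspace ARN?"""
    return {a for a in AMP_ACTIONS if is_allowed(policy, a, resource)}


def broad_statements(policy):
    """Flag Allow statements that pair a wildcard action with Resource '*': the
    pattern to tighten when replacing a managed policy with a self-managed one."""
    flagged = []
    for stmt in policy["Statement"]:
        wide_action = any("*" in p for p in _as_list(stmt.get("Action")))
        wide_resource = "*" in _as_list(stmt.get("Resource"))
        if stmt.get("Effect") == "Allow" and wide_action and wide_resource:
            flagged.append(stmt)
    return flagged


if __name__ == "__main__":
    for name, pol in [("AmazonPrometheusFullAccess", FULL_ACCESS),
                      ("AmazonPrometheusConsoleFullAccess", CONSOLE_ACCESS),
                      ("AmazonPrometheusQueryAccess", QUERY_ACCESS),
                      ("ScopedRemoteWrite (constructed)", SCOPED_REMOTE_WRITE)]:
        print(f"{name}: {sorted(allowed_actions(pol, WS_PROD))}")
        print(f"  broad statements: {json.dumps(broad_statements(pol))}")
    print("ScopedRemoteWrite on the dev workspace:",
          is_allowed(SCOPED_REMOTE_WRITE, "aps:RemoteWrite", WS_DEV))
```

The evaluator is deliberately narrower than IAM (no conditions, no permission boundaries, no resource or SCP policies), so treat it as a way to reason about the policy documents on this page, not as a substitute for the IAM policy simulator. The useful comparison is the last line: the managed remote-write policy lets a scraper write into every workspace in the account, while the scoped version returns False for any workspace other than the one named.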