IAM permissions and policies - Amazon Managed Service for Prometheus

IAM permissions and policies

Access to Amazon Managed Service for Prometheus actions and data requires credentials. Those credentials must have permissions to perform the actions and to access the AWS resources, such as retrieving AMP data about your cloud resources. The following sections provide details about how you can use AWS Identity and Access Management (IAM) and AMP to help secure your resources, by controlling who can access them. For more information, see Policies and permissions in IAM.

AMP permissions

The following table displays possible AMP actions and their required permissions:

Action Required permission

Create an AMP workspace. A workspace is the conceptual location where you import, store, and work with your Prometheus metrics, isolated from other AMP workspaces.


Delete an AMP workspace.


Retrieve detailed information about an AMP workspace.


Retrieve labels.


Retrieve metadata for AMP metrics.


Retrieve time series data.


Retrieve a list of the AMP workspaces that exist in the account.


Run a query on AMP metrics.


Perform a remote write operation to initiate the streaming of metrics from a Prometheus server to AMP.


Modify the aliases of existing workspaces.


Built-in AWS-managed policies

AWS provides several built-in, AWS-managed policies for AMP.


This policy provides full access to all AMP actions and resources.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aps:*" ], "Effect": "Allow", "Resource": "*" } ] }


This policy provides access to all AMP console actions.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aps:CreateWorkspace", "aps:DescribeWorkspace", "aps:UpdateWorkspaceAlias", "aps:DeleteWorkspace", "aps:ListWorkspaces" ], "Effect": "Allow", "Resource": "*" } ] }


This policy provides access to query the metrics stored in all AMP workspaces in the account.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aps:GetLabels", "aps:GetMetricMetadata", "aps:GetSeries", "aps:QueryMetrics" ], "Effect": "Allow", "Resource": "*" } ] }


This policy provides permissiont to remote write metrics into all AMP workspaces in the account.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aps:RemoteWrite" ], "Effect": "Allow", "Resource": "*" } ] }

Sample IAM policies

This section provides examples of other self-managed policies that you can create.

The following IAM policy grants full access to AMP and also enables a user to discover Amazon EKS clusters and see the details about them.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aps:*", "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ] }