AmazonPrometheusFullAccess AmazonPrometheusConsoleFullAccess AmazonPrometheusRemoteWriteAccess AmazonPrometheusQueryAccess AmazonPrometheusScraperServiceRolePolicy Policy updates

AWS managed policies for Amazon Managed Service for Prometheus

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AmazonPrometheusFullAccess

You can attach the AmazonPrometheusFullAccess policy to your IAM identities.

Permissions details

This policy includes the following permissions.

aps – Allows full access to Amazon Managed Service for Prometheus
eks – Allows the Amazon Managed Service for Prometheus service to read information about your Amazon EKS clusters. This is required to allow creating managed scrapers and discover metrics in your cluster.
ec2 – Allows the Amazon Managed Service for Prometheus service to read information about your Amazon EC2 networks. This is required to allow creating managed scrapers with access to your Amazon EKS metrics.
iam – Allows principals to create a service-linked role for managed metric scrapers.

The contents of AmazonPrometheusFullAccess are as follows:


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllPrometheusActions",
			"Effect": "Allow",
			"Action": [
				"aps:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "DescribeCluster",
			"Effect": "Allow",
			"Action": [
				"eks:DescribeCluster",
				"ec2:DescribeSubnets",
				"ec2:DescribeSecurityGroups"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"aps.amazonaws.com"
					]
				}
			},
			"Resource": "*"
		},
		{
			"Sid": "CreateServiceLinkedRole",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*",
			"Condition": {
				"StringEquals": {
					"iam:AWSServiceName": "scraper.aps.amazonaws.com"
				}
			}
		}
	]
}

AmazonPrometheusConsoleFullAccess

You can attach the AmazonPrometheusConsoleFullAccess policy to your IAM identities.

Permissions details

This policy includes the following permissions.

aps – Allows full access to Amazon Managed Service for Prometheus
tag – Allows principals to see tag suggestions in the Amazon Managed Service for Prometheus console.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "TagSuggestions",
			"Effect": "Allow",
			"Action": [
				"tag:GetTagValues",
				"tag:GetTagKeys"
			],
			"Resource": "*"
		},
		{
			"Sid": "PrometheusConsoleActions",
			"Effect": "Allow",
			"Action": [
				"aps:CreateWorkspace",
				"aps:DescribeWorkspace",
				"aps:UpdateWorkspaceAlias",
				"aps:DeleteWorkspace",
				"aps:ListWorkspaces",
				"aps:DescribeAlertManagerDefinition",
				"aps:DescribeRuleGroupsNamespace",
				"aps:CreateAlertManagerDefinition",
				"aps:CreateRuleGroupsNamespace",
				"aps:DeleteAlertManagerDefinition",
				"aps:DeleteRuleGroupsNamespace",
				"aps:ListRuleGroupsNamespaces",
				"aps:PutAlertManagerDefinition",
				"aps:PutRuleGroupsNamespace",
				"aps:TagResource",
				"aps:UntagResource",
				"aps:CreateLoggingConfiguration",
				"aps:UpdateLoggingConfiguration",
				"aps:DeleteLoggingConfiguration",
				"aps:DescribeLoggingConfiguration"
			],
			"Resource": "*"
		}
	]
}

AmazonPrometheusRemoteWriteAccess

The contents of AmazonPrometheusRemoteWriteAccess are as follows:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aps:RemoteWrite"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AmazonPrometheusQueryAccess

The contents of AmazonPrometheusQueryAccess are as follows:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aps:GetLabels",
                "aps:GetMetricMetadata",
                "aps:GetSeries",
                "aps:QueryMetrics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonPrometheusScraperServiceRolePolicy

You can't attach AmazonPrometheusScraperServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Managed Service for Prometheus to perform actions on your behalf. For more information, see Using roles for scraping metrics from EKS.

This policy grants contributor permissions that allow reading from your Amazon EKS cluster and writing to your Amazon Managed Service for Prometheus workspace.

Note

This user guide previously erroneously called this policy AmazonPrometheusScraperServiceLinkedRolePolicy

Permissions details

This policy includes the following permissions.

aps – Allows the service principal to write metrics to your Amazon Managed Service for Prometheus workspaces.
ec2 – Allows the service principal to read and modify network configuration to connect to the network that contains your Amazon EKS clusters.
eks – Allows the service principal to access your Amazon EKS clusters. This is required so that it can automatically scrape metrics. Also allows the principal to clean up Amazon EKS resources when a scraper is removed.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DeleteSLR",
			"Effect": "Allow",
			"Action": [
				"iam:DeleteRole"
			],
			"Resource": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*"
		},
		{
			"Sid": "NetworkDiscovery",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeSubnets",
				"ec2:DescribeSecurityGroups"
			],
			"Resource": "*"
		},
		{
			"Sid": "ENIManagement",
			"Effect": "Allow",
			"Action": "ec2:CreateNetworkInterface",
			"Resource": "*",
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"AMPAgentlessScraper"
					]
				}
			}
		},
		{
			"Sid": "TagManagement",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": "CreateNetworkInterface"
				},
				"Null": {
					"aws:RequestTag/AMPAgentlessScraper": "false"
				}
			}
		},
		{
			"Sid": "ENIUpdating",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteNetworkInterface",
				"ec2:ModifyNetworkInterfaceAttribute"
			],
			"Resource": "*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AMPAgentlessScraper": "false"
				}
			}
		},
		{
			"Sid": "EKSAccess",
			"Effect": "Allow",
			"Action": "eks:DescribeCluster",
			"Resource": "arn:aws:eks:*:*:cluster/*"
		},
		{
			"Sid": "DeleteEKSAccessEntry",
			"Effect": "Allow",
			"Action": "eks:DeleteAccessEntry",
			"Resource": "arn:aws:eks:*:*:access-entry/*/role/*",
			"Condition": {
				"StringEquals": {
					"aws:PrincipalAccount": "${aws:ResourceAccount}"
				},
				"ArnLike": {
					"eks:principalArn": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*"
				}
			}
		},
		{
			"Sid": "APSWriting",
			"Effect": "Allow",
			"Action": "aps:RemoteWrite",
			"Resource": "arn:aws:aps:*:*:workspace/*",
			"Condition": {
				"StringEquals": {
					"aws:PrincipalAccount": "${aws:ResourceAccount}"
				}
			}
		}
	]
}

Amazon Managed Service for Prometheus updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Managed Service for Prometheus since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Managed Service for Prometheus Document history page.

Change	Description	Date
AmazonPrometheusScraperServiceRolePolicy – Update to an existing policy	Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusScraperServiceRolePolicy to support using access entries in Amazon EKS. Includes permissions for managing Amazon EKS access entries to allow cleaning up resources when scrapers are deleted. Note The user guide previously erroneously called this policy `AmazonPrometheusScraperServiceLinkedRolePolicy`	May 2, 2024
AmazonPrometheusFullAccess – Update to an existing policy	Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusFullAccess to support creating managed scrapers for metrics in Amazon EKS clusters. Includes permissions for connecting to Amazon EKS clusters, reading Amazon EC2 networks, and creating a service-linked role for scrapers.	November 26, 2023
AmazonPrometheusScraperServiceLinkedRolePolicy – New policy	Amazon Managed Service for Prometheus added a new service-linked role policy to read from Amazon EKS containers, to allow automatic scraping of metrics. Includes permissions for connecting to Amazon EKS clusters, reading Amazon EC2 networks, and creating and deleting networks tagged as `AMPAgentlessScraper`, as well as for writing to Amazon Managed Service for Prometheus workspaces.	November 26, 2023
AmazonPrometheusConsoleFullAccess – Update to an existing policy	Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusConsoleFullAccess to support logging alert manager and ruler events in CloudWatch Logs. The `aps:CreateLoggingConfiguration`, `aps:UpdateLoggingConfiguration`, `aps:DeleteLoggingConfiguration`, `aps:DescribeLoggingConfiguration` permissions were added.	October 24, 2022
AmazonPrometheusConsoleFullAccess – Update to an existing policy	Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusConsoleFullAccess to support new Amazon Managed Service for Prometheus features and so that users with this policy can see a list of tag suggestions when they apply tags to Amazon Managed Service for Prometheus resources. The `tag:GetTagKeys`, `tag:GetTagValues`, `aps:CreateAlertManagerDefinition`, `aps:CreateRuleGroupsNamespace`, `aps:DeleteAlertManagerDefinition`, `aps:DeleteRuleGroupsNamespace`, `aps:DescribeAlertManagerDefinition`, `aps:DescribeRuleGroupsNamespace`, `aps:ListRuleGroupsNamespaces`, `aps:PutAlertManagerDefinition`, `aps:PutRuleGroupsNamespace`, `aps:TagResource`, and `aps:UntagResource` permissions were added.	September 29, 2021
Amazon Managed Service for Prometheus started tracking changes	Amazon Managed Service for Prometheus started tracking changes for its AWS managed policies.	September 15, 2021

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity-based policy examples

Troubleshooting