AWS managed policies for Amazon Managed Service for Prometheus - Amazon Managed Service for Prometheus

AWS managed policies for Amazon Managed Service for Prometheus

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AmazonPrometheusFullAccess

You can attach the AmazonPrometheusFullAccess policy to your IAM identities.

Permissions details

This policy includes the following permissions.

  • aps – Allows full access to Amazon Managed Service for Prometheus

  • eks – Allows the Amazon Managed Service for Prometheus service to read information about your Amazon EKS clusters. This is required to allow creating managed scrapers and discover metrics in your cluster.

  • ec2 – Allows the Amazon Managed Service for Prometheus service to read information about your Amazon EC2 networks. This is required to allow creating managed scrapers with access to your Amazon EKS metrics.

  • iam – Allows principals to create a service-linked role for managed metric scrapers.

The contents of AmazonPrometheusFullAccess are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllPrometheusActions", "Effect": "Allow", "Action": [ "aps:*" ], "Resource": "*" }, { "Sid": "DescribeCluster", "Effect": "Allow", "Action": [ "eks:DescribeCluster", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "aps.amazonaws.com" ] } }, "Resource": "*" }, { "Sid": "CreateServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*", "Condition": { "StringEquals": { "iam:AWSServiceName": "scraper.aps.amazonaws.com" } } } ] }

AmazonPrometheusConsoleFullAccess

You can attach the AmazonPrometheusConsoleFullAccess policy to your IAM identities.

Permissions details

This policy includes the following permissions.

  • aps – Allows full access to Amazon Managed Service for Prometheus

  • tag – Allows principals to see tag suggestions in the Amazon Managed Service for Prometheus console.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "TagSuggestions", "Effect": "Allow", "Action": [ "tag:GetTagValues", "tag:GetTagKeys" ], "Resource": "*" }, { "Sid": "PrometheusConsoleActions", "Effect": "Allow", "Action": [ "aps:CreateWorkspace", "aps:DescribeWorkspace", "aps:UpdateWorkspaceAlias", "aps:DeleteWorkspace", "aps:ListWorkspaces", "aps:DescribeAlertManagerDefinition", "aps:DescribeRuleGroupsNamespace", "aps:CreateAlertManagerDefinition", "aps:CreateRuleGroupsNamespace", "aps:DeleteAlertManagerDefinition", "aps:DeleteRuleGroupsNamespace", "aps:ListRuleGroupsNamespaces", "aps:PutAlertManagerDefinition", "aps:PutRuleGroupsNamespace", "aps:TagResource", "aps:UntagResource", "aps:CreateLoggingConfiguration", "aps:UpdateLoggingConfiguration", "aps:DeleteLoggingConfiguration", "aps:DescribeLoggingConfiguration" ], "Resource": "*" } ] }

AmazonPrometheusRemoteWriteAccess

The contents of AmazonPrometheusRemoteWriteAccess are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aps:RemoteWrite" ], "Effect": "Allow", "Resource": "*" } ] }

AmazonPrometheusQueryAccess

The contents of AmazonPrometheusQueryAccess are as follows:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aps:GetLabels", "aps:GetMetricMetadata", "aps:GetSeries", "aps:QueryMetrics" ], "Effect": "Allow", "Resource": "*" } ] }

AWS managed policy: AmazonPrometheusScraperServiceLinkedRolePolicy

You can't attach AmazonPrometheusScraperServiceLinkedRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Managed Service for Prometheus to perform actions on your behalf. For more information, see Using roles for scraping metrics from EKS.

This policy grants contributor permissions that allow reading from your Amazon EKS cluster and writing to your Amazon Managed Service for Prometheus workspace.

Permissions details

This policy includes the following permissions.

  • aps – Allows the service principal to write metrics to your Amazon Managed Service for Prometheus workspaces.

  • ec2 – Allows the service principal to read and modify network configuration to connect to the network that contains your Amazon EKS clusters.

  • eks – Allows the service principal to access your Amazon EKS clusters. This is required so that it can automatically scrape metrics.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DeleteSLR", "Effect": "Allow", "Action": [ "iam:DeleteRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*" }, { "Sid": "NetworkDiscovery", "Effect": "Allow", "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "*" }, { "Sid": "ENIManagement", "Effect": "Allow", "Action": "ec2:CreateNetworkInterface", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "AMPAgentlessScraper" ] } } }, { "Sid": "TagManagement", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:*:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateNetworkInterface" }, "Null": { "aws:RequestTag/AMPAgentlessScraper": "false" } } }, { "Sid": "ENIUpdating", "Effect": "Allow", "Action": [ "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute" ], "Resource": "*", "Condition": { "Null": { "ec2:ResourceTag/AMPAgentlessScraper": "false" } } }, { "Sid": "EKSAccess", "Effect": "Allow", "Action": "eks:DescribeCluster", "Resource": "arn:*:eks:*:*:cluster/*" }, { "Sid": "APSWriting", "Effect": "Allow", "Action": "aps:RemoteWrite", "Resource": "arn:*:aps:*:*:workspace/*", "Condition": { "StringEquals": { "aws:PrincipalAccount": "${aws:ResourceAccount}" } } } ] }

Amazon Managed Service for Prometheus updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Managed Service for Prometheus since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Managed Service for Prometheus Document history page.

Change Description Date

AmazonPrometheusFullAccess – Update to an existing policy

Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusFullAccess to support creating managed scrapers for metrics in Amazon EKS clusters.

Includes permissions for connecting to Amazon EKS clusters, reading Amazon EC2 networks, and creating a service-linked role for scrapers.

November 26, 2023

AmazonPrometheusScraperServiceLinkedRolePolicy – New policy

Amazon Managed Service for Prometheus added a new service-linked role policy to read from Amazon EKS containers, to allow automatic scraping of metrics.

Includes permissions for connecting to Amazon EKS clusters, reading Amazon EC2 networks, and creating and deleting networks tagged as AMPAgentlessScraper, as well as for writing to Amazon Managed Service for Prometheus workspaces.

November 26, 2023

AmazonPrometheusConsoleFullAccess – Update to an existing policy

Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusConsoleFullAccess to support logging alert manager and ruler events in CloudWatch Logs.

The aps:CreateLoggingConfiguration, aps:UpdateLoggingConfiguration, aps:DeleteLoggingConfiguration, aps:DescribeLoggingConfiguration permissions were added.

October 24, 2022

AmazonPrometheusConsoleFullAccess – Update to an existing policy

Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusConsoleFullAccess to support new Amazon Managed Service for Prometheus features and so that users with this policy can see a list of tag suggestions when they apply tags to Amazon Managed Service for Prometheus resources.

The tag:GetTagKeys, tag:GetTagValues, aps:CreateAlertManagerDefinition, aps:CreateRuleGroupsNamespace, aps:DeleteAlertManagerDefinition, aps:DeleteRuleGroupsNamespace, aps:DescribeAlertManagerDefinition, aps:DescribeRuleGroupsNamespace, aps:ListRuleGroupsNamespaces, aps:PutAlertManagerDefinition, aps:PutRuleGroupsNamespace, aps:TagResource, and aps:UntagResource permissions were added.

September 29, 2021

Amazon Managed Service for Prometheus started tracking changes

Amazon Managed Service for Prometheus started tracking changes for its AWS managed policies.

September 15, 2021