AWS managed policies for Amazon Managed Service for Prometheus
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AmazonPrometheusFullAccess
You can attach the AmazonPrometheusFullAccess policy to your IAM identities.
Permissions details
This policy includes the following permissions.
- aps – Allows full access to Amazon Managed Service for Prometheus.
- eks – Allows the Amazon Managed Service for Prometheus service to read information about your Amazon EKS clusters. This is required to create managed scrapers and discover metrics in your cluster.
- ec2 – Allows the Amazon Managed Service for Prometheus service to read information about your Amazon EC2 networks. This is required to create managed scrapers with access to your Amazon EKS metrics.
- iam – Allows principals to create a service-linked role for managed metric scrapers.
The contents of AmazonPrometheusFullAccess are as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllPrometheusActions",
      "Effect": "Allow",
      "Action": [
        "aps:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DescribeCluster",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "aps.amazonaws.com"
          ]
        }
      },
      "Resource": "*"
    },
    {
      "Sid": "CreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "scraper.aps.amazonaws.com"
        }
      }
    }
  ]
}
AmazonPrometheusConsoleFullAccess
You can attach the AmazonPrometheusConsoleFullAccess policy to your IAM identities.
Permissions details
This policy includes the following permissions.
- aps – Allows full access to Amazon Managed Service for Prometheus.
- tag – Allows principals to see tag suggestions in the Amazon Managed Service for Prometheus console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagSuggestions",
      "Effect": "Allow",
      "Action": [
        "tag:GetTagValues",
        "tag:GetTagKeys"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PrometheusConsoleActions",
      "Effect": "Allow",
      "Action": [
        "aps:CreateWorkspace",
        "aps:DescribeWorkspace",
        "aps:UpdateWorkspaceAlias",
        "aps:DeleteWorkspace",
        "aps:ListWorkspaces",
        "aps:DescribeAlertManagerDefinition",
        "aps:DescribeRuleGroupsNamespace",
        "aps:CreateAlertManagerDefinition",
        "aps:CreateRuleGroupsNamespace",
        "aps:DeleteAlertManagerDefinition",
        "aps:DeleteRuleGroupsNamespace",
        "aps:ListRuleGroupsNamespaces",
        "aps:PutAlertManagerDefinition",
        "aps:PutRuleGroupsNamespace",
        "aps:TagResource",
        "aps:UntagResource",
        "aps:CreateLoggingConfiguration",
        "aps:UpdateLoggingConfiguration",
        "aps:DeleteLoggingConfiguration",
        "aps:DescribeLoggingConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
AmazonPrometheusRemoteWriteAccess
The contents of AmazonPrometheusRemoteWriteAccess are as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aps:RemoteWrite"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
AmazonPrometheusQueryAccess
The contents of AmazonPrometheusQueryAccess are as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aps:GetLabels",
        "aps:GetMetricMetadata",
        "aps:GetSeries",
        "aps:QueryMetrics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
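The guide recommends narrowing managed policies into customer managed policies. The following added example (not part of the AWS documentation or any AWS tooling) takes the AmazonPrometheusRemoteWriteAccess and AmazonPrometheusQueryAccess documents shown above, flags their Allow statements on Resource "*", and emits a copy scoped to a single workspace ARN, the same resource form the scraper policy's APSWriting statement uses. The region, account ID and workspace ID in the ARN are constructed placeholders.

```python
import copy
import json

# Policy documents copied from the page. Both grant aps actions on every workspace.
REMOTE_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["aps:RemoteWrite"], "Effect": "Allow", "Resource": "*"}],
}
QUERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["aps:GetLabels", "aps:GetMetricMetadata", "aps:GetSeries", "aps:QueryMetrics"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

def as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def broad_statements(policy):
    """Sids (or positional indices when no Sid is set) of Allow statements that use
    Resource "*" and carry no Condition: the statements worth narrowing."""
    found = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in as_list(stmt.get("Resource", [])):
            found.append(stmt.get("Sid", i))
    return found

def scope_to_workspace(policy, workspace_arn, sid):
    """Return a customer managed copy in which every aps-only statement on Resource "*"
    is limited to one workspace ARN and given a Sid. The input policy is left unchanged."""
    scoped = copy.deepcopy(policy)
    for stmt in as_list(scoped["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if actions and all(a.startswith("aps:") for a in actions) \
                and "*" in as_list(stmt.get("Resource", [])):
            stmt["Resource"] = workspace_arn
            stmt["Sid"] = sid
    return scoped

if __name__ == "__main__":
    # Constructed placeholder ARN: substitute your own region, account ID and workspace ID.
    ws = "arn:aws:aps:us-east-1:111122223333:workspace/ws-EXAMPLE"
    print(json.dumps(scope_to_workspace(REMOTE_WRITE_POLICY, ws, "RemoteWriteOneWorkspace"), indent=2))
```

The printed document can be created as a customer managed policy and attached in place of the managed one; the statement keeps the original actions and only loses the wildcard resource.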
AWS managed policy: AmazonPrometheusScraperServiceRolePolicy
You can't attach AmazonPrometheusScraperServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Managed Service for Prometheus to perform actions on your behalf. For more information, see Using roles for scraping metrics from EKS.
This policy grants contributor permissions that allow reading from your Amazon EKS cluster and writing to your Amazon Managed Service for Prometheus workspace.
Note
This user guide previously erroneously called this policy AmazonPrometheusScraperServiceLinkedRolePolicy.
Permissions details
This policy includes the following permissions.
- aps – Allows the service principal to write metrics to your Amazon Managed Service for Prometheus workspaces.
- ec2 – Allows the service principal to read and modify network configuration to connect to the network that contains your Amazon EKS clusters.
- eks – Allows the service principal to access your Amazon EKS clusters. This is required so that it can automatically scrape metrics. Also allows the principal to clean up Amazon EKS resources when a scraper is removed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeleteSLR",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*"
    },
    {
      "Sid": "NetworkDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ENIManagement",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterface",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "AMPAgentlessScraper"
          ]
        }
      }
    },
    {
      "Sid": "TagManagement",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        },
        "Null": {
          "aws:RequestTag/AMPAgentlessScraper": "false"
        }
      }
    },
    {
      "Sid": "ENIUpdating",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "ec2:ResourceTag/AMPAgentlessScraper": "false"
        }
      }
    },
    {
      "Sid": "EKSAccess",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:*:*:cluster/*"
    },
    {
      "Sid": "DeleteEKSAccessEntry",
      "Effect": "Allow",
      "Action": "eks:DeleteAccessEntry",
      "Resource": "arn:aws:eks:*:*:access-entry/*/role/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "${aws:ResourceAccount}"
        },
        "ArnLike": {
          "eks:principalArn": "arn:aws:iam::*:role/aws-service-role/scraper.aps.amazonaws.com/AWSServiceRoleForAmazonPrometheusScraper*"
        }
      }
    },
    {
      "Sid": "APSWriting",
      "Effect": "Allow",
      "Action": "aps:RemoteWrite",
      "Resource": "arn:aws:aps:*:*:workspace/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "${aws:ResourceAccount}"
        }
      }
    }
  ]
}
Amazon Managed Service for Prometheus updates to AWS managed policies
View details about updates to AWS managed policies for Amazon Managed Service for Prometheus since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Managed Service for Prometheus Document history page.
Change | Description | Date |
---|---|---|
AmazonPrometheusScraperServiceRolePolicy – Update to an existing policy | Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusScraperServiceRolePolicy to support using access entries in Amazon EKS. Includes permissions for managing Amazon EKS access entries to allow cleaning up resources when scrapers are deleted. Note: The user guide previously erroneously called this policy AmazonPrometheusScraperServiceLinkedRolePolicy. | May 2, 2024 |
AmazonPrometheusFullAccess – Update to an existing policy | Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusFullAccess to support creating managed scrapers for metrics in Amazon EKS clusters. Includes permissions for connecting to Amazon EKS clusters, reading Amazon EC2 networks, and creating a service-linked role for scrapers. | November 26, 2023 |
AmazonPrometheusScraperServiceLinkedRolePolicy – New policy | Amazon Managed Service for Prometheus added a new service-linked role policy to read from Amazon EKS containers, to allow automatic scraping of metrics. Includes permissions for connecting to Amazon EKS clusters, reading Amazon EC2 networks, and creating and deleting networks tagged as AMPAgentlessScraper. | November 26, 2023 |
AmazonPrometheusConsoleFullAccess – Update to an existing policy | Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusConsoleFullAccess to support logging alert manager and ruler events in CloudWatch Logs. The | October 24, 2022 |
AmazonPrometheusConsoleFullAccess – Update to an existing policy | Amazon Managed Service for Prometheus added new permissions to AmazonPrometheusConsoleFullAccess to support new Amazon Managed Service for Prometheus features and so that users with this policy can see a list of tag suggestions when they apply tags to Amazon Managed Service for Prometheus resources. The | September 29, 2021 |
Amazon Managed Service for Prometheus started tracking changes | Amazon Managed Service for Prometheus started tracking changes for its AWS managed policies. | September 15, 2021 |