Which permissions/policies for IAM role to be used with CloudWatch monitoring script
Solution 1:
The Amazon CloudWatch Monitoring Scripts for Linux are comprised of two Perl scripts, both using one Perl module - a short peek into the source reveals the following AWS API actions being used:
CloudWatchClient.pm- DescribeTagsmon-get-instance-stats.pl- GetMetricStatistics, ListMetricsmon-put-instance-data.pl- PutMetricData
With this information you can assemble your IAM policy, e.g. via the AWS policy generator - an all encompassing policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricData",
"ec2:DescribeTags"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Of course you can drop cloudwatch:GetMetricStatistics cloudwatch:ListMetricswhen just using mon-put-instance-data.pl - please note that I haven't actually tested the code though.
Solution 2:
The above policy gives error asking for version.
The following should work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1426849513000",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricAlarm",
"cloudwatch:PutMetricData",
"cloudwatch:SetAlarmState"
],
"Resource": [
"*"
]
}
]
}
Solution 3:
There's an Amazon provided IAM policy for CloudWatch. No need to build your own. CloudWatchFullAccess