Which permissions/policies for IAM role to be used with CloudWatch monitoring script

Solution 1:

The Amazon CloudWatch Monitoring Scripts for Linux consist of two Perl scripts, both using one Perl module - a short peek into the source reveals the following AWS API actions being used:

  • CloudWatchClient.pm - DescribeTags
  • mon-get-instance-stats.pl - GetMetricStatistics, ListMetrics
  • mon-put-instance-data.pl - PutMetricData

With this information you can assemble your IAM policy, e.g. via the AWS policy generator - an all encompassing policy would be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Of course you can drop cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics when just using mon-put-instance-data.pl - please note that I haven't actually tested the code though.

Solution 2:

The above policy gives an error asking for a version.

The following should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1426849513000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:PutMetricData",
                "cloudwatch:SetAlarmState"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Solution 3:

There's an Amazon-provided IAM policy for CloudWatch. No need to build your own: CloudWatchFullAccess
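The three answers propose policies of very different breadth: Solution 1 lists exactly the four actions the scripts call, Solution 2 adds alarm actions and drops ec2:DescribeTags, and Solution 3 points at a managed policy that is much wider than the scripts need. The following Python script is an added example (not code from the question, the answers, or the AWS monitoring scripts) that checks a policy document against the per-script action list from Solution 1 and reports what is missing, what is granted beyond that list, and which Allow entries are wildcards. The two policies from Solutions 1 and 2 are embedded as-is; the third, wildcard policy is constructed here for illustration and is not a claim about the contents of CloudWatchFullAccess. IAM features such as NotAction and conditions are deliberately not modelled.

```python
"""Least-privilege check for the CloudWatch Monitoring Scripts' IAM policy.
Added example; not part of the original Q&A or of the AWS scripts."""
import json
import re

# Actions each script calls, per the source reading in Solution 1. Both scripts
# load CloudWatchClient.pm, which calls ec2:DescribeTags, so both need it.
REQUIRED_ACTIONS = {
    "mon-put-instance-data.pl": {"cloudwatch:PutMetricData", "ec2:DescribeTags"},
    "mon-get-instance-stats.pl": {"cloudwatch:GetMetricStatistics",
                                  "cloudwatch:ListMetrics", "ec2:DescribeTags"},
}


def _as_list(value):
    """IAM accepts "Action": "x" as well as "Action": ["x", "y"]."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _patterns(policy, effect):
    """All Action patterns from statements with the given Effect."""
    pats = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            pats.extend(_as_list(stmt.get("Action")))
    return pats


def is_allowed(policy, action):
    """An action is allowed only if some Allow matches and no Deny does."""
    if any(action_matches(p, action) for p in _patterns(policy, "Deny")):
        return False
    return any(action_matches(p, action) for p in _patterns(policy, "Allow"))


def check_policy(policy, scripts=tuple(REQUIRED_ACTIONS)):
    """Report missing, surplus and wildcard grants for the named scripts."""
    required = set().union(*(REQUIRED_ACTIONS[s] for s in scripts))
    required_lc = {r.lower() for r in required}
    allow = _patterns(policy, "Allow")
    wildcards = {p for p in allow if "*" in p or "?" in p}
    return {
        # Version "2012-10-17" is needed for current policy grammar features.
        "version_ok": policy.get("Version") == "2012-10-17",
        "missing": {a for a in required if not is_allowed(policy, a)},
        # Explicit (non-wildcard) grants the scripts never use.
        "surplus": {p for p in allow
                    if p not in wildcards and p.lower() not in required_lc},
        "wildcards": wildcards,
    }


def minimal_policy(scripts=tuple(REQUIRED_ACTIONS)):
    """Build the smallest Allow statement for the named scripts.
    These actions do not support resource-level permissions, so "*" stays."""
    actions = sorted(set().union(*(REQUIRED_ACTIONS[s] for s in scripts)))
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions,
                           "Resource": "*"}]}


# Policy from Solution 1 (copied from the answer).
SOLUTION_1_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["cloudwatch:GetMetricStatistics",
                            "cloudwatch:ListMetrics",
                            "cloudwatch:PutMetricData",
                            "ec2:DescribeTags"],
                 "Effect": "Allow", "Resource": "*"}]}""")

# Policy from Solution 2 (copied from the answer).
SOLUTION_2_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Stmt1426849513000", "Effect": "Allow",
                 "Action": ["cloudwatch:GetMetricStatistics",
                            "cloudwatch:ListMetrics",
                            "cloudwatch:PutMetricAlarm",
                            "cloudwatch:PutMetricData",
                            "cloudwatch:SetAlarmState"],
                 "Resource": ["*"]}]}""")

# Constructed wildcard policy for illustration; NOT CloudWatchFullAccess.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow",
                                  "Action": ["cloudwatch:*", "ec2:DescribeTags"],
                                  "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("solution 1", SOLUTION_1_POLICY),
                      ("solution 2", SOLUTION_2_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        print(name, check_policy(pol))
    print(json.dumps(minimal_policy(["mon-put-instance-data.pl"]), indent=2))
```

Running it shows Solution 1 as a clean fit, Solution 2 as missing ec2:DescribeTags while granting two alarm actions the scripts never call, and the wildcard policy as covering everything at the cost of an open-ended cloudwatch:* grant; minimal_policy(["mon-put-instance-data.pl"]) produces the two-action policy Solution 1 describes for a put-only host.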