Add Amazon Monitor with Required IAM Permissions

This article explains how to add Amazon monitors using only the required APIs (Custom IAM Policy, the second method below).

Methods to Configure IAM Permissions for Amazon Monitoring

Read Only Access (AWS Managed Policy - Recommended)

  1. This predefined policy is maintained and updated by the AWS team, ensuring automatic updates when new AWS services are introduced.
  2. For full monitoring capabilities, assign the default ReadOnlyAccess policy document to the IAM user or role. For setup details, refer to the prerequisites page.

Custom IAM Policy (Granular Control)

  1. If your organization restricts default policies or requires more control, create a custom IAM policy with only the necessary permissions.
  2. The policy must be updated when new AWS services are added to Applications Manager.

📝 Key Notes
• As Applications Manager adds support for new AWS services, update the policy accordingly.
• Always use the latest version of the policy for compatibility. Ensure the policy is updated as needed when Applications Manager is upgraded.

Step-by-Step Procedure to Add Amazon Monitor Using Custom IAM Policy

To enable AWS monitoring in Applications Manager, you need AWS Access Keys for authentication and retrieval of key performance metrics. Follow the steps below:

Step 1: Create User

  1. Go to AWS IAM Console → Click on 'Users' under Access Management → Click on 'Create User'.
  2. Provide a username (e.g., AppManagerUser) and proceed with the user creation steps.

Step 2: Attach Permissions

Attach the required IAM policy to the newly created user:

  1. Select the user in the IAM console.
  2. Go to the Permissions tab.
  3. Click Add Permission and choose Create inline policy.
  4. Switch to the JSON tab in the policy editor.
  5. Choose a JSON policy from the options below based on your requirement, copy and paste it, then click Next to finalize.
    Policy with Read Only Actions

    Policy content in JSON Format:

    Last updated on 02 July, 2025

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "eks:DescribeFargateProfile",
                    "ec2:DescribeInstances",
                    "cloudwatch:GetMetricData",
                    "dynamodb:ListTables",
                    "ec2:DescribeRegions",
                    "sns:ListTopics",
                    "ce:GetCostAndUsage",
                    "s3:ListBucket",
                    "ecs:ListServices",
                    "elasticbeanstalk:DescribeEnvironmentResources",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "eks:DescribeNodegroup",
                    "elasticbeanstalk:DescribeEnvironments",
                    "dynamodb:DescribeTable",
                    "ecs:ListTasks",
                    "autoscaling:DescribeAutoScalingGroups",
                    "ec2:DescribeVolumes",
                    "rds:DescribeDBInstances",
                    "ecs:DescribeServices",
                    "ecs:DescribeContainerInstances",
                    "ecs:DescribeTasks",
                    "dynamodb:DescribeLimits",
                    "ecs:ListClusters",
                    "sqs:ListQueues",
                    "eks:ListNodegroups",
                    "sns:ListSubscriptionsByTopic",
                    "lambda:ListFunctions",
                    "lambda:GetFunction",
                    "sqs:GetQueueAttributes",
                    "dynamodb:DescribeStream",
                    "cloudwatch:GetMetricStatistics",
                    "ecs:DescribeClusters",
                    "ce:GetCostForecast",
                    "eks:ListFargateProfiles",
                    "s3:ListAllMyBuckets",
                    "elasticbeanstalk:DescribeEvents",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "eks:DescribeCluster",
                    "ecs:ListContainerInstances",
                    "eks:ListClusters",
                    "sts:GetCallerIdentity",
                    "s3:GetBucketLocation",
                    "rds:DescribeDBClusters",
                    "ec2:DescribeInstanceAttribute",
                    "cloudwatch:ListMetrics",
                    "ec2:GetConsoleOutput",
                    "cloudformation:ListStackResources",
                    "cloudfront:GetDistribution",
                    "cloudfront:ListDistributions",
                    "cloudfront:ListInvalidations",
                    "elasticfilesystem:DescribeFileSystems",
                    "elasticfilesystem:DescribeMountTargets",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "directconnect:DescribeConnections",
                    "ecr:DescribeRepositories",
                    "ecr:DescribeImages",
                    "ec2:DescribeNatGateways",
                    "fsx:DescribeFileCaches",
                    "route53:ListHealthChecks",
                    "route53:GetHealthCheck",
                    "route53:GetHealthCheckStatus",
                    "route53:GetHealthCheckLastFailureReason",
                    "transfer:DescribeServer",
                    "transfer:ListServers",
                    "transfer:ListUsers",
                    "ec2:DescribeTransitGateways",
                    "ec2:DescribeTransitGatewayAttachments",
                    "ec2:DescribeClientVpnEndpoints",
                    "ec2:DescribeVpnConnections",
                    "ec2:DescribeVpcEndpointServices",
                    "ec2:DescribeVpcEndpoints"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "apigateway:GET",
                "Resource": [
                    "arn:aws:apigateway:*::/restapis/*",
                    "arn:aws:apigateway:*::/restapis"
                ]
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "apigateway:GET",
                "Resource": [
                    "arn:aws:apigateway:*::/apis/*",
                    "arn:aws:apigateway:*::/apis"
                ]
            }
        ]
    }
    Policy with Read and EC2 (Start, Stop & Reboot) Actions

    Policy content in JSON Format:

    Last updated on 24 Feb, 2025

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:RebootInstances",
                    "eks:DescribeFargateProfile",
                    "ec2:DescribeInstances",
                    "cloudwatch:GetMetricData",
                    "dynamodb:ListTables",
                    "ec2:DescribeRegions",
                    "sns:ListTopics",
                    "ce:GetCostAndUsage",
                    "s3:ListBucket",
                    "ecs:ListServices",
                    "elasticbeanstalk:DescribeEnvironmentResources",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "eks:DescribeNodegroup",
                    "elasticbeanstalk:DescribeEnvironments",
                    "dynamodb:DescribeTable",
                    "ecs:ListTasks",
                    "autoscaling:DescribeAutoScalingGroups",
                    "ec2:DescribeVolumes",
                    "rds:DescribeDBInstances",
                    "ecs:DescribeServices",
                    "ecs:DescribeContainerInstances",
                    "ecs:DescribeTasks",
                    "dynamodb:DescribeLimits",
                    "ecs:ListClusters",
                    "sqs:ListQueues",
                    "eks:ListNodegroups",
                    "sns:ListSubscriptionsByTopic",
                    "lambda:ListFunctions",
                    "lambda:GetFunction",
                    "sqs:GetQueueAttributes",
                    "dynamodb:DescribeStream",
                    "cloudwatch:GetMetricStatistics",
                    "ecs:DescribeClusters",
                    "ce:GetCostForecast",
                    "eks:ListFargateProfiles",
                    "s3:ListAllMyBuckets",
                    "elasticbeanstalk:DescribeEvents",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "eks:DescribeCluster",
                    "ecs:ListContainerInstances",
                    "eks:ListClusters",
                    "sts:GetCallerIdentity",
                    "s3:GetBucketLocation",
                    "rds:DescribeDBClusters",
                    "ec2:DescribeInstanceAttribute",
                    "cloudwatch:ListMetrics",
                    "ec2:GetConsoleOutput",
                    "cloudformation:ListStackResources",
                    "cloudfront:GetDistribution",
                    "cloudfront:ListDistributions",
                    "cloudfront:ListInvalidations",
                    "elasticfilesystem:DescribeFileSystems",
                    "elasticfilesystem:DescribeMountTargets",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "directconnect:DescribeConnections",
                    "ecr:DescribeRepositories",
                    "ecr:DescribeImages",
                    "ec2:DescribeNatGateways",
                    "fsx:DescribeFileCaches",
                    "route53:ListHealthChecks",
                    "route53:GetHealthCheck",
                    "route53:GetHealthCheckStatus",
                    "route53:GetHealthCheckLastFailureReason",
                    "transfer:DescribeServer",
                    "transfer:ListServers",
                    "transfer:ListUsers"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "apigateway:GET",
                "Resource": [
                    "arn:aws:apigateway:*::/restapis/*",
                    "arn:aws:apigateway:*::/restapis"
                ]
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "apigateway:GET",
                "Resource": [
                    "arn:aws:apigateway:*::/apis/*",
                    "arn:aws:apigateway:*::/apis"
                ]
            }
        ]
    }

Step 3: Create Access Key and Secret Access Key

  1. Select the user and go to the Security Credentials tab.
  2. In the Access Keys section, click Create Access Key.
  3. Choose 'Third party service' as the use case, check the confirmation box, and click Next.
  4. Optionally, add a tag and click Create Access Key.
  5. Download the .csv file containing the Access Key and Secret Access Key.

Following these steps gives you an IAM policy tailored to your organization's needs while still granting Applications Manager the permissions it requires to monitor your AWS resources.
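The Key Notes above say the custom policy must be reviewed whenever Applications Manager adds services, and the second policy above differs from the first only by three EC2 control actions. The following script, an added example that is not part of this article or ManageEngine's own tooling, audits a policy document for non-read-only actions and reports the actions added or removed between two versions; the two policy excerpts embedded in it are constructed, shortened copies of the policies above.

```python
"""Audit the custom IAM policy for the Amazon monitor (added example; not ManageEngine code)."""
import json

# Read-only verb prefixes; any other verb is treated as a mutating action.
READ_ONLY_VERBS = ("Describe", "List", "Get", "GET")

# Constructed excerpts of the two policies on this page (full action lists omitted).
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "cloudwatch:GetMetricData",
                "sts:GetCallerIdentity", "ec2:DescribeVpcEndpoints"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "apigateway:GET",
     "Resource": ["arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/restapis"]}
  ]}""")

EC2_CONTROL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
                "ec2:DescribeInstances", "cloudwatch:GetMetricData", "sts:GetCallerIdentity"],
     "Resource": "*"}
  ]}""")

def allowed_actions(policy):
    """Set of actions granted by Allow statements; Action may be a string or a list."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def mutating_actions(policy):
    """Actions whose verb is not read-only, e.g. ec2:StopInstances in the second policy."""
    return sorted(a for a in allowed_actions(policy)
                  if not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS))

def action_diff(old, new):
    """Actions added to and removed from a policy between two versions (upgrade review)."""
    before, after = allowed_actions(old), allowed_actions(new)
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    print("mutating:", mutating_actions(EC2_CONTROL_POLICY))
    print("added/removed:", action_diff(READ_ONLY_POLICY, EC2_CONTROL_POLICY))
```

Run it against the full policy JSON you pasted into the IAM console (load it with `json.load`) to confirm that the read-only variant really grants no mutating action and to see exactly which actions a new policy version adds before attaching it.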
