Add Amazon Monitor with Required IAM Permissions
This article explains how to add Amazon monitors using only the required APIs (Custom IAM Policy - second method ↓)
Methods to Configure IAM Permissions for Amazon Monitoring
Read Only Access (AWS Managed Policy - Recommended)
- This predefined policy is maintained and updated by the AWS team, ensuring automatic updates when new AWS services are introduced.
- For full monitoring capabilities, assign the default ReadOnlyAccess policy document to the IAM user or role. For setup details, refer to the prerequisites page.
Custom IAM Policy (Granular Control)
- If your organization restricts default policies or requires more control, create a custom IAM policy with only the necessary permissions.
- The policy must be updated when new AWS services are added to Applications Manager.
📝
Key Notes
• As Applications Manager adds support for new AWS services, update the policy accordingly.
• Always use the latest version of the policy for compatibility. Ensure the policy is updated as needed when Applications Manager is upgraded.
• As Applications Manager adds support for new AWS services, update the policy accordingly.
• Always use the latest version of the policy for compatibility. Ensure the policy is updated as needed when Applications Manager is upgraded.
Step-by-Step Procedure to Add Amazon Monitor Using Custom IAM Policy
To enable AWS monitoring in Applications Manager, you need AWS Access Keys for authentication and retrieval of key performance metrics. Follow the steps below:
Step 1: Create User
- Go to AWS IAM Console → Click on 'Users' under Access Management → Click on 'Create User'.
- Provide a username (e.g., AppManagerUser) and proceed with the user creation steps.
Step 2: Attach Permissions
Attach the required IAM policy to the newly created user:
- Select the user in the IAM console.
- Go to the Permissions tab.
- Click Add Permission and choose Create inline policy.
- Switch to the JSON tab in the policy editor.
- Choose a JSON policy from the options below based on your requirement, copy and paste it, then click Next to finalize..Policy with Read Only Actions
Policy content in JSON Format:
Last updated on Sep, 2025{"Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "eks:DescribeFargateProfile", "ec2:DescribeInstances", "cloudwatch:GetMetricData", "dynamodb:ListTables", "ec2:DescribeRegions", "sns:ListTopics", "ce:GetCostAndUsage", "s3:ListBucket", "ecs:ListServices", "elasticbeanstalk:DescribeEnvironmentResources", "elasticloadbalancing:DescribeLoadBalancers", "eks:DescribeNodegroup", "elasticbeanstalk:DescribeEnvironments", "dynamodb:DescribeTable", "ecs:ListTasks", "autoscaling:DescribeAutoScalingGroups", "ec2:DescribeVolumes", "rds:DescribeDBInstances", "ecs:DescribeServices", "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "dynamodb:DescribeLimits", "ecs:ListClusters", "sqs:ListQueues", "eks:ListNodegroups", "sns:ListSubscriptionsByTopic", "lambda:ListFunctions", "lambda:GetFunction", "sqs:GetQueueAttributes", "dynamodb:DescribeStream", "cloudwatch:GetMetricStatistics", "ecs:DescribeClusters", "ce:GetCostForecast", "eks:ListFargateProfiles", "s3:ListAllMyBuckets", "elasticbeanstalk:DescribeEvents", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups", "eks:DescribeCluster", "ecs:ListContainerInstances", "eks:ListClusters", "sts:GetCallerIdentity", "s3:GetBucketLocation", "rds:DescribeDBClusters", "ec2:DescribeInstanceAttribute", "cloudwatch:ListMetrics", "ec2:GetConsoleOutput", "cloudformation:ListStackResources", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:ListInvalidations", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "elasticloadbalancing:DescribeLoadBalancerAttributes", "directconnect:DescribeConnections", "ecr:DescribeRepositories", "ecr:DescribeImages", "ec2:DescribeNatGateways", "fsx:DescribeFileCaches", "route53:ListHealthChecks", "route53:GetHealthCheck", "route53:GetHealthCheckStatus", "route53:GetHealthCheckLastFailureReason", "transfer:DescribeServer", "transfer:ListServers", "transfer:ListUsers", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeVpnConnections", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcEndpoints", "ec2:DescribeRegions", "ec2:DescribeAddresses", "directconnect:DescribeVirtualInterfaces", "states:ListStateMachines", "states:DescribeStateMachine", "states:ListExecutions", "network-firewall:ListFirewalls", "network-firewall:DescribeFirewall", "route53resolver:ListResolverEndpoints", "route53resolver:GetResolverEndpoint", "route53resolver:ListResolverEndpointIpAddresses", "vpc-lattice:ListServices", "vpc-lattice:GetService"], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "apigateway:GET", "Resource": [ "arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/restapis" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "apigateway:GET", "Resource": [ "arn:aws:apigateway:*::/apis/*", "arn:aws:apigateway:*::/apis" ] } ] }Policy with Read and EC2 (Start, Stop & Reboot) ActionsPolicy content in JSON Format:
Last updated on 24 Feb, 2025{"Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances", "eks:DescribeFargateProfile", "ec2:DescribeInstances", "cloudwatch:GetMetricData", "dynamodb:ListTables", "ec2:DescribeRegions", "sns:ListTopics", "ce:GetCostAndUsage", "s3:ListBucket", "ecs:ListServices", "elasticbeanstalk:DescribeEnvironmentResources", "elasticloadbalancing:DescribeLoadBalancers", "eks:DescribeNodegroup", "elasticbeanstalk:DescribeEnvironments", "dynamodb:DescribeTable", "ecs:ListTasks", "autoscaling:DescribeAutoScalingGroups", "ec2:DescribeVolumes", "rds:DescribeDBInstances", "ecs:DescribeServices", "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "dynamodb:DescribeLimits", "ecs:ListClusters", "sqs:ListQueues", "eks:ListNodegroups", "sns:ListSubscriptionsByTopic", "lambda:ListFunctions", "lambda:GetFunction", "sqs:GetQueueAttributes", "dynamodb:DescribeStream", "cloudwatch:GetMetricStatistics", "ecs:DescribeClusters", "ce:GetCostForecast", "eks:ListFargateProfiles", "s3:ListAllMyBuckets", "elasticbeanstalk:DescribeEvents", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups", "eks:DescribeCluster", "ecs:ListContainerInstances", "eks:ListClusters", "sts:GetCallerIdentity", "s3:GetBucketLocation", "rds:DescribeDBClusters", "ec2:DescribeInstanceAttribute", "cloudwatch:ListMetrics", "ec2:GetConsoleOutput", "cloudformation:ListStackResources", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:ListInvalidations", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "elasticloadbalancing:DescribeLoadBalancerAttributes", "directconnect:DescribeConnections", "ecr:DescribeRepositories", "ecr:DescribeImages", "ec2:DescribeNatGateways", "fsx:DescribeFileCaches", "route53:ListHealthChecks", "route53:GetHealthCheck", "route53:GetHealthCheckStatus", "route53:GetHealthCheckLastFailureReason", "transfer:DescribeServer", "transfer:ListServers", "transfer:ListUsers" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "apigateway:GET", "Resource": [ "arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/restapis" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "apigateway:GET", "Resource": [ "arn:aws:apigateway:*::/apis/*", "arn:aws:apigateway:*::/apis" ] } ] }
Step 3: Create Access Key and Secret Access Key
- Select the user and go to the Security Credentials tab.
- In the Access Keys section, click Create Access Key.
- Choose 'Third party service' as the use case, check the confirmation box, and click Next.
- Optionally, add a tag and click Create Access Key.
- Download the .csv file containing the Access Key and Secret Access Key.
By following these steps, IAM policies will be tailored to your organization's needs, ensuring optimal AWS resource monitoring.