Add Amazon Monitor with Required IAM Permissions

This article explains how to add an Amazon monitor using only the required AWS APIs, which is the second of the two methods below (Custom IAM Policy).

Methods to Configure IAM Permissions for Amazon Monitoring

Default ReadOnlyAccess Policy (Full Monitoring)

  1. For full monitoring capabilities, attach the AWS managed ReadOnlyAccess policy to the IAM user or role. For setup details, refer to the prerequisites page.
  2. This managed policy is maintained and updated by AWS, so newly introduced AWS services are covered without any change on your side. The trade-off is scope: ReadOnlyAccess grants read access to every service in the account, far more than monitoring needs.

Custom IAM Policy (Granular Control)

  1. If your organization restricts default policies or requires more control, create a custom IAM policy with only the necessary permissions.
  2. The policy must be updated when new AWS services are added to Applications Manager.
  3. The custom policy is split into three sections:
    • Core Monitoring (Read-Only) — Required for all AWS monitoring. Contains only read/describe/list/get permissions.
    • EC2 Instance Actions (Optional) — Required only if you want to start, stop, or reboot EC2 instances from Applications Manager. These are not read-only permissions.
    • VPC Flow Log Analysis (Optional) — Required only if you use VPC Flow Log analysis. Includes S3 write, Glue catalog creation, and Athena query execution permissions that are not read-only.
Key Notes

• As Applications Manager adds support for new AWS services, update the custom policy accordingly. Always use the latest published version of the policy and re-check it after every Applications Manager upgrade.
• The EC2 Instance Actions and VPC Flow Log Analysis sections contain write permissions and should only be added if those features are required.

Step-by-Step Procedure to Add Amazon Monitor Using Custom IAM Policy

To enable AWS monitoring in Applications Manager, you need AWS Access Keys for authentication and retrieval of key performance metrics. Follow the steps below:

Step 1: Create User

  1. Go to AWS IAM Console → Click on 'Users' under Access Management → Click on 'Create User'.
  2. Provide a username (e.g., AppManagerUser) and proceed with the user creation steps.

Step 2: Attach Permissions

Attach the required IAM policy to the newly created user:

  1. Select the user in the IAM console.
  2. Go to the Permissions tab.
  3. Click Add Permission and choose Create inline policy.
  4. Switch to the JSON tab in the policy editor.
  5. Paste Policy 1 (Core Monitoring) from the section below, click Next, give the policy a name, and create it. If you also need Policy 2 or Policy 3, add each one the same way as a further inline policy (each inline policy needs its own unique name), or append its Statement entries to the same policy document. Do not add the optional policies unless you use those features.

Policy 1: Core Monitoring (Read-Only) — Required

This policy contains only the read-only permissions required for discovering and monitoring all supported AWS services. No resources are modified. "Read-only" here means read-only in the IAM sense: a few of these calls still return data you may consider sensitive (ec2:GetConsoleOutput returns instance console logs, ssm:ListCommands returns Run Command history), so protect the access key like any other service credential. The document below is plain JSON with no comments and can be pasted into the IAM editor as-is; the IAM JSON editor rejects /* */ comments, so do not add service labels inside the document. Actions are grouped by service in this order: EC2, CloudWatch, Auto Scaling, ECS, EKS, Lambda, RDS (including DocumentDB, Neptune and RDS Proxy), DynamoDB, ElastiCache, Redshift, S3, SNS, SQS, Elastic Load Balancing, Elastic Beanstalk, CloudFront, CloudFormation, EFS, FSx, Direct Connect, ECR, Route 53, Route 53 Resolver, AWS Transfer Family, Step Functions, Network Firewall, VPC Lattice, SES, MSK (Kafka), Cost Explorer, STS, Lightsail, WorkSpaces, Systems Manager (SSM), Certificate Manager (ACM), AWS Backup and Elastic Disaster Recovery (DRS), followed by two statements for API Gateway REST and HTTP APIs.

Last updated on May 28, 2026

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CoreMonitoringReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "ec2:GetConsoleOutput",
        "ec2:DescribeNatGateways",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeClientVpnEndpoints",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpcEndpointServices",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeFlowLogs",

        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",

        "autoscaling:DescribeAutoScalingGroups",

        "ecs:ListClusters",
        "ecs:DescribeClusters",
        "ecs:ListServices",
        "ecs:DescribeServices",
        "ecs:ListTasks",
        "ecs:DescribeTasks",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances",

        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",
        "eks:ListFargateProfiles",
        "eks:DescribeFargateProfile",

        "lambda:ListFunctions",
        "lambda:GetFunction",

        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:DescribeGlobalClusters",
        "rds:DescribeDBProxies",
        "rds:DescribeEvents",

        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeStream",

        "elasticache:DescribeCacheClusters",

        "redshift:DescribeClusters",

        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",

        "sns:ListTopics",
        "sns:ListSubscriptionsByTopic",

        "sqs:ListQueues",
        "sqs:GetQueueAttributes",

        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",

        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEvents",

        "cloudfront:ListDistributions",
        "cloudfront:GetDistribution",
        "cloudfront:ListInvalidations",

        "cloudformation:ListStackResources",

        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",

        "fsx:DescribeFileCaches",

        "directconnect:DescribeConnections",
        "directconnect:DescribeVirtualInterfaces",

        "ecr:DescribeRepositories",
        "ecr:DescribeImages",

        "route53:ListHealthChecks",
        "route53:GetHealthCheck",
        "route53:GetHealthCheckStatus",
        "route53:GetHealthCheckLastFailureReason",

        "route53resolver:ListResolverEndpoints",
        "route53resolver:GetResolverEndpoint",
        "route53resolver:ListResolverEndpointIpAddresses",

        "transfer:ListServers",
        "transfer:DescribeServer",
        "transfer:ListUsers",

        "states:ListStateMachines",
        "states:DescribeStateMachine",
        "states:ListExecutions",

        "network-firewall:ListFirewalls",
        "network-firewall:DescribeFirewall",

        "vpc-lattice:ListServices",
        "vpc-lattice:GetService",

        "ses:ListIdentities",
        "ses:GetSendQuota",
        "ses:GetSuppressedDestination",

        "kafka:ListClustersV2",
        "kafka:DescribeClusterV2",

        "ce:GetCostAndUsage",
        "ce:GetCostForecast",

        "sts:GetCallerIdentity",

        "lightsail:GetInstances",
        "lightsail:GetInstance",
        "lightsail:GetOperationsForResource",
        "lightsail:GetInstanceMetricData",

        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeIpGroups",

        "ssm:DescribeInstanceInformation",
        "ssm:ListCommands",

        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "acm:GetCertificate",

        "backup:ListBackupPlans",
        "backup:ListBackupVaults",
        "backup:DescribeBackupVault",
        "backup:ListBackupJobs",
        "backup:ListRestoreJobs",
        "backup:ListCopyJobs",
        "backup:ListRecoveryPointsByBackupVault",

        "drs:DescribeSourceServers",
        "drs:DescribeRecoveryInstances",
        "drs:GetReplicationConfiguration",
        "drs:GetLaunchConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "APIGatewayRESTAPIs",
      "Effect": "Allow",
      "Action": "apigateway:GET",
      "Resource": [
        "arn:aws:apigateway:*::/restapis/*",
        "arn:aws:apigateway:*::/restapis"
      ]
    },
    {
      "Sid": "APIGatewayHTTPAPIs",
      "Effect": "Allow",
      "Action": "apigateway:GET",
      "Resource": [
        "arn:aws:apigateway:*::/apis/*",
        "arn:aws:apigateway:*::/apis"
      ]
    }
  ]
}

Policy 2: EC2 Instance Actions (Optional) — Not Read-Only

Warning: write permissions. This policy grants permissions to start, stop, and reboot EC2 instances from the Applications Manager UI. Add it only if you require EC2 instance management actions. As published, Resource is "*", so the user can act on every instance in the account; if the instances you manage carry a distinguishing tag, narrow Resource to arn:aws:ec2:*:*:instance/* and add an aws:ResourceTag condition so that a leaked access key cannot stop instances outside that set.
Last updated on May 28, 2026

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2InstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "*"
    }
  ]
}

Policy 3: VPC Flow Log Monitoring (Optional) — Not Read-Only

Warning: write permissions. This policy grants the permissions needed for VPC Flow Log monitoring: reading the flow log objects, writing Athena query results back to S3 (under the outputs/ prefix of the same bucket), creating the Glue database and table used for the queries, and running Athena queries. Add it only if you use the VPC Flow Log analysis feature. Replace <flow-log-bucket> with the name of the S3 bucket that receives your VPC Flow Logs. The Glue statement is already limited to databases and tables whose names start with meapm_vpc_; the Athena statement uses Resource "*", and you can narrow it to the ARN of the workgroup the queries run in (arn:aws:athena:<region>:<account-id>:workgroup/<name>) if you know which one that is.
Last updated on May 28, 2026

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCS3FlowLogAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<flow-log-bucket>",
        "arn:aws:s3:::<flow-log-bucket>/*"
      ]
    },
    {
      "Sid": "VPCS3QueryResultsWrite",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::<flow-log-bucket>/AWSLogs/*/vpcflowlogs/*/outputs/*"
    },
    {
      "Sid": "GluePermissions",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:CreateDatabase",
        "glue:GetTable",
        "glue:CreateTable",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/meapm_vpc_*",
        "arn:aws:glue:*:*:table/meapm_vpc_*/*"
      ]
    },
    {
      "Sid": "AthenaPermissions",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}


Step 3: Create Access Key and Secret Access Key

  1. Select the user and go to the Security Credentials tab.
  2. In the Access Keys section, click Create Access Key.
  3. Choose 'Third party service' as the use case, check the confirmation box, and click Next.
  4. Optionally, add a tag and click Create Access Key.
  5. Download the .csv file containing the Access Key and Secret Access Key; these are the credentials you enter when adding the Amazon monitor.

The secret access key is shown only once and is a long-lived credential. Keep the .csv out of shared locations and delete it once the key has been entered in Applications Manager, rotate the key on your organization's schedule for service credentials, and create the replacement key before deactivating the old one (IAM allows two active keys per user) so that monitoring is not interrupted.

By following these steps, the permissions granted to Applications Manager are limited to what your organization needs while still covering the AWS resources you monitor.

