Minimal AWS Permissions

This page explains how to minimize Stackdriver's access to your AWS account.

Overview

When you use the standard instructions for adding an AWS account to one of your Workspaces, you grant Stackdriver read-only access to all your AWS resources. This is done by creating a role in AWS IAM with read-only access to all services. You store in your Workspace the Role ARN, which identifies that role; Stackdriver assumes the role to read your resources. The ARN is an identifier, not a secret: what limits who can assume the role is the role's trust policy.

Stackdriver's level of access is controlled by the AWS IAM role you choose. To minimize access, create an AWS IAM role with read-only access to only some of your AWS resources, rather than to all of them. For example, your role might permit access to only CloudWatch and SNS.

An AWS role used to authorize Stackdriver can be used in only one Workspace. The role's trust policy requires an External ID that is specific to a single Workspace, so the same role cannot be reused from another Workspace.

Minimal permissions

The following AWS managed policies are the minimal set required by Stackdriver. Your AWS role must include at least these permissions:

AmazonDynamoDBReadOnlyAccess
AmazonEC2ReadOnlyAccess
AmazonElastiCacheReadOnlyAccess
AmazonESReadOnlyAccess
AmazonKinesisReadOnlyAccess
AmazonRedshiftReadOnlyAccess
AmazonRDSReadOnlyAccess
AmazonS3ReadOnlyAccess
AmazonSESReadOnlyAccess
AmazonSNSReadOnlyAccess
AmazonSQSReadOnlyAccess
AmazonVPCReadOnlyAccess
AutoScalingReadOnlyAccess
AWSLambdaReadOnlyAccess
CloudFrontReadOnlyAccess
CloudWatchReadOnlyAccess
CloudWatchEventsReadOnlyAccess

The same permissions expressed as a single inline policy document (JSON):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:Describe*",
        "dynamodb:Get*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ec2:Get*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:List*",
        "events:Describe*",
        "events:List*",
        "health:Describe*",
        "health:Get*",
        "health:List*",
        "kinesis:Describe*",
        "kinesis:Get*",
        "kinesis:List*",
        "lambda:Get*",
        "lambda:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift:Describe*",
        "redshift:Get*",
        "redshift:View*",
        "s3:Get*",
        "s3:List*",
        "ses:Get*",
        "ses:List*",
        "ses:Describe*",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*"
        ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

This list could grow as Stackdriver adds support for new AWS services. You can add permissions to balance Stackdriver functionality against your desire to keep access limited. Two points to check before you attach either form of the policy: the JSON document is not an exact expansion of the managed policies listed above (it also grants health:Describe*, health:Get* and health:List*, which none of those policies include, so decide explicitly whether your role needs them); and wildcard prefixes such as s3:Get* match every current and future action with that prefix, which for S3 includes reading object contents, not just bucket metadata. Review the expanded action list periodically rather than assuming a "Get" or "List" prefix is always harmless.
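The following script, added here as an example and not taken from the Stackdriver documentation or from Google, builds the two documents a least-privilege role needs (the permission policy above, optionally cut down to a subset of services, and a trust policy that binds the role to one External ID) and audits an existing policy for anything that is not read-only. The account ID and External ID are placeholders; take the real values from the "Add AWS account" dialog in your Workspace.

```python
"""Build and audit a least-privilege IAM role definition for Stackdriver.
Added example, not code from the Stackdriver documentation or from Google.
"""
import json

# Placeholders (assumptions), not values from the documentation page.
STACKDRIVER_ACCOUNT_ID = "111111111111"  # account that assumes the role
EXTERNAL_ID = "replace-with-workspace-external-id"  # unique per Workspace

# Read-only action prefixes per service, copied from the JSON policy above.
READ_ONLY_ACTIONS = {
    "autoscaling": ("Describe",),
    "cloudfront": ("Get", "List"),
    "cloudwatch": ("Describe", "Get", "List"),
    "dynamodb": ("Describe", "Get", "List"),
    "ec2": ("Describe", "Get"),
    "elasticache": ("Describe", "List"),
    "elasticloadbalancing": ("Describe",),
    "es": ("Describe", "List"),
    "events": ("Describe", "List"),
    "health": ("Describe", "Get", "List"),
    "kinesis": ("Describe", "Get", "List"),
    "lambda": ("Get", "List"),
    "rds": ("Describe", "List"),
    "redshift": ("Describe", "Get", "View"),
    "s3": ("Get", "List"),
    "ses": ("Get", "List", "Describe"),
    "sns": ("Get", "List"),
    "sqs": ("Get", "List"),
}

# Verbs that only read state; any other verb (or a bare "*") in an Allow
# statement is reported so the role cannot drift away from read-only unnoticed.
READ_VERBS = ("Describe", "Get", "List", "View")


def permission_policy(services=None):
    """Read-only permission policy, optionally limited to a subset of services
    (for example {"cloudwatch", "sns"}) as the page suggests."""
    chosen = READ_ONLY_ACTIONS if services is None else {
        svc: READ_ONLY_ACTIONS[svc] for svc in sorted(services)}
    actions = [f"{svc}:{verb}*" for svc, verbs in chosen.items() for verb in verbs]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def trust_policy(account_id, external_id):
    """Trust policy: one external account may assume the role, and only when it
    presents the Workspace-specific External ID (the confused-deputy guard)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Every action in an Allow statement whose verb is not read-only.
    Wildcards such as "ec2:*" and NotAction statements are reported as well,
    because both can silently grant write access."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            flagged.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[1] if ":" in action else action
            if not verb.startswith(READ_VERBS):
                flagged.append(action)
    return flagged


def trust_policy_problems(policy):
    """Problems with a role trust policy that would let more than one
    Workspace, or anyone at all, assume the role."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("wildcard principal: any AWS account can assume the role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append("no sts:ExternalId condition: role is not bound to one Workspace")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(STACKDRIVER_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permission_policy(), indent=2))
    # Constructed example of a role that has drifted away from read-only.
    drifted = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["cloudwatch:Get*", "ec2:*", "s3:PutObject"],
        "Resource": "*"}]}
    print("non-read-only actions:", non_read_only_actions(drifted))
```

Write the two documents to files and create the role with aws iam create-role --assume-role-policy-document file://trust.json followed by aws iam put-role-policy --policy-document file://permissions.json. To audit a role that already exists, feed the AssumeRolePolicyDocument returned by aws iam get-role to trust_policy_problems and each inline or managed policy document to non_read_only_actions; an empty list from both is the state you want before handing the Role ARN to a Workspace.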

Instructions

Modifying an AWS role

If you have already added your AWS account to a Workspace, then you can limit Stackdriver access by changing the permissions in the AWS role you are already using:

  1. Log in to your AWS account.
  2. Go to Services > IAM > Roles to get to the AWS IAM console.
  3. At the bottom of the page, click the role name you are using to authorize Stackdriver. In the Permissions tab, you see the list of permissions for that role:

    • To remove an existing permission, click the X to the right of the permission.
    • To add additional permissions, click Attach policy:
      1. Use the filter to find the policy you want.
      2. Select one of the policies ending in ReadOnlyAccess or ReadOnly.
      3. Click Attach Policy.
      4. Repeat to add more policies.

Adding an AWS account with limited access

Refer to the standard instructions at Adding an AWS account. The instructions for creating your AWS Role are not in the Stackdriver user documentation, but instead are listed inside the Monitoring console when you add an AWS account. Following is a screenshot of those instructions.

[Screenshot: the "Authorize AWS" instructions shown in the Monitoring console]

Here is how to modify those instructions:

  1. Find step 7, "Select ReadOnlyAccess from the policy list and click Next: Review."

  2. Replace that step with the following:

    1. Use the filter to locate a permissions policy you want to use. Select a ReadOnly variant of the policy because that is all you need.
    2. Repeat as necessary to select more permissions.
    3. When finished, click Next: Review. You see something like the following:

    [Screenshot: the "Review role" page in the AWS IAM console]

  3. Continue with the standard instructions.
