Minimal AWS permissions

This page explains how to minimize Cloud Monitoring's access to your AWS account.

Overview

When you use the standard instructions to add an AWS account as a monitored project to a metrics scope, you grant Monitoring read-only access to all your AWS resources. This is done by creating a role in AWS IAM with read-only access to all services. Google Cloud stores the key (the Role ARN) that lets Monitoring use that role.

Monitoring's level of access is controlled by the AWS IAM role you choose. To minimize access, create an AWS IAM role with read-only access to only some of your AWS resources, rather than to all of them. For example, your role might permit access to only CloudWatch and SNS.

Each role contains an External ID that is specific to a single Google Cloud project.

Minimal permissions

The following AWS permission policies are the minimal set required by Monitoring. Your AWS role must contain at least these permissions:

AmazonDynamoDBReadOnlyAccess
AmazonEC2ReadOnlyAccess
AmazonElastiCacheReadOnlyAccess
AmazonESReadOnlyAccess
AmazonKinesisReadOnlyAccess
AmazonRedshiftReadOnlyAccess
AmazonRDSReadOnlyAccess
AmazonS3ReadOnlyAccess
AmazonSESReadOnlyAccess
AmazonSNSReadOnlyAccess
AmazonSQSReadOnlyAccess
AmazonVPCReadOnlyAccess
AutoScalingReadOnlyAccess
AWSLambdaReadOnlyAccess
CloudFrontReadOnlyAccess
CloudWatchReadOnlyAccess
CloudWatchEventsReadOnlyAccess

This list could grow as new AWS services are added to Monitoring. You can add additional permissions to balance Monitoring functionality with your desire to keep access limited.
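The two controls described above are the role's trust policy (only the Monitoring principal, presenting the project-specific External ID, may assume it) and the set of attached read-only policies. The following added example, which is not part of this page or of Google Cloud's tooling, builds such a trust policy and audits an attached-policy list against the minimal set; the principal ARN and External ID are constructed placeholders, and the attached list would normally come from `aws iam list-attached-role-policies`.

```python
import json

# Minimal managed policies listed on this page (policy names, not ARNs).
MINIMAL_POLICIES = {
    "AmazonDynamoDBReadOnlyAccess", "AmazonEC2ReadOnlyAccess",
    "AmazonElastiCacheReadOnlyAccess", "AmazonESReadOnlyAccess",
    "AmazonKinesisReadOnlyAccess", "AmazonRedshiftReadOnlyAccess",
    "AmazonRDSReadOnlyAccess", "AmazonS3ReadOnlyAccess",
    "AmazonSESReadOnlyAccess", "AmazonSNSReadOnlyAccess",
    "AmazonSQSReadOnlyAccess", "AmazonVPCReadOnlyAccess",
    "AutoScalingReadOnlyAccess", "AWSLambdaReadOnlyAccess",
    "CloudFrontReadOnlyAccess", "CloudWatchReadOnlyAccess",
    "CloudWatchEventsReadOnlyAccess",
}


def trust_policy(monitoring_principal_arn: str, external_id: str) -> dict:
    """Trust policy for the role: only the given principal may assume it,
    and only when it presents the External ID tied to one Google Cloud
    project (enforced by the sts:ExternalId condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": monitoring_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_attached(attached: list[str]) -> dict:
    """Compare the role's attached managed-policy names against the minimal
    set. Reports policies still missing, and policies broader than a
    per-service read-only policy (non-ReadOnly names, or the account-wide
    ReadOnlyAccess policy the standard instructions use)."""
    names = set(attached)
    too_broad = [
        n for n in names
        if n == "ReadOnlyAccess"
        or not (n.endswith("ReadOnlyAccess") or n.endswith("ReadOnly"))
    ]
    return {"missing": sorted(MINIMAL_POLICIES - names),
            "too_broad": sorted(too_broad)}


if __name__ == "__main__":
    # Constructed placeholder values; the real principal ARN and External ID
    # come from the Monitoring setup flow, not from this script.
    print(json.dumps(trust_policy("arn:aws:iam::111111111111:root",
                                  "EXAMPLE-EXTERNAL-ID"), indent=2))
    print(audit_attached(["ReadOnlyAccess", "CloudWatchReadOnlyAccess"]))
```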

Modifying an AWS role

If you have already added your AWS account as a monitored project, then you can limit Monitoring access by changing the permissions in the AWS role you are already using:

  1. Log in to your AWS account.
  2. Go to Services > IAM > Roles to get to the AWS IAM console.
  3. At the bottom of the page, click the role name you are using to authorize Stackdriver. In the Permissions tab, you see the list of permissions for that role:

    • To remove an existing permission, click the X to the right of the permission.
    • To add additional permissions, click Attach policy:
      1. Use the filter to find the policy you want.
      2. Select one of the policies ending in ReadOnlyAccess or ReadOnly.
      3. Click Attach Policy.
      4. Repeat to add more policies.

Adding an AWS account with limited access

To add an AWS account with limited access, follow the standard instructions except for the step which specifies that you select the role ReadOnlyAccess.

Replace that step with the following:

  1. Use the filter to locate a permissions policy you want to use. Select a ReadOnly variant of the policy because that is all you need.
  2. Repeat as necessary to select more permissions.
  3. When finished, click Next: Review.
  4. Continue with the standard instructions.