Minimal AWS permissions

This page explains how to minimize Cloud Monitorings access to your AWS account.


When you use the standard instructions for adding an AWS account to one of your Workspaces, you grant Monitoring read-only access to all your AWS resources. This is done by creating a role in AWS IAM with read-only access to all services. You store in your Workspace a key (the Role ARN) that lets Monitoring use that role.

Monitoring's level of access is controlled by the AWS IAM role you choose. To minimize access, create an AWS IAM role with read-only access to only some of your AWS resources, rather than to all of them. For example, your role might permit access to only CloudWatch and SNS.

An AWS role used to authorize Monitoring can be used in only one Workspace. Each role contains an External ID that is specific to a single Workspace.

Minimal permissions

The following AWS permission policies are the minimal set required by Monitoring. Your AWS role must contain at least these permissions:


This list could grow as new AWS services are added to Monitoring. You can add additional permissions to balance Monitoring functionality with your desire to keep access limited.

Modifying an AWS role

If you have already added your AWS account to a Workspace, then you can limit Monitoring access by changing the permissions in the AWS role you are already using:

  1. Login to your AWS account.
  2. Go to Services > IAM > Roles to get to the AWS IAM console.
  3. At the bottom of the page, click the role name you are using to authorize Stackdriver. In the Permissions tab, you see the list of permissions for that role:

    • To remove an existing permission, click the X to the right of the permission.
    • To add additional permissions, click Attach policy:
      1. Use the filter to find the policy you want.
      2. Select one of the policies ending in ReadOnlyAccess or ReadOnly.
      3. Click Attach Policy.
      4. Repeat to add more policies.

Adding an AWS account with limited access

Refer to the standard instructions at Adding a project or account to a Workspace. The instructions for creating your AWS Role are not in the Stackdriver user documentation, but instead are listed inside the Cloud Monitoring page in the Google Cloud Console, when you add an AWS account. Following is a screenshot of those instructions.

Add AWS account dialog that asks for Role ARN and account description.

Here is how to modify those instructions:

  1. Find step 7, "Select ReadOnlyAccess from the policy list and click Next: Review."

  2. Replace that step with the following:

    1. Use the filter to locate a permissions policy you want to use. Select a ReadOnly variant of the policy because that is all you need.
    2. Repeat as necessary to select more permissions.
    3. When finished, click Next: Review. You see something like the following:

    Review role

  3. Continue with the standard instructions.