
Policies and permissions

Whether you are providing access by creating an IAM user or via the cross-account IAM role, you need to provide permissions for Site24x7. These permissions decide what specific AWS resources can be accessed.

Site24x7 requires ReadOnly permissions to your AWS services and resources. You can either assign the default ReadOnly policy, assign our custom policy, or create your own.

 

Default ReadOnly access policy (recommended)

To avoid monitoring blind spots and to use Site24x7's full scope of monitoring capabilities, we recommend attaching the AWS managed policy "ReadOnlyAccess" to the IAM user or role you created. This policy provides read-only access to all popular AWS services.

Note

  • The read-only permissions required to monitor Kinesis Video Streams usage are not present in the managed policy "ReadOnlyAccess". To monitor them, attach the managed policy "AmazonKinesisVideoStreamsReadOnlyAccess" alongside "ReadOnlyAccess", or construct a new policy from scratch in the visual editor.
  • The read-only permissions required to monitor Route 53 Resolver are not present in the managed policy "ReadOnlyAccess". To monitor it, construct a new policy from scratch in the visual editor or create a role with the necessary permissions.

These predefined policies are maintained and updated by the AWS team itself, so when we bring in monitoring support for any new AWS service, there won't be any need for you to update the permissions in the policy document.

The supported AWS services and the individual actions required for each service are listed below.

AWS service / Read-level actions / Partial write-level actions

(Each service below is followed by its read-level actions and then, after a blank line, by its partial write-level actions where any apply.)
CloudWatch

"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"

 
CloudWatch Logs

"logs:Start*",
"logs:Get*",
"logs:Describe*"

 
DynamoDB

"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:DescribeLimits",
"lambda:ListEventSourceMappings"

 
EC2

"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:GetConsoleOutput",
"ec2:DescribeImages",
"ec2:DescribeVolumeStatus",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVolumes",
"ec2:DescribeAccountAttributes",
"ec2:DescribeElasticGpus",
"ec2:DescribeInstanceStatus",
"ec2:DescribeVpcs",
"ec2:DescribeFlowLogs",
"ec2:DescribeNatGateways",
"ec2:DescribeSubnets",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkAcls",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeAutoScalingGroups"

"ec2:RebootInstances",
"ec2:UnmonitorInstances",
"ec2:MonitorInstances",
"ec2:StopInstances",
"ec2:StartInstances"

Elastic Beanstalk

"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeAccountAttributes",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:ListTagsForResource",
"cloudformation:ListStackResources",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAccountLimits",
"autoscaling:DescribeLaunchConfigurations",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket"

"elasticbeanstalk:RestartAppServer"
ELB

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups"

 
Gateway Load Balancer

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations"

 
RDS

"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:DescribeDBLogFiles",
"rds:DescribeAccountAttributes",
"rds:DescribeDBClusters",
"rds:DescribeEvents"

"rds:StartDBInstance",
"rds:RebootDBInstance",
"rds:StopDBInstance",
"rds:StartDBCluster",
"rds:StopDBCluster",
"rds:FailoverDBCluster"

S3

"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:ListAllMyBuckets",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:GetBucketLogging",
"s3:ListBucket"

 
SNS

"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:GetSMSAttributes"

sns:Publish
Lambda

"lambda:ListFunctions",
"lambda:ListTags",
"lambda:GetFunctionConfiguration",
"lambda:GetAccountSettings",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"lambda:GetPolicy"

"lambda:InvokeFunction"
Lambda logs

"logs:Describe*",
"logs:Get*"

 
ElastiCache

"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:ListTagsForResource",
"elasticache:DescribeServiceUpdates",
"elasticache:DescribeReplicationGroups"

elasticache:RebootCacheCluster
Simple Queue Service (SQS)

"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:GetQueueAttributes"

sqs:SendMessage
Amazon CloudFront

"cloudfront:GetDistribution",
"cloudfront:ListPublicKeys",
"cloudfront:ListTagsForResource",
"cloudfront:ListInvalidations",
"cloudfront:ListDistributions",
"cloudfront:GetDistributionConfig"

 
Amazon Kinesis Data Streams

"kinesis:DescribeStreamSummary",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesis:DescribeStream"

"kinesis:PutRecord"
Amazon Kinesis Video Streams

"kinesisvideo:ListStreams",
"kinesisvideo:ListTagsForStream",
"kinesisvideo:DescribeStream"

 
Amazon Kinesis Firehose

"firehose:ListDeliveryStreams",
"firehose:ListTagsForDeliveryStream",
"firehose:DescribeDeliveryStream"

 
Amazon Kinesis Data Analytics

"kinesisanalytics:ListApplications",
"kinesisanalytics:ListTagsForResource",
"kinesisanalytics:DescribeApplication"

kinesisanalytics:StopApplication
kinesisanalytics:StartApplication
Route 53

Route 53 Health Check:
"route53:ListTagsForResources",
"route53:GetHealthCheckStatus",
"route53:ListHealthChecks",
"route53:GetHealthCheck",
"route53:ListGeoLocations",
"route53:ListTagsForResource"

Route 53 Hosted Zone & Record Set Check:
"route53:ListTagsForResources",
"route53:GetHealthCheckLastFailureReason",
"route53:GetHealthCheckStatus",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListGeoLocations",
"route53:GetTrafficPolicyInstance",
"route53:GetTrafficPolicy",
"route53:ListTagsForResource",
"route53:ListQueryLoggingConfigs",
"route53domains:ListDomains",
"route53domains:GetDomainDetail",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

Route 53 Resolver:
"route53resolver:ListResolverEndpointIpAddresses",
"route53resolver:ListResolverRules",
"route53resolver:GetResolverRule",
"route53resolver:ListResolverRuleAssociations",
"route53resolver:ListResolverEndpoints"

 
Direct Connect

"directconnect:DescribeConnections",
"directconnect:DescribeTags",
"directconnect:DescribeVirtualGateways",
"directconnect:DescribeVirtualInterfaces"

 
VPC-Virtual Private Network (VPN) connection

"ec2:DescribeVpnConnections",
"ec2:DescribeAddresses"

 
API Gateway

"apigateway:GET"

"apigateway:POST"
Amazon Elastic Container Service (ECS)

"ecs:ListServices",
"ecs:ListAccountSettings",
"ecs:ListTagsForResource",
"ecs:DescribeServices",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:DescribeClusters",
"ecs:ListClusters",
"ecs:ListTasks",
"ecs:DescribeTasks"

 
Amazon Redshift

"redshift:DescribeClusters",
"redshift:DescribeClusterParameters",
"redshift:DescribeLoggingStatus",
"redshift:DescribeEvents",
"redshift:DescribeAccountAttributes"

redshift:RebootCluster
Elastic File System (EFS)

"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups"

 
Simple Email Service (SES)

"ses:DescribeConfigurationSet",
"ses:DescribeReceiptRuleSet",
"ses:GetSendQuota",
"ses:GetIdentityPolicies",
"ses:GetIdentityNotificationAttributes",
"ses:GetIdentityMailFromDomainAttributes",
"ses:GetTemplate",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetAccountSendingEnabled",
"ses:ListIdentityPolicies",
"ses:ListIdentities",
"ses:ListConfigurationSets",
"ses:ListReceiptRuleSets",
"ses:ListReceiptFilters",
"ses:ListTemplates"

ses:SendEmail
ses:SendTemplatedEmail

Step Functions

"states:ListStateMachines",
"states:DescribeStateMachine",
"states:ListActivities",
"states:DescribeExecution",
"states:ListExecutions",
"states:GetExecutionHistory",
"states:ListTagsForResource"

"states:StartExecution"
Web Application Firewall (WAF)

"waf-regional:ListWebACLs",
"waf-regional:ListRules",
"waf-regional:GetWebACL",
"waf-regional:ListTagsForResource",
"waf-regional:GetGeoMatchSet",
"waf-regional:GetIPSet",
"waf-regional:GetXssMatchSet",
"waf-regional:GetByteMatchSet",
"waf-regional:GetRegexMatchSet",
"waf-regional:GetSqlInjectionMatchSet",
"waf-regional:GetSizeConstraintSet",
"waf-regional:ListActivatedRulesInRuleGroup",
"waf:ListRules",
"waf:GetWebACL",
"waf:ListTagsForResource",
"waf:ListWebACLs",
"waf:GetByteMatchSet",
"waf:GetIPSet",
"waf:GetXssMatchSet",
"waf:GetRegexMatchSet",
"waf:GetSizeConstraintSet",
"waf:ListActivatedRulesInRuleGroup",
"wafv2:ListLoggingConfigurations",
"wafv2:GetWebACL",
"wafv2:ListTagsForResource",
"wafv2:ListWebACLs",
"wafv2:GetIPSet",
"wafv2:GetRegexPatternSet",
"wafv2:GetRuleGroup",
"waf-regional:ListResourcesForWebACL",
"cloudfront:ListDistributionsByWebACLId"

 
Key Management Service (KMS)

"kms:DescribeCustomKeyStores",
"kms:DescribeKey",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListResourceTags",
"kms:ListKeys",
"kms:GetKeyPolicy",
"kms:ListGrants",
"kms:ListKeyPolicies"

 
CloudSearch

"cloudsearch:DescribeDomains",
"cloudsearch:DescribeIndexFields",
"cloudsearch:DescribeAvailabilityOptions",
"cloudsearch:DescribeScalingParameters",
"cloudsearch:DescribeAnalysisSchemes",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:DescribeExpressions",
"cloudsearch:DescribeSuggesters"

 
Elasticsearch

"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"es:ListTags",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"es:DescribePackages"

 
Elastic MapReduce

"elasticmapreduce:ListSecurityConfigurations",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceFleets",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListInstances"

elasticmapreduce:AddJobFlowSteps
WorkSpaces

"workspaces:DescribeTags",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspacesConnectionStatus",
"workspaces:DescribeIpGroups",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceImages"

workspaces:StartWorkspaces
workspaces:RebootWorkspaces
workspaces:RebuildWorkspaces
workspaces:StopWorkspaces
Certificate Manager (ACM)

"acm:ListCertificates",
"acm:ListTagsForCertificate",
"acm:DescribeCertificate",
"acm:GetCertificate"

 
Lightsail Instance

"lightsail:GetInstances",
"lightsail:GetInstance",
"lightsail:GetActiveNames",
"lightsail:GetOperationsForResource",
"lightsail:GetInstanceMetricData"

lightsail:StartInstance
lightsail:StopInstance
lightsail:RebootInstance
Lightsail Database

"lightsail:GetRelationalDatabases",
"lightsail:GetRelationalDatabase",
"lightsail:GetRelationalDatabaseEvents",
"lightsail:GetRelationalDatabaseLogEvents",
"lightsail:GetRelationalDatabaseLogStreams",
"lightsail:GetOperationsForResource",
"lightsail:GetRelationalDatabaseMetricData"

lightsail:StartRelationalDatabase
lightsail:StopRelationalDatabase
lightsail:RebootRelationalDatabase
Lightsail Load Balancer

"lightsail:GetLoadBalancers",
"lightsail:GetLoadBalancer",
"lightsail:GetLoadBalancerTlsCertificates",
"lightsail:GetOperationsForResource",
"lightsail:GetLoadBalancerMetricData"

 
Elastic Kubernetes Service (EKS)

"eks:DescribeCluster",
"eks:ListClusters",
"cloudwatch:ListMetrics"

 
Storage Gateway

"storagegateway:DescribeGatewayInformation",
"storagegateway:ListGateways",
"storagegateway:ListTagsForResource",
"storagegateway:ListTapes",
"storagegateway:ListFileShares",
"storagegateway:ListVolumes",
"storagegateway:DescribeAvailabilityMonitorTest",
"storagegateway:DescribeBandwidthRateLimit",
"storagegateway:DescribeCache",
"storagegateway:DescribeCachediSCSIVolumes",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:DescribeStorediSCSIVolumes",
"storagegateway:DescribeTapeArchives",
"storagegateway:DescribeTapes",
"storagegateway:DescribeUploadBuffer",
"storagegateway:ListLocalDisks",
"storagegateway:DescribeVTLDevices",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

 
Amazon MQ

"mq:DescribeBroker",
"mq:DescribeConfiguration",
"mq:DescribeConfigurationRevision",
"mq:DescribeUser",
"mq:ListTags",
"mq:ListBrokers",
"mq:DescribeBrokerEngineTypes",
"cloudwatch:ListMetrics",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

mq:RebootBroker
Transit Gateway

"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeAddresses"

ec2:SearchTransitGatewayRoutes
ec2:SearchTransitGatewayMulticastGroups
Data Migration Service (DMS)

"dms:DescribeAccountAttributes",
"dms:DescribeReplicationInstances",
"dms:DescribeReplicationTasks",
"dms:DescribeTableStatistics",
"dms:DescribeCertificates",
"dms:DescribeConnections",
"dms:DescribeEndpoints",
"dms:ListTagsForResource",
"dms:DescribeEvents",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

dms:StartReplicationTask
dms:StopReplicationTask
Amazon FSx

"fsx:ListTagsForResource",
"fsx:DescribeBackups",
"fsx:DescribeDataRepositoryTasks",
"fsx:DescribeFileSystems",
"fsx:DescribeVolumes",
"fsx:DescribeStorageVirtualMachines"

fsx:CreateDataRepositoryTask
fsx:CreateBackup
GuardDuty

"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:GetFindings"

 
Lambda@Edge

"lambda:GetAccountSettings",
"lambda:GetFunctionConfiguration",
"lambda:ListTags",
"cloudfront:ListPublicKeys",
"cloudfront:ListDistributions"

lambda:InvokeFunction
DocumentDB

"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:ListTagsForResource",
"rds:DescribeCertificates",
"rds:DescribeEvents",
"rds:DescribeGlobalClusters",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

 
AWS Transfer Family (SFTP)

"transfer:DescribeUser",
"transfer:DescribeServer",
"transfer:ListUsers",
"transfer:ListServers",
"transfer:ListTagsForResource",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

"transfer:StartServer",
"transfer:StopServer"
AWS Systems Manager

"ssm:ListCommands",
"ssm:DescribeInstanceInformation",
"ssm:ListCommandInvocations"

 
Service Quotas

"servicequotas:GetRequestedServiceQuotaChange",
"servicequotas:ListRequestedServiceQuotaChangeHistory",
"servicequotas:ListServiceQuotas"

"servicequotas:RequestServiceQuotaIncrease"

Amazon AppStream 2.0

"appstream:DescribeFleets",
"appstream:ListAssociatedStacks",
"appstream:DescribeImages",
"appstream:DescribeUserStackAssociations",
"appstream:DescribeUsers",
"appstream:DescribeSessions",
"appstream:DescribeApplicationFleetAssociations",
"appstream:DescribeApplications",
"appstream:ListTagsForResource"

"appstream:StopFleet"
"appstream:StartFleet"

AWS AppSync

"appsync:GetGraphqlApi",
"appsync:GetApiCache",
"appsync:GetSchemaCreationStatus",
"appsync:ListTagsForResource",
"appsync:ListDataSources",
"appsync:ListTypes",
"appsync:ListResolvers",
"appsync:GetFunction",
"appsync:ListGraphqlApis",
"appsync:GetType",
"appsync:ListApiKeys",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

 
AWS Health

"health:DescribeAffectedEntities"
"health:DescribeEventAggregates"
"health:DescribeEventDetails"
"health:DescribeEvents"

 
AWS Backup

"backup:ListCopyJobs"
"backup:ListTags"
"backup:ListBackupJobs"
"backup:ListProtectedResources"
"backup:DescribeGlobalSettings"
"backup-gateway:ListHypervisors"
"backup:DescribeRegionSettings"
"backup:ListRestoreJobs"
"backup:ListBackupVaults"
"backup:DescribeBackupVault"
"backup:ListBackupPlans"
"backup-gateway:ListGateways"
"backup-gateway:ListVirtualMachines"
"backup:ListRecoveryPointsByBackupVault"
"backup:GetBackupPlan"
"backup:ListBackupSelections"

 
Amazon EBS volume

"ec2:DescribeVolumes",
"ec2:DescribeSnapshots"

 

AWS Batch

"batch:DescribeJobDefinitions",
"batch:DescribeJobQueues",
"batch:DescribeJobs",
"batch:ListJobs"

"batch:TerminateJob",
"batch:CancelJob"

Amazon EBS snapshot

"ec2:DescribeVolumes"
"ec2:DescribeSnapshots"

 
AWS Secrets Manager

"secretsmanager:DescribeSecret"
"secretsmanager:ListSecrets"
"secretsmanager:GetResourcePolicy"

"secretsmanager:RotateSecret"
AWS Elastic IP

"ec2:DescribeAddresses"

 
AWS Trusted Advisor

"support:DescribeTrustedAdvisorCheckResult"
"support:DescribeTrustedAdvisorCheckSummaries"
"support:DescribeTrustedAdvisorChecks"

"support:RefreshTrustedAdvisorCheck"
Amazon VPC 

"ec2:Describe*"

 
Amazon RDS Proxy

"rds:DescribeDBProxies"
"rds:DescribeDBProxyEndpoints"
"rds:DescribeDBProxyTargetGroups"
"rds:DescribeDBProxyTargets"

 
Amazon MSK

"kafka:ListClustersV2"
"kafka:DescribeClusterV2"
"kafka:ListNodes"
"kafka:ListReplicators"
"kafka:DescribeReplicator"
"kafkaconnect:ListConnectors"
"kafkaconnect:DescribeConnector"
"kafkaconnect:DescribeCustomPlugin"
"kafkaconnect:DescribeWorkerConfiguration"

 
AWS Glue

"glue:ListJobs"
"glue:ListCrawlers"
"glue:GetTriggers"
"glue:GetJobRuns"
"glue:ListCrawls"
"glue:GetJobRun"
"glue:GetCrawler"
"glue:GetJob"
"glue:GetTags"
"glue:GetClassifier"
"glue:GetConnection"
"glue:GetCrawlerMetrics"

"glue:StartJobRun"
"glue:StartCrawler"

RabbitMQ

"mq:DescribeBroker"
"mq:DescribeConfiguration"
"mq:DescribeConfigurationRevision"
"mq:DescribeUser"
"mq:ListTags"
"mq:ListBrokers"
"mq:DescribeBrokerEngineTypes"
"cloudwatch:ListMetrics"
"logs:DescribeLogStreams"
"logs:GetLogEvents"

 
AWS DRS

"drs:DescribeSourceServers"
"drs:ListStagingAccounts"
"drs:ListTagsForResource"
"drs:GetReplicationConfiguration"
"drs:GetLaunchConfiguration"
"drs:DescribeRecoveryInstances"

 

Create your own custom IAM policy (Visual editor)

If your organization doesn't permit you to assign the default ReadOnly policy or if you prefer to have more precise control over the permissions you provide, you can create your own policy using the point-and-click visual editor in the IAM console.

Follow the steps mentioned below to create a new policy using the visual editor:

  1. Log in to the AWS IAM console.
  2. Select Access Management > Policies from the left navigation pane.
  3. Click Create policy.
  4. Select the Visual editor tab.
  5. Search and select CloudWatch from the Select a service drop-down list.
  6. From the Access level section, select Read. Select the applicable read actions.
  7. Configure the Resources and Request conditions sections based on your requirement.
  8. Click +Add more permissions and repeat the same process for the other supported services you need. Click Next once you have completed the configuration.
  9. In the Review and create page, enter the Policy name and Description.
  10. Click Create policy.

Site24x7's custom policy for ReadOnly actions (JSON)

You can also use our custom policy document to provide access to your AWS resources. Paste the policy JSON below into the JSON editor, review it, give it an appropriate name and description, and click Create policy.

Once done, attach the policy to the Site24x7 IAM user or role.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"cloudwatch:Describe*",
				"cloudwatch:Get*",
				"cloudwatch:List*",
				"dynamodb:Describe*",
				"dynamodb:List*",
				"ec2:Describe*",
				"sqs:Get*",
				"sqs:List*",
				"autoscaling:Describe*",
				"elasticloadbalancing:Describe*",
				"cloudfront:Get*",
				"cloudfront:List*",
				"s3:Get*",
				"s3:List*",
				"rds:Describe*",
				"rds:List*",
				"kinesisanalytics:Describe*",
				"kinesisanalytics:Get*",
				"kinesisanalytics:List*",
				"kinesis:Describe*",
				"kinesis:Get*",
				"kinesis:List*",
				"kinesisvideo:Get*",
				"kinesisvideo:List*",
				"kinesisvideo:Describe*",
				"firehose:Describe*",
				"firehose:List*",
				"elasticache:Describe*",
				"elasticache:List*",
				"elasticbeanstalk:Describe*",
				"elasticbeanstalk:List*",
				"directconnect:Describe*",
				"apigateway:GET",
				"ecs:DescribeServices",
				"ecs:DescribeContainerInstances",
				"ecs:DescribeClusters",
				"ecs:List*",
				"redshift:Describe*",
				"elasticfilesystem:Describe*",
				"ses:Get*",
				"ses:List*",
				"ses:Describe*",
				"lambda:List*",
				"lambda:Get*",
				"logs:Describe*",
				"logs:Get*",
				"route53domains:Get*",
				"route53domains:List*",
				"route53:Get*",
				"route53:List*",
				"route53resolver:Get*",
				"route53resolver:List*",
				"states:List*",
				"states:Describe*",
				"states:GetExecutionHistory",
				"sns:Get*",
				"sns:List*",
				"kms:Describe*",
				"kms:Get*",
				"kms:List*",
				"waf:Get*",
				"waf:List*",
				"waf-regional:List*",
				"waf-regional:Get*",
				"cloudsearch:Describe*",
				"cloudsearch:List*",
				"es:Describe*",
				"es:List*",
				"es:Get*",
				"workspaces:Describe*",
				"ds:Describe*",
				"elasticmapreduce:List*",
				"elasticmapreduce:Describe*",
				"acm:GetCertificate",
				"acm:Describe*",
				"acm:List*",
				"lightsail:Get*",
				"eks:Describe*",
				"eks:List*",
				"mq:Describe*",
				"mq:List*",
				"ec2:Get*",
				"ec2:SearchTransitGatewayRoutes",
				"ec2:SearchTransitGatewayMulticastGroups",
				"storagegateway:List*",
				"storagegateway:Describe*",
				"guardduty:GetFindings",
				"guardduty:ListDetectors",
				"guardduty:ListFindings",
				"dms:Describe*",
				"dms:List*",
				"dms:TestConnection",
				"fsx:Describe*",
				"fsx:ListTagsForResource",
				"inspector:List*",
				"inspector:Describe*",
				"transfer:Describe*",
				"transfer:List*",
				"ssm:ListCommands",
				"ssm:DescribeInstanceInformation",
				"ssm:ListCommandInvocations",
				"appstream:Describe*",
				"appstream:List*",
				"appsync:List*",
				"appsync:Get*",
				"health:Describe*",
				"backup:ListCopyJobs",
				"backup:ListTags",
				"backup:ListBackupJobs",
				"backup:ListProtectedResources",
				"backup:DescribeGlobalSettings",
				"backup-gateway:ListHypervisors",
				"backup:DescribeRegionSettings",
				"backup:ListRestoreJobs",
				"backup:ListBackupVaults",
				"backup:DescribeBackupVault",
				"backup:ListBackupPlans",
				"backup-gateway:ListGateways",
				"backup-gateway:ListVirtualMachines",
				"backup:ListRecoveryPointsByBackupVault",
				"backup:GetBackupPlan",
				"backup:ListBackupSelections",
				"batch:DescribeJobDefinitions",
				"batch:DescribeJobQueues",
				"batch:DescribeJobs",
				"batch:ListJobs",
				"secretsmanager:DescribeSecret",
				"secretsmanager:ListSecrets",
				"secretsmanager:GetResourcePolicy",
				"wafv2:ListLoggingConfigurations",
				"wafv2:GetWebACL",
				"wafv2:ListTagsForResource",
				"wafv2:ListWebACLs",
				"wafv2:GetIPSet",
				"wafv2:GetRegexPatternSet",
				"wafv2:GetRuleGroup",
				"ssm:DescribeActivations",
				"batch:DescribeComputeEnvironments",
				"servicequotas:GetRequestedServiceQuotaChange",
				"servicequotas:ListRequestedServiceQuotaChangeHistory",
				"servicequotas:ListServiceQuotas",
				"support:DescribeTrustedAdvisorCheckResult",
				"support:DescribeTrustedAdvisorCheckSummaries",
				"support:DescribeTrustedAdvisorChecks",
				"kafka:ListClustersV2",
				"kafka:DescribeClusterV2",
				"kafka:ListNodes",
				"kafka:ListReplicators",
				"kafka:DescribeReplicator",
				"kafkaconnect:ListConnectors",
				"kafkaconnect:DescribeConnector",
				"kafkaconnect:DescribeCustomPlugin",
				"kafkaconnect:DescribeWorkerConfiguration",
				"glue:ListJobs",
				"glue:ListCrawlers",
				"glue:GetTriggers",
				"glue:GetJobRuns",
				"glue:ListCrawls",
				"glue:GetJobRun",
				"glue:GetCrawler",
				"glue:GetJob",
				"glue:GetTags",
				"glue:GetClassifier",
				"glue:GetConnection",
				"glue:GetCrawlerMetrics",
				"drs:DescribeSourceServers",
				"drs:ListStagingAccounts",
				"drs:ListTagsForResource",
				"drs:GetReplicationConfiguration",
				"drs:GetLaunchConfiguration",
				"drs:DescribeRecoveryInstances"
			],
			"Effect": "Allow",
			"Resource": "*"
		}
	]
}

This policy was last updated on October 07, 2024.

Note

This policy is created and maintained by the Site24x7 team and provides ReadOnly access to all the AWS services under monitoring support. It is subject to change when new AWS integrations are added, so make sure you are up to date with the latest version. Because it uses service-wide wildcards such as "ec2:Describe*" and "s3:Get*", it grants more than the individual actions listed in the table above, and "Resource": "*" is used because many List and Describe APIs do not support resource-level permissions. Note in particular that "s3:Get*" on "Resource": "*" includes s3:GetObject, i.e. read access to the contents of every bucket in the account; if that is not acceptable, replace it with the bucket-level actions listed in the S3 row of the table. Review any entry whose verb is not Describe, Get, List or Search (for example "dms:TestConnection") against your own requirements before attaching the policy.

Site24x7's custom policy for partial write-level actions (JSON)

Create a new custom IAM policy with the below mentioned JSON, to help Site24x7 perform actions in response to alert events.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:RebootInstances",
				"sns:Publish",
				"ec2:StartInstances",
				"kinesisanalytics:StopApplication",
				"kinesisanalytics:StartApplication",
				"kinesis:PutRecord",
				"rds:RebootDBInstance",
				"elasticache:RebootCacheCluster",
				"lambda:InvokeFunction",
				"redshift:RebootCluster",
				"ses:SendEmail",
				"apigateway:POST",
				"elasticbeanstalk:RestartAppServer",
				"sqs:SendMessage",
				"rds:StopDBInstance",
				"ec2:StopInstances",
				"rds:StartDBInstance",
				"states:StartExecution",
				"elasticmapreduce:AddJobFlowSteps",
				"workspaces:StartWorkspaces",
				"workspaces:RebootWorkspaces",
				"workspaces:RebuildWorkspaces",
				"workspaces:StopWorkspaces",
				"lightsail:StartRelationalDatabase",
				"lightsail:StopRelationalDatabase",
				"lightsail:RebootRelationalDatabase",
				"lightsail:StartInstance",
				"lightsail:StopInstance",
				"lightsail:RebootInstance",
				"mq:RebootBroker",
				"dms:StartReplicationTask",
				"dms:StopReplicationTask",
				"fsx:CreateDataRepositoryTask",
				"fsx:CreateBackup",
				"transfer:StartServer",
				"transfer:StopServer",
				"servicequotas:RequestServiceQuotaIncrease",
				"appstream:StopFleet",
				"appstream:StartFleet",
				"batch:TerminateJob",
				"batch:CancelJob",
				"secretsmanager:RotateSecret",
				"support:RefreshTrustedAdvisorCheck",
				"glue:StartJobRun",
				"glue:StartCrawler"
			],
			"Resource": "*"
		}
	]
}

This policy was last updated on April 17, 2024.

The above policy JSON contains partial write-level permissions. They are used for automations such as stopping, starting or rebooting EC2 and RDS instances, rebooting ElastiCache clusters, invoking Lambda functions, starting or stopping Kinesis Data Analytics applications, and publishing a message to an SNS topic or SQS queue, among others. Every action here changes the state of a resource or sends data, so treat this policy as the one to trim: if you don't want Site24x7 to perform certain actions, remove those permissions from the JSON before creating the policy, and keep it as a separate policy from the read-only one so it can be detached on its own.
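The checks a reviewer would run before attaching either policy, written as an added example (not Site24x7's or AWS's code): verify that every entry in the read-only document uses a read verb, verify that the concrete actions from the per-service table are actually covered by the wildcard patterns, and confirm that removing an action from the write-level document removes the grant. The two policies in the script are constructed excerpts of the JSON documents on this page, not the full lists; the read-only excerpt deliberately carries "batch:TerminateJob" so the verb check has something to catch. READONLY_POLICY, WRITE_POLICY, REQUIRED and the function names are this example's own.

```python
"""Offline sanity checks for IAM policy documents like the two on this page.

Added example, not Site24x7's or AWS's code. Both policies below are
constructed excerpts of the JSON documents above, not the full lists.
"""
import fnmatch
import json

# Constructed excerpt of the "ReadOnly actions" policy. "batch:TerminateJob"
# is included on purpose: it is a mutating action that should not be here.
READONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "cloudwatch:Get*", "cloudwatch:List*",
      "ec2:Describe*", "ec2:Get*",
      "cloudfront:Get*", "cloudfront:List*",
      "batch:DescribeJobs", "batch:ListJobs", "batch:TerminateJob",
      "dms:Describe*", "dms:TestConnection",
      "kafkaconnect:ListConnectors"
    ],
    "Resource": "*"
  }]
}
""")

# Constructed excerpt of the "partial write-level actions" policy.
WRITE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances",
               "rds:RebootDBInstance", "rds:StopDBInstance", "sns:Publish"],
    "Resource": "*"
  }]
}
""")

# Verb prefixes treated as read-only, compared case-insensitively so that
# "apigateway:GET" passes. Anything else is flagged for human review.
READ_VERBS = ("describe", "get", "list", "search", "lookup", "view")


def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    acts = stmt.get("Action", [])          # IAM allows a string or a list here
    return [acts] if isinstance(acts, str) else list(acts)


def allowed_patterns(policy):
    """All Action entries from Allow statements, wildcards included."""
    return [a for s in _statements(policy) if s.get("Effect") == "Allow"
            for a in _actions(s)]


def policy_allows(policy, action):
    """True if some Allow pattern matches `action`. IAM matches action names
    case-insensitively; '*' and '?' are its wildcards, the same ones fnmatch uses."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in allowed_patterns(policy))


def non_read_actions(policy):
    """Action entries whose verb is not a read verb ('svc:*' counts as non-read).
    A hit is a review item, not proof of a write: confirm the access level in
    the AWS Service Authorization Reference before deciding."""
    flagged = []
    for pat in allowed_patterns(policy):
        _, _, verb = pat.partition(":")
        if not verb.lower().startswith(READ_VERBS):
            flagged.append(pat)
    return flagged


def missing_actions(policy, required):
    """Required actions (e.g. from the per-service table) the policy does not grant."""
    return [a for a in required if not policy_allows(policy, a)]


def drop_actions(policy, unwanted):
    """Copy of `policy` with the named actions removed from every statement
    (exact, case-insensitive match; wildcard entries are left alone)."""
    unwanted = {u.lower() for u in unwanted}
    new = json.loads(json.dumps(policy))   # deep copy; the input is untouched
    for s in _statements(new):
        s["Action"] = [a for a in _actions(s) if a.lower() not in unwanted]
    return new


# Constructed sample of concrete actions from the per-service table above.
REQUIRED = [
    "cloudwatch:GetMetricData",
    "ec2:DescribeVpcEndpointServiceConfigurations",
    "cloudfront:ListDistributionsByWebACLId",
    "kafkaconnect:ListConnectors",
    "kafkaconnect:DescribeConnector",
]

if __name__ == "__main__":
    print("flagged in read-only policy:", non_read_actions(READONLY_POLICY))
    print("required but not granted:", missing_actions(READONLY_POLICY, REQUIRED))
    trimmed = drop_actions(WRITE_POLICY, ["ec2:StopInstances", "rds:StopDBInstance"])
    print("can still stop EC2 after trimming:", policy_allows(trimmed, "ec2:StopInstances"))
```

Run it with python3 against the full documents by replacing the two excerpts with the JSON you intend to attach. The verb check is a heuristic: "dms:TestConnection" is flagged because its verb is not in the read set, and whether you keep it is a judgement call; "batch:TerminateJob" is flagged and clearly does not belong in a read-only policy. The coverage check shows how a wildcard such as "cloudfront:List*" silently covers "cloudfront:ListDistributionsByWebACLId" while "kafkaconnect:DescribeConnector" is only granted if it is listed explicitly.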
