Using a service-linked role for Network Synthetic Monitor - Amazon CloudWatch

Network Synthetic Monitor uses the following service-linked role for the permissions that it requires to call other AWS services on your behalf:

AWSServiceRoleForNetworkMonitor

Network Synthetic Monitor uses the service-linked role named AWSServiceRoleForNetworkMonitor to update and manage monitors.

The AWSServiceRoleForNetworkMonitor service-linked role trusts the following service to assume the role:

  • networkmonitor.amazonaws.com

The CloudWatchNetworkMonitorServiceRolePolicy managed policy is attached to the service-linked role. It grants the service access to VPC and EC2 resources in your account and lets it manage the monitors that you create.

Permissions groupings

The policy is grouped into the following sets of permissions:

  • cloudwatch - This allows the service principal to publish network monitoring metrics to CloudWatch resources.

  • ec2 - This allows the service principal to describe VPCs and subnets in your account to create or update monitors and probes. This also allows the service principal to create, modify, and delete security groups, network interfaces, and their associated permissions to configure the monitor or probe to send monitoring traffic to your endpoints.

To view the permissions for this policy, see CloudWatchNetworkMonitorServiceRolePolicy in the AWS Managed Policy Reference. Because the ec2 grouping includes creating, modifying, and deleting security groups and network interfaces, review the policy document before you rely on the role in a tightly controlled account.
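The following audit check is an added example and is not part of the CloudWatch documentation or of any AWS tooling. It takes the parsed JSON from three IAM calls (aws iam get-role, aws iam list-attached-role-policies, aws iam list-role-policies, all against AWSServiceRoleForNetworkMonitor) and verifies that the role matches what this page describes: it trusts only networkmonitor.amazonaws.com, lives under the service-linked-role path, and carries only CloudWatchNetworkMonitorServiceRolePolicy. The sample documents, the fictitious account ID, the managed policy ARN and the "drifted" role are constructed for illustration; the script does not call AWS.

```python
"""Audit a role against the documented shape of AWSServiceRoleForNetworkMonitor.

Inputs are the parsed JSON outputs of (hypothetical usage, not executed here):
  aws iam get-role --role-name AWSServiceRoleForNetworkMonitor
  aws iam list-attached-role-policies --role-name AWSServiceRoleForNetworkMonitor
  aws iam list-role-policies --role-name AWSServiceRoleForNetworkMonitor
The SAMPLE_* documents below are constructed for this example.
"""
import json

ROLE_NAME = "AWSServiceRoleForNetworkMonitor"
SERVICE_PRINCIPAL = "networkmonitor.amazonaws.com"
# Service-linked roles are created under /aws-service-role/<service-principal>/.
EXPECTED_PATH = f"/aws-service-role/{SERVICE_PRINCIPAL}/"
EXPECTED_POLICY = "CloudWatchNetworkMonitorServiceRolePolicy"


def _as_list(value):
    """IAM policy JSON allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(assume_role_doc):
    """Return the principals an Allow statement lets assume the role, as 'Kind:value' strings."""
    principals = set()
    for stmt in _as_list(assume_role_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # anonymous trust: flag it as its own principal
            principals.add("*")
            continue
        for kind, who in (principal or {}).items():
            for value in _as_list(who):
                principals.add(f"{kind}:{value}")
    return principals


def audit_role(get_role_out, attached_out, inline_out):
    """Compare a role against the documented service-linked role; return a list of findings."""
    findings = []
    role = get_role_out["Role"]
    if role.get("RoleName") != ROLE_NAME:
        findings.append(f"unexpected RoleName {role.get('RoleName')!r}")
    if role.get("Path") != EXPECTED_PATH:
        findings.append(f"unexpected Path {role.get('Path')!r}, expected {EXPECTED_PATH}")

    doc = role.get("AssumeRolePolicyDocument", {})
    if isinstance(doc, str):  # some tooling returns the trust policy as a JSON string
        doc = json.loads(doc)
    trusted = trusted_principals(doc)
    expected = {f"Service:{SERVICE_PRINCIPAL}"}
    if not expected <= trusted:
        findings.append(f"trust policy does not allow {SERVICE_PRINCIPAL} to assume the role")
    extra = trusted - expected
    if extra:
        findings.append(f"trust policy allows unexpected principals: {sorted(extra)}")

    attached = {p["PolicyName"] for p in attached_out.get("AttachedPolicies", [])}
    if EXPECTED_POLICY not in attached:
        findings.append(f"{EXPECTED_POLICY} is not attached")
    for name in sorted(attached - {EXPECTED_POLICY}):
        findings.append(f"unexpected attached policy {name}")
    for name in inline_out.get("PolicyNames", []):
        findings.append(f"unexpected inline policy {name}")
    return findings


# Constructed sample: the documented service-linked role (account ID is fictitious).
SAMPLE_GET_ROLE = {"Role": {
    "Path": EXPECTED_PATH,
    "RoleName": ROLE_NAME,
    "Arn": f"arn:aws:iam::123456789012:role{EXPECTED_PATH}{ROLE_NAME}",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL}, "Action": "sts:AssumeRole"}]},
}}
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": EXPECTED_POLICY,
     "PolicyArn": "arn:aws:iam::aws:policy/aws-service-role/" + EXPECTED_POLICY}]}
SAMPLE_INLINE = {"PolicyNames": []}

# Constructed sample: a same-named role that does NOT match the documented shape.
SAMPLE_BAD_GET_ROLE = {"Role": {
    "Path": "/",
    "RoleName": ROLE_NAME,
    "Arn": f"arn:aws:iam::123456789012:role/{ROLE_NAME}",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": SERVICE_PRINCIPAL, "AWS": "arn:aws:iam::123456789012:user/alice"},
         "Action": ["sts:AssumeRole"]}]},
}}
SAMPLE_BAD_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": EXPECTED_POLICY,
     "PolicyArn": "arn:aws:iam::aws:policy/aws-service-role/" + EXPECTED_POLICY},
    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}

if __name__ == "__main__":
    for label, args in (("documented", (SAMPLE_GET_ROLE, SAMPLE_ATTACHED, SAMPLE_INLINE)),
                        ("drifted", (SAMPLE_BAD_GET_ROLE, SAMPLE_BAD_ATTACHED, SAMPLE_INLINE))):
        print(label, audit_role(*args) or "OK")
```

Run it against the real CLI output by loading each command's JSON with json.load and passing the three documents to audit_role. An empty findings list means the role is the one this page describes; any other result is worth investigating, since the trust policy and permissions of a genuine service-linked role cannot be edited through IAM.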

Create the service-linked role

AWSServiceRoleForNetworkMonitor

You don't need to manually create the AWSServiceRoleForNetworkMonitor role.

  • Network Synthetic Monitor creates the AWSServiceRoleForNetworkMonitor role when you create your first monitor with the feature. This role then applies to all additional monitors that you create.

To create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Edit the service-linked role

You can edit only the description of the AWSServiceRoleForNetworkMonitor role, using IAM. You can't change the role's name, trust policy, or permissions policy, because other entities might reference the role. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Network Synthetic Monitor, we recommend that you delete the AWSServiceRoleForNetworkMonitor role.

You can delete the service-linked role only after you delete all of your monitors. If a monitor still exists when you try to delete the role, the deletion fails; delete the remaining monitors and try again. For more information, see Delete a monitor.

You can use the IAM console, the AWS CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

After you delete AWSServiceRoleForNetworkMonitor, Network Synthetic Monitor creates the role again when you create a new monitor.

Supported Regions for the Network Synthetic Monitor service-linked role

Network Synthetic Monitor supports the service-linked role in all AWS Regions where the service is available. For more information, see AWS endpoints in the AWS General Reference.