Application Signals에 필요한 권한
이 섹션에서는 Application Signals를 활성화, 관리 및 운영하는 데 필요한 권한을 설명합니다.
Application Signals를 활성화하고 관리할 수 있는 권한
Application Signals를 관리하려면 다음 권한으로 로그인해야 합니다.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsFullAccessPermissions", "Effect": "Allow", "Action": "application-signals:*", "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:DescribeMetricFilters" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" }, { "Sid": "CloudWatchApplicationSignalsLogsPermissions", "Effect": "Allow", "Action": [ "logs:GetQueryResults", "logs:StopQuery" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumPermissions", "Effect": "Allow", "Action": [ "rum:BatchCreateRumMetricDefinitions", "rum:BatchDeleteRumMetricDefinitions", "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors", "rum:PutRumMetricsDestination", "rum:UpdateRumMetricDefinition" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsPutMetricAlarmPermissions", "Effect": "Allow", "Action": "cloudwatch:PutMetricAlarm", "Resource": [ "arn:aws:cloudwatch:*:*:alarm:SLO-AttainmentGoalAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLO-WarningAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLI-HealthAlarm-*" ] }, { "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", "Condition": { "StringLike": { "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com" } } }, { "Sid": "CloudWatchApplicationSignalsGetRolePermissions", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" }, { "Sid": "CloudWatchApplicationSignalsSnsWritePermissions", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:Subscribe" ], "Resource": "arn:aws:sns:*:*:cloudwatch-application-signals-*" }, { "Sid": "CloudWatchApplicationSignalsSnsReadPermissions", "Effect": "Allow", "Action": "sns:ListTopics", "Resource": "*" } ] }
Amazon EC2에서 Application Signals, Kubernetes 또는 사용자 지정 아키텍처를 활성화하려면 사용자 지정 설정으로 다른 플랫폼에서 Application Signals활성화를 참조하세요. Amazon CloudWatch Observability EKS 추가 기능을 사용하여 Amazon EKS에서 Application Signals를 활성화하고 관리하려면 다음 권한이 필요합니다.
중요
이러한 권한에는 Resource "*”가 있는 iam:PassRole과 Resource “*”가 있는 eks:CreateAddon이 포함됩니다. 이들은 강력한 권한이므로 주의해서 부여해야 합니다.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:AccessKubernetesApi", "eks:CreateAddon", "eks:DescribeAddon", "eks:DescribeAddonConfiguration", "eks:DescribeAddonVersions", "eks:DescribeCluster", "eks:DescribeUpdate", "eks:ListAddons", "eks:ListClusters", "eks:ListUpdates", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:DeleteAddon", "eks:UpdateAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }
Application Signals 대시보드에는 SLO가 연결된 AWS Service Catalog AppRegistry 애플리케이션이 표시됩니다. SLO 페이지에서 이러한 애플리케이션을 보려면 다음 권한이 필요합니다.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }
Application Signals 운영
Application Signals를 사용하여 서비스와 SLO를 모니터링하는 서비스 운영자는 다음 읽기 전용 권한을 가진 계정에 로그인해야 합니다.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsReadOnlyAccessPermissions", "Effect": "Allow", "Action": [ "application-signals:BatchGet*", "application-signals:Get*", "application-signals:List*" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsGetRolePermissions", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" }, { "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:DescribeMetricFilters" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" }, { "Sid": "CloudWatchApplicationSignalsLogsPermissions", "Effect": "Allow", "Action": [ "logs:GetQueryResults", "logs:StopQuery" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsReadPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumReadPermissions", "Effect": "Allow", "Action": [ "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayReadPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" } ] }
Application Signals 대시보드에서 SLO와 연결된 AWS Service Catalog AppRegistry 애플리케이션을 확인하려면 다음 권한이 필요합니다.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }
Amazon CloudWatch Observability EKS 추가 기능을 사용하여 Amazon EKS에서 Application Signals를 활성화했는지 확인하려면 다음 권한이 필요합니다.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksReadPermissions", "Effect": "Allow", "Action": [ "eks:ListAddons", "eks:ListClusters" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions", "Effect": "Allow", "Action": [ "eks:DescribeAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }
