IAM permissions and policies
Access to Amazon Managed Service for Prometheus actions and data requires credentials. Those credentials must have permissions to perform the actions and to access the AWS resources, such as retrieving Amazon Managed Service for Prometheus data about your cloud resources. The following sections provide details about how you can use AWS Identity and Access Management (IAM) and Amazon Managed Service for Prometheus to help secure your resources, by controlling who can access them. For more information, see Policies and permissions in IAM.
Amazon Managed Service for Prometheus permissions
The following table displays possible Amazon Managed Service for Prometheus actions and their required permissions. The actions may also require permissions from other services, not detailed here.
| Action | Required permission |
|---|---|
|
Create alerts. |
|
|
Create an alert manager definition in a workspace. For more information, see Managing and forwarding alerts in Amazon Managed Service for Prometheus with alert manager. |
|
|
Create a rule groups namespace in a workspace. For more information, see Using rules to modify or monitor metrics as they are received. |
|
|
Create an Amazon Managed Service for Prometheus workspace.A workspace is a logical space dedicated to the storage and querying of Prometheus metrics. |
|
|
Delete an alert manager definition from a workspace. |
|
|
Delete alert silences. |
|
|
Delete an Amazon Managed Service for Prometheus workspace. |
|
|
Retrieve detailed information about alert manager definitions. |
|
|
Retrieve detailed information about rule groups namespaces. |
|
|
Retrieve detailed information about an Amazon Managed Service for Prometheus workspace. |
|
|
Retrieve detailed information about an alert silence. |
|
|
Retrieve the status of the alert manager in a workspace. |
|
|
Retrieve labels. |
|
|
Retrieve metadata for Amazon Managed Service for Prometheus metrics. |
|
|
Retrieve time series data. |
|
|
Retrieve a list of the alert groups that are defined in the alert manager definition. |
|
|
Retrieve a list of the alerts that are defined in alert manager. |
|
|
Retrieve a list of the receivers that are defined in the alert manager definition. |
|
|
Retrieve a list of the alert silences that are defined. |
|
|
Retrieve a list of the active alerts. |
|
|
Retrieve a list of the rules in the rule groups namespaces in your workspaces. |
|
|
Retrieve a list of the rule groups namespaces in your workspaces. |
|
|
Retrieve the tags that are associated with your Amazon Managed Service for Prometheus resources. |
|
|
Retrieve a list of the Amazon Managed Service for Prometheus workspaces that exist in the account. |
|
|
Update an existing alert manager definition in a workspace. |
|
|
Create alert silences. |
|
|
Update an existing rule groups namespace. |
|
|
Run a query on Amazon Managed Service for Prometheus metrics. |
|
|
Perform a remote write operation to initiate the streaming of metrics from a Prometheus server to Amazon Managed Service for Prometheus. |
|
|
Assign tags to Amazon Managed Service for Prometheus resources. |
|
|
Remove tags from Amazon Managed Service for Prometheus resources. |
|
|
Modify the aliases of existing workspaces. |
|
|
Create a logging configuration. |
|
|
Delete a logging configuration. |
|
|
Describe the workspace logging configuration. |
|
|
Update a logging configuration. |
|
Sample IAM policies
This section provides examples of other self-managed policies that you can create.
The following IAM policy grants full access to Amazon Managed Service for Prometheus and also enables a user to discover Amazon EKS clusters and see the details about them.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aps:*", "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ] }
