IAM permissions and policies - Amazon Managed Service for Prometheus

IAM permissions and policies

Access to Amazon Managed Service for Prometheus actions and data requires credentials. Those credentials must have permissions to perform the actions and to access the AWS resources, such as retrieving Amazon Managed Service for Prometheus data about your cloud resources. The following sections provide details about how you can use AWS Identity and Access Management (IAM) and Amazon Managed Service for Prometheus to help secure your resources, by controlling who can access them. For more information, see Policies and permissions in IAM.

Amazon Managed Service for Prometheus permissions

The following table displays possible Amazon Managed Service for Prometheus actions and their required permissions. The actions may also require permissions from other services, not detailed here.

Action Required permission

Create alerts.

aps:CreateAlertManagerAlerts

Create an alert manager definition in a workspace. For more information, see Managing and forwarding alerts in Amazon Managed Service for Prometheus with alert manager.

aps:CreateAlertManagerDefinition

Create a rule groups namespace in a workspace. For more information, see Using rules to modify or monitor metrics as they are received.

aps:CreateRuleGroupsNamespace

Create an Amazon Managed Service for Prometheus workspace.A workspace is a logical space dedicated to the storage and querying of Prometheus metrics.

aps:CreateWorkspace

Delete an alert manager definition from a workspace.

aps:DeleteAlertManagerDefinition

Delete alert silences.

aps:DeleteAlertManagerSilence

Delete an Amazon Managed Service for Prometheus workspace.

aps:DeleteWorkspace

Retrieve detailed information about alert manager definitions.

aps:DescribeAlertManagerDefinition

Retrieve detailed information about rule groups namespaces.

aps:DescribeRuleGroupsNamespace

Retrieve detailed information about an Amazon Managed Service for Prometheus workspace.

aps:DescribeWorkspace

Retrieve detailed information about an alert silence.

aps:GetAlertManagerSilence

Retrieve the status of the alert manager in a workspace.

aps:GetAlertManagerStatus

Retrieve labels.

aps:GetLabels

Retrieve metadata for Amazon Managed Service for Prometheus metrics.

aps:GetMetricMetadata

Retrieve time series data.

aps:GetSeries

Retrieve a list of the alert groups that are defined in the alert manager definition.

aps:ListAlertManagerAlertGroups

Retrieve a list of the alerts that are defined in alert manager.

aps:ListAlertManagerAlerts

Retrieve a list of the receivers that are defined in the alert manager definition.

aps:ListAlertManagerReceivers

Retrieve a list of the alert silences that are defined.

aps:ListAlertManagerSilences

Retrieve a list of the active alerts.

aps:ListAlerts

Retrieve a list of the rules in the rule groups namespaces in your workspaces.

aps:ListRules

Retrieve a list of the rule groups namespaces in your workspaces.

aps:ListRuleGroupsNamespaces

Retrieve the tags that are associated with your Amazon Managed Service for Prometheus resources.

aps:ListTagsForResource

Retrieve a list of the Amazon Managed Service for Prometheus workspaces that exist in the account.

aps:ListWorkspaces

Update an existing alert manager definition in a workspace.

aps:PutAlertManagerDefinition

Create alert silences.

aps:PutAlertManagerSilences

Update an existing rule groups namespace.

aps:PutRuleGroupsNamespace

Run a query on Amazon Managed Service for Prometheus metrics.

aps:QueryMetrics

Perform a remote write operation to initiate the streaming of metrics from a Prometheus server to Amazon Managed Service for Prometheus.

aps:RemoteWrite

Assign tags to Amazon Managed Service for Prometheus resources.

aps:TagResource

Remove tags from Amazon Managed Service for Prometheus resources.

aps:UntagResource

Modify the aliases of existing workspaces.

aps:UpdateWorkspaceAlias

Create a logging configuration.

aps:CreateLoggingConfiguration

Delete a logging configuration.

aps:DeleteLoggingConfiguration

Describe the workspace logging configuration.

aps:DescribeLoggingConfiguration

Update a logging configuration.

aps:UpdateLoggingConfiguration

Sample IAM policies

This section provides examples of other self-managed policies that you can create.

The following IAM policy grants full access to Amazon Managed Service for Prometheus and also enables a user to discover Amazon EKS clusters and see the details about them.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aps:*", "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ] }