Application Signals 所需权限
Amazon CloudWatch 的 Application Signals 目前为预览版,可能会发生变化。
本部分介绍启用、管理和操作 Application Signals 所需的权限。
启用和管理 Application Signals 的权限
要管理 Application Signals,您必须使用以下权限登录:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsFullAccessPermissions", "Effect": "Allow", "Action": "application-signals:*", "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:DescribeMetricFilters" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" }, { "Sid": "CloudWatchApplicationSignalsLogsPermissions", "Effect": "Allow", "Action": [ "logs:GetQueryResults", "logs:StopQuery" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumPermissions", "Effect": "Allow", "Action": [ "rum:BatchCreateRumMetricDefinitions", "rum:BatchDeleteRumMetricDefinitions", "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors", "rum:PutRumMetricsDestination", "rum:UpdateRumMetricDefinition" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsPutMetricAlarmPermissions", "Effect": "Allow", "Action": "cloudwatch:PutMetricAlarm", "Resource": [ "arn:aws:cloudwatch:*:*:alarm:SLO-AttainmentGoalAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLO-WarningAlarm-*", "arn:aws:cloudwatch:*:*:alarm:SLI-HealthAlarm-*" ] }, { "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals", "Condition": { "StringLike": { "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com" } } }, { "Sid": "CloudWatchApplicationSignalsGetRolePermissions", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" }, { "Sid": "CloudWatchApplicationSignalsSnsWritePermissions", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:Subscribe" ], "Resource": "arn:aws:sns:*:*:cloudwatch-application-signals-*" }, { "Sid": "CloudWatchApplicationSignalsSnsReadPermissions", "Effect": "Allow", "Action": "sns:ListTopics", "Resource": "*" } ] }
要在 Amazon EC2、Kubernetes 或自定义架构上启用 Application Signals,请参阅使用自定义设置在其他平台上启用 Application Signals。要使用 Amazon CloudWatch 可观测性 EKS 插件在 Amazon EKS 上启用和管理 Application Signals,您需要以下权限。
重要
这些权限包括带有 Resource "*” 的 iam:PassRole 与带有 Resource “*” 的 eks:CreateAddon。权限较高,应谨慎授予。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:AccessKubernetesApi", "eks:CreateAddon", "eks:DescribeAddon", "eks:DescribeAddonConfiguration", "eks:DescribeAddonVersions", "eks:DescribeCluster", "eks:DescribeUpdate", "eks:ListAddons", "eks:ListClusters", "eks:ListUpdates", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions", "Effect": "Allow", "Action": [ "eks:DeleteAddon", "eks:UpdateAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }
Application Signals 控制面板显示与您的 SLO 关联的 Amazon Service Catalog AppRegistry 应用程序。要在 SLO 页面中查看这些应用程序,您必须拥有以下权限:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }
操作 Application Signals
使用 Application Signals 监控服务和 SLO 的服务运营商,必须以具有以下只读权限的用户或角色身份登录账户:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsReadOnlyAccessPermissions", "Effect": "Allow", "Action": [ "application-signals:BatchGet*", "application-signals:Get*", "application-signals:List*" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsGetRolePermissions", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals" }, { "Sid": "CloudWatchApplicationSignalsLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:DescribeMetricFilters" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*" }, { "Sid": "CloudWatchApplicationSignalsLogsPermissions", "Effect": "Allow", "Action": [ "logs:GetQueryResults", "logs:StopQuery" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsAlarmsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsMetricsReadPermissions", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsSyntheticsReadPermissions", "Effect": "Allow", "Action": [ "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:GetCanaryRuns" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsRumReadPermissions", "Effect": "Allow", "Action": [ "rum:BatchGetRumMetricDefinitions", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsXrayReadPermissions", "Effect": "Allow", "Action": [ "xray:GetTraceSummaries" ], "Resource": "*" } ] }
要在 Application Signals 控制面板内,查看您的 SLO 与哪些 Amazon Service Catalog AppRegistry 应用程序关联,您还需要以下权限:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ] }
要检查是否已使用 Amazon CloudWatch 可观测性 EKS 插件在 Amazon EKS 上启用了 Application Signals,您需要拥有以下权限:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchApplicationSignalsEksReadPermissions", "Effect": "Allow", "Action": [ "eks:ListAddons", "eks:ListClusters" ], "Resource": "*" }, { "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions", "Effect": "Allow", "Action": [ "eks:DescribeAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*" } ] }