Permissions required for Application Signals - Amazon CloudWatch

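Permissions required for Application Signals

Application Signals is in preview release for Amazon CloudWatch and is subject to change.

This section describes the permissions required to enable, manage, and operate Application Signals.

Permissions to enable and manage Application Signals

To manage Application Signals, and to enable Application Signals with a custom setup on architectures other than Amazon EKS, you must be signed in to an account that has the following permissions.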

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsFullAccessPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:BatchGetServiceLevelIndicatorReport",
                "cloudwatch:BatchGetServiceLevelObjectiveBudgetReport",
                "cloudwatch:CreateServiceLevelObjective",
                "cloudwatch:DeleteServiceLevelObjective",
                "cloudwatch:EnableTopologyDiscovery",
                "cloudwatch:GetService",
                "cloudwatch:GetServiceLevelObjective",
                "cloudwatch:GetTopologyMap",
                "cloudwatch:ListServices",
                "cloudwatch:ListServiceLevelObjectives",
                "cloudwatch:UpdateServiceLevelObjective",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsAlarmsPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsMetricsPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsSyntheticsPermissions",
            "Effect": "Allow",
            "Action": [
                "synthetics:DescribeCanariesLastRun",
                "synthetics:GetCanaryRuns"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsRumPermissions",
            "Effect": "Allow",
            "Action": [
                "rum:BatchCreateRumMetricDefinitions",
                "rum:BatchDeleteRumMetricDefinitions",
                "rum:BatchGetRumMetricDefinitions",
                "rum:GetAppMonitor",
                "rum:GetAppMonitorData",
                "rum:ListAppMonitors",
                "rum:PutRumMetricsDestination",
                "rum:UpdateRumMetricDefinition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsXrayPermissions",
            "Effect": "Allow",
            "Action": [
                "xray:GetTraceSummaries"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsPutMetricAlarmPermissions",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricAlarm",
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:SLO-AttainmentGoalAlarm-*",
                "arn:aws:cloudwatch:*:*:alarm:SLO-WarningAlarm-*",
                "arn:aws:cloudwatch:*:*:alarm:SLI-HealthAlarm-*"
            ]
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:ListAddons",
                "eks:ListClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksDescribeAddonPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DescribeAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchApplicationSignalsTaggingPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:TagResource",
                "cloudwatch:UntagResource",
                "cloudwatch:ListTagsForResource"
            ],
            "Resource": "arn:aws:cloudwatch:*:*:slo/*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsSnsWritePermissions",
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:*:*:cloudwatch-application-signals-*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsSnsReadPermissions",
            "Effect": "Allow",
            "Action": "sns:ListTopics",
            "Resource": "*"
        }
    ]
}

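To use the console to enable Application Signals for applications on Amazon EKS clusters, you also need the following permissions. These permissions are required to install and manage the Amazon CloudWatch Observability EKS add-on.

Important

These permissions include iam:PassRole with Resource "*" and eks:CreateAddon with Resource "*". These are powerful permissions and should be granted with caution.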

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:CreateAddon",
                "eks:DescribeAddon",
                "eks:DescribeAddonConfiguration",
                "eks:DescribeAddonVersions",
                "eks:DescribeCluster",
                "eks:DescribeUpdate",
                "eks:ListAddons",
                "eks:ListClusters",
                "eks:ListUpdates",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DeleteAddon",
                "eks:UpdateAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        }
    ]
}
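The check below is an added example, not part of the AWS documentation: it scans a policy document for the two actions the Important note calls out (iam:PassRole and eks:CreateAddon) granted on Resource "*", and runs against the add-on management policy above. The function names and the SENSITIVE list are assumptions chosen for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions the page's "Important" note singles out as powerful (list is an assumption).
SENSITIVE = ("iam:PassRole", "eks:CreateAddon")

# The EKS add-on management policy from this page, embedded so the check runs offline.
EKS_ADDON_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
   "Effect": "Allow",
   "Action": ["eks:CreateAddon", "eks:DescribeAddon", "eks:DescribeAddonConfiguration",
              "eks:DescribeAddonVersions", "eks:DescribeCluster", "eks:DescribeUpdate",
              "eks:ListAddons", "eks:ListClusters", "eks:ListUpdates",
              "iam:ListRoles", "iam:PassRole"],
   "Resource": "*"},
  {"Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
   "Effect": "Allow",
   "Action": ["eks:DeleteAddon", "eks:UpdateAddon"],
   "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"}
]}
""")

def as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy, sensitive=SENSITIVE):
    """Return (Sid, action, has_condition) for each Allow statement that grants
    a sensitive action on Resource "*". NotAction/NotResource are not evaluated."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        # Action names are case-insensitive and may contain * or ? wildcards.
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        for action in sensitive:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid", "<no Sid>"), action, "Condition" in stmt))
    return findings

if __name__ == "__main__":
    for sid, action, has_condition in wildcard_findings(EKS_ADDON_POLICY):
        note = "has a Condition" if has_condition else "no Condition"
        print(f'{sid}: {action} on Resource "*" ({note})')
```

Both findings come from the first statement and neither carries a Condition block; the second statement is scoped to the amazon-cloudwatch-observability add-on ARN and is not flagged.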

To see which Amazon Service Catalog AppRegistry applications your SLOs are associated with on the SLO page of the Application Signals dashboard, you also need the following permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}

Operating Application Signals

Service operators who use Application Signals to monitor services and SLOs must be signed in to an account that has the following permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsReadOnlyAccessPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:BatchGetServiceLevelIndicatorReport",
                "cloudwatch:BatchGetServiceLevelObjectiveBudgetReport",
                "cloudwatch:GetService",
                "cloudwatch:GetServiceLevelObjective",
                "cloudwatch:GetTopologyMap",
                "cloudwatch:ListServices",
                "cloudwatch:ListServiceLevelObjectives"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsAlarmsReadPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsMetricsReadPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsSyntheticsReadPermissions",
            "Effect": "Allow",
            "Action": [
                "synthetics:DescribeCanariesLastRun",
                "synthetics:GetCanaryRuns"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsRumReadPermissions",
            "Effect": "Allow",
            "Action": [
                "rum:BatchGetRumMetricDefinitions",
                "rum:GetAppMonitor",
                "rum:GetAppMonitorData",
                "rum:ListAppMonitors"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsXrayReadPermissions",
            "Effect": "Allow",
            "Action": [
                "xray:GetTraceSummaries"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListTagsForResource"
            ],
            "Resource": "arn:aws:cloudwatch:*:*:slo/*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksReadPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:ListAddons",
                "eks:ListClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DescribeAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        }
    ]
}

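To enable operators to see which Amazon Service Catalog AppRegistry applications your SLOs are associated with on the SLO page of the Application Signals dashboard, operators also need the following permissions.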

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}