Permissions required for Application Signals - Amazon CloudWatch

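Permissions required for Application Signals

This section describes the permissions required to enable, manage, and operate Application Signals.

Permissions to enable and manage Application Signals

To manage Application Signals, you must be signed in to an account that has the required permissions. To see the contents of the CloudWatchApplicationSignalsFullAccess policy, see CloudWatchApplicationSignalsFullAccess.

To enable Application Signals on Amazon EC2 or custom architectures, see Enable Application Signals on Amazon EC2. To enable and manage Application Signals on Amazon EKS using the Amazon CloudWatch Observability EKS add-on, you need the following permissions.

Important

These permissions include iam:PassRole with Resource "*" and eks:CreateAddon with Resource "*". These are high-privilege permissions and should be granted with caution.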

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:CreateAddon",
                "eks:DescribeAddon",
                "eks:DescribeAddonConfiguration",
                "eks:DescribeAddonVersions",
                "eks:DescribeCluster",
                "eks:DescribeUpdate",
                "eks:ListAddons",
                "eks:ListClusters",
                "eks:ListUpdates",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "eks.amazonaws.com",
                        "application-signals.cloudwatch.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DeleteAddon",
                "eks:UpdateAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        }
    ]
}
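
An added example, not part of the AWS documentation: a Python check that finds Allow statements granting the two actions named in the Important note on Resource "*" and reports which services the statement's iam:PassedToService condition names. The function names and the abbreviated policy copy are illustrative assumptions; NotAction and NotResource are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions the page's "Important" note flags as high privilege when granted on "*".
SENSITIVE = ("iam:PassRole", "eks:CreateAddon")

def as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalize."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return one finding per SENSITIVE action allowed on Resource "*"."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        passed_to = []  # services listed in an iam:PassedToService condition, if any
        for operator, keys in stmt.get("Condition", {}).items():
            for key, val in keys.items():
                if operator.startswith("StringEquals") and key.lower() == "iam:passedtoservice":
                    passed_to = as_list(val)
        for pattern in as_list(stmt.get("Action", [])):
            for action in SENSITIVE:
                # IAM action names are case-insensitive and may use * and ? wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.append({"sid": stmt.get("Sid"), "action": action,
                                     "passed_to_service": sorted(passed_to)})
    return findings

# Abbreviated copy of the page's EKS add-on policy (Describe/List actions omitted).
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow",
   "Action": ["eks:AccessKubernetesApi", "eks:CreateAddon", "iam:ListRoles", "iam:PassRole"],
   "Resource": "*",
   "Condition": {"StringEquals": {"iam:PassedToService":
       ["eks.amazonaws.com", "application-signals.cloudwatch.amazonaws.com"]}}},
  {"Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
   "Effect": "Allow", "Action": ["eks:DeleteAddon", "eks:UpdateAddon"],
   "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"}]}
""")

if __name__ == "__main__":
    for finding in audit(PAGE_POLICY):
        print(finding)
```

A finding with an empty passed_to_service list means the statement allows the action on "*" with no service restriction on role passing at all.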

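The Application Signals dashboard shows the Amazon Service Catalog AppRegistry applications that your SLOs are associated with. To see these applications in the SLO pages, you must have the following permissions: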

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}

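Operating Application Signals

Service operators who use Application Signals to monitor services and SLOs must be signed in to an account that has read-only permissions. To see the contents of the CloudWatchApplicationSignalsReadOnlyAccess policy, see CloudWatchApplicationSignalsReadOnlyAccess.

To see which Amazon Service Catalog AppRegistry applications your SLOs are associated with in the Application Signals dashboard, you also need the following permissions: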

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}

To check whether Application Signals has been enabled on Amazon EKS using the Amazon CloudWatch Observability EKS add-on, you need the following permissions:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsResourceExplorerReadPermissions",
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:ListIndexes",
                "resource-explorer-2:Search"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsResourceExplorerSLRPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "resource-explorer-2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchApplicationSignalsResourceExplorerCreateIndexPermissions",
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:CreateIndex"
            ],
            "Resource": "arn:aws:resource-explorer-2:*:*:index/*"
        }
    ]
}