

# Using service-linked roles for CloudWatch Application Insights
<a name="CHAP_using-service-linked-roles-appinsights"></a>

CloudWatch Application Insights uses Amazon Identity and Access Management (IAM) [service-linked roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to CloudWatch Application Insights. Service-linked roles are predefined by CloudWatch Application Insights and include all the permissions that the service requires to call other Amazon services on your behalf.

A service-linked role makes setting up CloudWatch Application Insights easier because you don't have to manually add the necessary permissions. CloudWatch Application Insights defines the permissions of its service-linked roles, and unless defined otherwise, only CloudWatch Application Insights can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** link to view the service-linked role documentation for that service.

## Service-linked role permissions for CloudWatch Application Insights
<a name="service-linked-role-permissions"></a>

CloudWatch Application Insights uses the service-linked role named **AWSServiceRoleForApplicationInsights**. Application Insights uses this role to perform operations such as analyzing the customer's resource groups, creating CloudFormation stacks that create alarms on metrics, and configuring the CloudWatch agent on EC2 instances. The service-linked role has an IAM policy attached to it named `CloudwatchApplicationInsightsServiceLinkedRolePolicy`. For updates to this policy, see [Application Insights updates to Amazon managed policies](security-iam-awsmanpol-appinsights.md#security-iam-awsmanpol-appinsights-updates).

The role permissions policy allows CloudWatch Application Insights to complete the following actions on resources.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:PutAnomalyDetector",
        "cloudwatch:DeleteAnomalyDetector",
        "cloudwatch:DescribeAnomalyDetectors"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "EventBridge",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudFormation",
      "Effect": "Allow",
      "Action": [
        "cloudFormation:CreateStack",
        "cloudFormation:UpdateStack",
        "cloudFormation:DeleteStack",
        "cloudFormation:DescribeStackResources",
        "cloudFormation:UpdateTerminationProtection"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/ApplicationInsights-*"
      ]
    },
    {
      "Sid": "CloudFormationStacks",
      "Effect": "Allow",
      "Action": [
        "cloudFormation:DescribeStacks",
        "cloudFormation:ListStackResources",
        "cloudFormation:ListStacks"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Tag",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ResourceGroups",
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroupResources",
        "resource-groups:GetGroupQuery",
        "resource-groups:GetGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ApplicationInsightsResourceGroup",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:DeleteGroup"
      ],
      "Resource": [
        "arn:aws:resource-groups:*:*:group/ApplicationInsights-*"
      ]
    },
    {
      "Sid": "ElasticLoadBalancing",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AutoScaling",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SSMParameter",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:AddTagsToResource",
        "ssm:RemoveTagsFromResource",
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-ApplicationInsights-*"
    },
    {
      "Sid": "SSMAssociation",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateAssociation",
        "ssm:UpdateAssociation",
        "ssm:DeleteAssociation",
        "ssm:DescribeAssociation"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:association/*",
        "arn:aws:ssm:*:*:managed-instance/*",
        "arn:aws:ssm:*:*:document/AWSEC2-ApplicationInsightsCloudwatchAgentInstallAndConfigure",
        "arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage",
        "arn:aws:ssm:*:*:document/AmazonCloudWatch-ManageAgent"
      ]
    },
    {
      "Sid": "SSMOpsItem",
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:CreateOpsItem",
        "ssm:DescribeOpsItems",
        "ssm:UpdateOpsItem",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SSMTags",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource"
      ],
      "Resource": "arn:aws:ssm:*:*:opsitem/*"
    },
    {
      "Sid": "SSMGetCommandInvocation",
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SSMSendCommand",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:document/AWSEC2-CheckPerformanceCounterSets",
        "arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage",
        "arn:aws:ssm:*:*:document/AWSEC2-DetectWorkload",
        "arn:aws:ssm:*:*:document/AmazonCloudWatch-ManageAgent"
      ]
    },
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeNatGateways"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "RDS",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Lambda",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunctionConfiguration",
        "lambda:ListEventSourceMappings"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "EventBridgeManagedRule",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DeleteRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/AmazonCloudWatch-ApplicationInsights-*"
      ]
    },
    {
      "Sid": "XRay",
      "Effect": "Allow",
      "Action": [
        "xray:GetServiceGraph",
        "xray:GetTraceSummaries",
        "xray:GetTimeSeriesServiceStatistics",
        "xray:GetTraceGraph"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DynamoDB",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeContributorInsights",
        "dynamodb:DescribeTimeToLive"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ApplicationAutoscaling",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetMetricsConfiguration",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "States",
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:DescribeExecution",
        "states:DescribeStateMachine",
        "states:GetExecutionHistory"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "APIGateway",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECS",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskSets",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "ecs:ListTasks"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECSCluster",
      "Effect": "Allow",
      "Action": [
        "ecs:UpdateClusterSettings"
      ],
      "Resource": [
        "arn:aws:ecs:*:*:cluster/*"
      ]
    },
    {
      "Sid": "EKS",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "fsx:DescribeFileSystems",
        "fsx:DescribeVolumes"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SNS",
      "Effect": "Allow",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:GetSMSAttributes",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SQS",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsDeleteSubscriptionFilter",
      "Effect": "Allow",
      "Action": [
        "logs:DeleteSubscriptionFilter"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "CloudWatchLogsCreateSubscriptionFilter",
      "Effect": "Allow",
      "Action": [
        "logs:PutSubscriptionFilter"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*",
        "arn:aws:logs:*:*:destination:AmazonCloudWatch-ApplicationInsights-LogIngestionDestination*"
      ]
    },
    {
      "Sid": "EFS",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeFileSystems"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Route53",
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHealthCheck",
        "route53:ListHostedZones",
        "route53:ListHealthChecks",
        "route53:ListQueryLoggingConfigs"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Route53Resolver",
      "Effect": "Allow",
      "Action": [
        "route53resolver:ListFirewallRuleGroupAssociations",
        "route53resolver:GetFirewallRuleGroup",
        "route53resolver:ListFirewallRuleGroups",
        "route53resolver:ListResolverEndpoints",
        "route53resolver:GetResolverQueryLogConfig",
        "route53resolver:ListResolverQueryLogConfigs",
        "route53resolver:ListResolverQueryLogConfigAssociations",
        "route53resolver:GetResolverEndpoint",
        "route53resolver:GetFirewallRuleGroupAssociation"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

------
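As an added example that is not part of this documentation, the Python below evaluates a constructed subset of the policy above the way IAM evaluates an Allow-only policy: `cloudFormation:DeleteStack` reaches only stacks whose name starts with `ApplicationInsights-`, while `cloudwatch:PutMetricAlarm` and `cloudwatch:DeleteAlarms` are granted on every alarm in the account. The helpers `is_allowed` and `unscoped_mutations` are this example's own, not an IAM or Application Insights API.

```python
import json
from fnmatch import fnmatchcase

# Constructed subset of the policy above: three of its statements, with fewer actions.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudWatch", "Effect": "Allow",
     "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"],
     "Resource": ["*"]},
    {"Sid": "CloudFormation", "Effect": "Allow",
     "Action": ["cloudFormation:CreateStack", "cloudFormation:DeleteStack"],
     "Resource": ["arn:aws:cloudformation:*:*:stack/ApplicationInsights-*"]},
    {"Sid": "SQS", "Effect": "Allow", "Action": ["sqs:ListQueues"], "Resource": "*"}
  ]
}
""")
# Heuristic: Describe*/List*/Get* API calls do not change state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the ARN. Action
    names are case-insensitive in IAM; '*' in a resource pattern spans ':' and '/',
    as it does in fnmatchcase. Sufficient here: this policy has no Deny statements."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in as_list(stmt["Action"])]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if any(fnmatchcase(resource_arn, r) for r in as_list(stmt["Resource"])):
            return True
    return False

def unscoped_mutations(policy):
    """Map Sid -> mutating actions that a statement grants on Resource '*'."""
    findings = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt["Resource"]):
            continue
        mutating = [a for a in as_list(stmt["Action"])
                    if not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
        if mutating:
            findings[stmt["Sid"]] = mutating
    return findings
```

Run `unscoped_mutations` over the full policy from this page to list which statements grant write actions account-wide; those are the ones to watch in CloudTrail for activity outside the `ApplicationInsights-*` naming convention.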

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for CloudWatch Application Insights
<a name="create-service-linked-role"></a>

You don't need to manually create a service-linked role. When you create a new Application Insights application in the Amazon Web Services Management Console, CloudWatch Application Insights creates the service-linked role for you.

If you delete this service-linked role and then want to create it again, you can use the same process to recreate the role in your account. When you create a new Application Insights application, CloudWatch Application Insights creates the service-linked role for you again.

## Editing a service-linked role for CloudWatch Application Insights
<a name="edit-slr"></a>

CloudWatch Application Insights does not allow you to edit the AWSServiceRoleForApplicationInsights service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for CloudWatch Application Insights
<a name="delete-service-linked-role"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must delete all applications in Application Insights before you can manually delete the role.

**Note**  
If the CloudWatch Application Insights service is using the role when you try to delete the resources, the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete CloudWatch Application Insights resources used by AWSServiceRoleForApplicationInsights**
+ Delete all CloudWatch Application Insights applications. For more information, see "Delete an application" in the *CloudWatch Application Insights User Guide*.

**To manually delete the service-linked role using IAM**

Use the IAM console, the Amazon CLI, or the Amazon API to delete the AWSServiceRoleForApplicationInsights service-linked role. For more information, see [Deleting a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for CloudWatch Application Insights service-linked roles
<a name="slr-regions"></a>

CloudWatch Application Insights supports using service-linked roles in all of the Amazon Regions where the service is available. For more information, see [CloudWatch Application Insights Regions and endpoints](https://docs.amazonaws.cn/general/latest/gr/applicationinsights.html).