Integration with Amazon EKS
CloudWatch investigations investigation groups can utilize information directly from your Amazon EKS cluster. To get started, first grant access to the Investigation Group IAM role. We recommend using the default Amazon managed access policy AmazonAIOpsAssistantPolicy, which grants CloudWatch investigations investigation groups access to resources in the cluster. By using this policy you will automatically get policy updates as needed.

Note

AmazonAIOpsAssistantPolicy is an access policy. The Amazon managed identity policy that authorizes the access associated with CloudWatch investigations investigation groups is AIOpsAssistantPolicy.

Use the Advanced Configuration option to scope down the access provided by the access policy to a set of namespaces or the entire cluster. Alternatively, you can further scope access down by associating the access entry to a Kubernetes group RBAC permission. For more information, see Creating access entries.
Configuring the Amazon EKS access entry (Console)
To associate the AmazonAIOpsAssistantPolicy to the investigation role using the Amazon Management Console, follow these steps:

- Open the CloudWatch console and navigate to the Investigations Configuration page.
- In the Amazon EKS Access section, select the option to associate the AmazonAIOpsAssistantPolicy with your investigation role.
- Review the policy details and confirm the association.

To further customize the access scope:

- Click Advanced Configuration in the Amazon EKS Access section.
- You will be redirected to the Amazon EKS console.
- In the Amazon EKS console, you can:
  - Scope the policy to specific namespaces
  - Configure the group feature for more granular access control
Configuring Amazon EKS Access Entries (CDK)
To configure Amazon EKS Access Entries using the Amazon CDK, use the following code example:
```typescript
import { AccessEntry, AccessPolicy, AccessScopeType } from 'aws-cdk-lib/aws-eks';

// `eksCluster` is the existing EKS cluster construct and `investigationsIamRole`
// is the investigation group's IAM role; both are defined elsewhere in the stack.
const testAccessEntry = new AccessEntry(this, 'test-access-entry', {
  cluster: eksCluster,
  principal: investigationsIamRole.roleArn,
  accessPolicies: [
    // Associate the managed access policy at cluster scope.
    AccessPolicy.fromAccessPolicyName('AmazonAIOpsAssistantPolicy', {
      accessScopeType: AccessScopeType.CLUSTER,
    }),
  ],
});
```
AmazonAIOpsAssistantPolicy
The Amazon EKS Access Policy, AmazonAIOpsAssistantPolicy, provides comprehensive read-only access to resources in the cluster. Not every resource it covers is currently used by CloudWatch investigations.

```yaml
- apiGroups: [""]
  resources:
    - pods
    - pods/log
    - services
    - nodes
    - namespaces
    - events
    - persistentvolumes
    - persistentvolumeclaims
    - configmaps
  verbs:
    - get
    - list
- apiGroups: ["apps"]
  resources:
    - deployments
    - replicasets
    - statefulsets
    - daemonsets
  verbs:
    - get
    - list
- apiGroups: ["batch"]
  resources:
    - jobs
    - cronjobs
  verbs:
    - get
    - list
- apiGroups: ["events.k8s.io"]
  resources:
    - events
  verbs:
    - get
    - list
- apiGroups: ["networking.k8s.io"]
  resources:
    - ingresses
    - ingressclasses
  verbs:
    - get
    - list
- apiGroups: ["storage.k8s.io"]
  resources:
    - storageclasses
  verbs:
    - get
    - list
- apiGroups: ["metrics.k8s.io"]
  resources:
    - pods
    - nodes
  verbs:
    - get
    - list
```
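As an added example (not code from this page or from AWS), the following Python applies Kubernetes RBAC matching to the policy rules listed above, combined with the cluster-or-namespace access-entry scope described earlier, so you can review what the investigation role can and cannot read before associating the policy. The rule data is transcribed from the page; the namespace-scope handling is an assumed, simplified model of EKS access-entry scoping.

```python
# Added example, not from the page or from AWS: a Kubernetes-RBAC-style
# evaluator over the AmazonAIOpsAssistantPolicy rules listed on this page.
# ASSUMPTION: a namespace-scoped access entry is modelled as covering only
# namespaced resources inside the listed namespaces.
READ_ONLY_VERBS = {"get", "list", "watch"}

# Transcribed from the policy rules shown above.
AIOPS_ASSISTANT_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "nodes", "namespaces",
     "events", "persistentvolumes", "persistentvolumeclaims", "configmaps"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets",
     "daemonsets"], "verbs": ["get", "list"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["get", "list"]},
    {"apiGroups": ["events.k8s.io"], "resources": ["events"], "verbs": ["get", "list"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses", "ingressclasses"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": ["get", "list"]},
]

def _matches(allowed, value):
    # RBAC semantics: "*" matches anything, otherwise exact match. A subresource
    # such as "pods/log" is its own entry and is never implied by "pods".
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def policy_allows(rules, api_group, resource, verb, namespace=None, scope_namespaces=None):
    """scope_namespaces=None models a cluster-scoped access entry. A set of names
    models a namespace-scoped entry: only requests against one of those
    namespaces pass, so cluster-scoped resources (namespace=None) are denied."""
    if scope_namespaces is not None and namespace not in scope_namespaces:
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in rules)

def non_read_verbs(rules):
    """Verbs granted beyond read-only; an empty result confirms the policy is read-only."""
    return sorted({v for r in rules for v in r["verbs"] if v not in READ_ONLY_VERBS})

def readable_resources(rules):
    """Every 'group/resource' the policy can read (the core group shown as 'core')."""
    return sorted(f"{g or 'core'}/{res}" for r in rules for g in r["apiGroups"]
                  for res in r["resources"])
```

Because pod logs and ConfigMaps are readable, review what workloads write there before granting cluster scope; the evaluator shows that Secrets are not covered by any rule.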
Updates to AmazonAIOpsAssistantPolicy
| Change | Description | Date |
|---|---|---|
| Add policy for CloudWatch investigations | Initial release of AmazonAIOpsAssistantPolicy | August 9, 2025 |