IAM role permissions for account-based application onboarding - Amazon CloudWatch

IAM role permissions for account-based application onboarding

If you want to onboard all of the resources in your account, and you choose not to use the Application Insights managed policy for full access to Application Insights functionality, you must attach the following permissions to your IAM role so that Application Insights can discover all of the resources in your account:

"ec2:DescribeInstances"
"ec2:DescribeNatGateways"
"ec2:DescribeVolumes"
"ec2:DescribeVPCs"
"rds:DescribeDBInstances"
"rds:DescribeDBClusters"
"sqs:ListQueues"
"elasticloadbalancing:DescribeLoadBalancers"
"autoscaling:DescribeAutoScalingGroups"
"lambda:ListFunctions"
"dynamodb:ListTables"
"s3:ListAllMyBuckets"
"sns:ListTopics"
"states:ListStateMachines"
"apigateway:GET"
"ecs:ListClusters"
"ecs:DescribeTaskDefinition"
"ecs:ListServices"
"ecs:ListTasks"
"eks:ListClusters"
"eks:ListNodegroups"
"fsx:DescribeFileSystems"
"route53:ListHealthChecks"
"route53:ListHostedZones"
"route53:ListQueryLoggingConfigs"
"route53resolver:ListFirewallRuleGroups"
"route53resolver:ListFirewallRuleGroupAssociations"
"route53resolver:ListResolverEndpoints"
"route53resolver:ListResolverQueryLogConfigs"
"route53resolver:ListResolverQueryLogConfigAssociations"
"logs:DescribeLogGroups"
"resource-explorer:ListResources"
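One way to check that a custom policy document grants every action in the list above before attaching it to the role. This is an added example, not AWS code; `missing_actions`, `_as_list` and `SAMPLE_POLICY` are hypothetical names. It assumes only unconditional Allow statements on Resource "*" count, and it does not evaluate Deny statements, NotAction, permissions boundaries or service control policies.

```python
import fnmatch

# Discovery actions listed on this page for account-based onboarding.
REQUIRED_ACTIONS = """
ec2:DescribeInstances ec2:DescribeNatGateways ec2:DescribeVolumes ec2:DescribeVPCs
rds:DescribeDBInstances rds:DescribeDBClusters sqs:ListQueues
elasticloadbalancing:DescribeLoadBalancers autoscaling:DescribeAutoScalingGroups
lambda:ListFunctions dynamodb:ListTables s3:ListAllMyBuckets sns:ListTopics
states:ListStateMachines apigateway:GET ecs:ListClusters ecs:DescribeTaskDefinition
ecs:ListServices ecs:ListTasks eks:ListClusters eks:ListNodegroups
fsx:DescribeFileSystems route53:ListHealthChecks route53:ListHostedZones
route53:ListQueryLoggingConfigs route53resolver:ListFirewallRuleGroups
route53resolver:ListFirewallRuleGroupAssociations route53resolver:ListResolverEndpoints
route53resolver:ListResolverQueryLogConfigs
route53resolver:ListResolverQueryLogConfigAssociations logs:DescribeLogGroups
resource-explorer:ListResources
""".split()


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_actions(policy):
    """Return the required actions that no qualifying Allow statement covers."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        # Assumption of this example: only unconditional Allow statements on
        # Resource "*" count, since discovery enumerates the whole account.
        if (stmt.get("Effect") != "Allow" or "Condition" in stmt
                or "*" not in _as_list(stmt.get("Resource"))):
            continue
        patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


# Constructed sample policy: wildcards for EC2, RDS and ECS lists, nothing else.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:describedb*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ecs:List*", "Resource": "*"},
]}

if __name__ == "__main__":
    print("\n".join(missing_actions(SAMPLE_POLICY)))
```

An empty result means every listed action is matched by at least one Allow pattern in the document.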