Amazon managed policies for Amazon CloudWatch Application Insights - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon CloudWatch Application Insights

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: CloudWatchApplicationInsightsFullAccess

You can attach the CloudWatchApplicationInsightsFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to Application Insights functionality.

Permissions details

This policy includes the following permissions.

  • applicationinsights – Allows full access to Application Insights functionality.

  • iam – Allows Application Insights to create the service-linked role, AWSServiceRoleForApplicationInsights. This is required so that Application Insights can perform operations such as analyze the resource groups of a customer, create CloudFormation stacks to create alarms on metrics, and configure the CloudWatch Agent on EC2 instances. For more information, see Using service-linked roles for CloudWatch Application Insights.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "applicationinsights:*", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "rds:DescribeDBInstances", "rds:DescribeDBClusters", "sqs:ListQueues", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "autoscaling:DescribeAutoScalingGroups", "lambda:ListFunctions", "dynamodb:ListTables", "s3:ListAllMyBuckets", "sns:ListTopics", "states:ListStateMachines", "apigateway:GET", "ecs:ListClusters", "ecs:DescribeTaskDefinition", "ecs:ListServices", "ecs:ListTasks", "eks:ListClusters", "eks:ListNodegroups", "fsx:DescribeFileSystems", "logs:DescribeLogGroups", "elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/application-insights.amazonaws.com/AWSServiceRoleForApplicationInsights" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "application-insights.amazonaws.com" } } } ] }

Amazon managed policy: CloudWatchApplicationInsightsReadOnlyAccess

You can attach the CloudWatchApplicationInsightsReadOnlyAccess policy to your IAM identities.

This policy grants administrative permissions that allow read-only access to all Application Insights functionality.

Permissions details

This policy includes the following permissions.

  • applicationinsights – Allows read-only access to Application Insights functionality.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "applicationinsights:Describe*", "applicationinsights:List*" ], "Resource": "*" } ] }

Amazon managed policy: CloudwatchApplicationInsightsServiceLinkedRolePolicy

You can't attach CloudwatchApplicationInsightsServiceLinkedRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Application Insights to monitor customer resources. For more information, see Using service-linked roles for CloudWatch Application Insights.

Application Insights updates to Amazon managed policies

View details about updates to Amazon managed policies for Application Insights since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Insights Document history page.

Change Description Date

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to list CloudFormation stacks.

These permissions are required for Amazon CloudWatch Application Insights to analyze and monitor Amazon resources nested in the CloudFormation stack.

April 24, 2023

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to get list of Amazon VPC and Route 53 resources.

These permissions are required for Amazon CloudWatch Application Insights to automatically set up best practice network monitoring with Amazon CloudWatch.

January 23, 2023

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to get SSM command invocation results.

These permissions are required for Amazon CloudWatch Application Insights to automatically detect and monitor workloads running on Amazon EC2 instances.

December 19, 2022

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to describe Amazon VPC and Route 53 resources.

These permissions are required for Amazon CloudWatch Application Insights to read customer Amazon VPC and Route 53 resource configurations, and to help customers automatically set up best practice network monitoring with Amazon CloudWatch.

December 19, 2022

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to describe EFS resources.

These permissions are required for Amazon CloudWatch Application Insights to read Amazon EFS customer resource configurations, and to help customers automatically set up best practices for EFS monitoring with CloudWatch.

October 3, 2022

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to describe the EFS file system.

These permissions are required for Amazon CloudWatch Application Insights to create account-based applications by querying all of the supported resources in an account.

October 3, 2022

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to retrieve information about FSx resources.

These permissions are required for Amazon CloudWatch Application Insights to monitor workloads by retrieving sufficient information about the underlying FSx volumes.

September 12, 2022

Amazon managed policy: CloudWatchApplicationInsightsFullAccess – Update to an existing policy

Application Insights added a new permission to describe log groups.

This permissions is required for Amazon CloudWatch Application Insights to ensure that the correct permissions for monitoring log groups are in an account when creating a new application.

January 24, 2022

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to create and delete CloudWatch Log Subscription Filters.

These permissions are required for Amazon CloudWatch Application Insights to create Subscription Filters to facilitate log monitoring of resources within configured applications.

January 24, 2022

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to describe target groups and target health for Elastic Load Balancers.

These permissions are required for Amazon CloudWatch Application Insights to create account-based applications by querying all of the supported resources in an account.

November 4, 2021

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to run the AmazonCloudWatch-ManageAgent SSM document on Amazon EC2 instances.

This permissions is required for Amazon CloudWatch Application Insights to clean up CloudWatch agent configuration files created by Application Insights.

September 30, 2021

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to support account-based application monitoring to onboard and monitor all supported resources in your account.

These permissions are required for Amazon CloudWatch Application Insights to query, tag resources, and create groups for these resources.

Application Insights added new permissions to support monitoring of SNS topics.

These permissions are required for Amazon CloudWatch Application Insights to gather metadata from SNS resources to configure monitoring for SNS topics.

September 15, 2021

Amazon managed policy: CloudWatchApplicationInsightsFullAccess – Update to an existing policy

Application Insights added new permissions to describe and list supported resources.

These permissions are required for Amazon CloudWatch Application Insights to create account-based applications by querying all of the supported resources in an account.

September 15, 2021

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to describe FSx resources.

These permissions are required for Amazon CloudWatch Application Insights to read customer FSx resource configurations, and to help customers automatically set up best practice FSx monitoring with CloudWatch.

August 31, 2021

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to describe and list ECS and EKS service resources.

This permission is required for Amazon CloudWatch Application Insights to read customer container resources configuration, and to help customers automatically set up best practice container monitoring with CloudWatch.

May 18, 2021

CloudwatchApplicationInsightsServiceLinkedRolePolicy – Update to an existing policy

Application Insights added new permissions to allow OpsCenter to tag OpsItems using the ssm:AddTagsToResource action on resources with the opsitem resource type.

This permission is required by OpsCenter. Amazon CloudWatch Application Insights creates OpsItems so that the customer can resolve problems using Amazon SSM OpsCenter.

April 13, 2021

Application Insights started tracking changes

Application Insights started tracking changes for its Amazon managed policies.

April 13, 2021