Configuring access policies for Performance Insights
To access Performance Insights, a principal must have the appropriate permissions from Amazon Identity and Access Management (IAM). You can grant access in the following ways:
-
Attach the
AmazonRDSPerformanceInsightsReadOnly
managed policy to a permission set or role to access all read-only operations of the Performance Insights API. -
Attach the
AmazonRDSPerformanceInsightsFullAccess
managed policy to a permission set or role to access all operations of the Performance Insights API. -
Create a custom IAM policy and attach it to a permission set or role.
If you specified a customer managed key when you turned on Performance Insights, make sure that users in your account have the kms:Decrypt
and
kms:GenerateDataKey
permissions on the Amazon KMS key.
In the following sections, attach an Amazon managed policy to an IAM principal, create a custom IAM policy, change an Amazon KMS policy, and grant fine-grained access for Performance Insights.
Topics
- Attaching the AmazonRDSPerformanceInsightsReadOnly policy to an IAM principal
- Attaching the AmazonRDSPerformanceInsightsFullAccess policy to an IAM principal
- Creating a custom IAM policy for Performance Insights
- Changing an Amazon KMS policy for Performance Insights
- Granting fine-grained access for Performance Insights
Attaching the AmazonRDSPerformanceInsightsReadOnly policy to an IAM principal
AmazonRDSPerformanceInsightsReadOnly
is an Amazon managed
policy that grants access to all read-only operations of the Amazon RDS Performance Insights API.
If you attach AmazonRDSPerformanceInsightsReadOnly
to a permission set or
role, the recipient can use Performance Insights with other console features.
For more information, see Amazon managed policy: AmazonRDSPerformanceInsightsReadOnly.
Attaching the AmazonRDSPerformanceInsightsFullAccess policy to an IAM principal
AmazonRDSPerformanceInsightsFullAccess
is an Amazon managed
policy that grants access to all operations of the Amazon RDS Performance Insights API.
If you attach AmazonRDSPerformanceInsightsFullAccess
to a permission set
or role, the recipient can use Performance Insights with other console features.
For more information, see Amazon managed policy: AmazonRDSPerformanceInsightsFullAccess.