Configuring access policies for Performance Insights - Amazon Aurora
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring access policies for Performance Insights

To access Performance Insights, a principal must have the appropriate permissions from Amazon Identity and Access Management (IAM). You can grant access in the following ways:

  • Attach the AmazonRDSPerformanceInsightsReadOnly managed policy to a permission set or role to access all read-only operations of the Performance Insights API.

  • Attach the AmazonRDSPerformanceInsightsFullAccess managed policy to a permission set or role to access all operations of the Performance Insights API.

  • Create a custom IAM policy and attach it to a permission set or role.

If you specified a customer managed key when you turned on Performance Insights, make sure that users in your account have the kms:Decrypt and kms:GenerateDataKey permissions on the Amazon KMS key.

In the following sections, attach an Amazon managed policy to an IAM principal, create a custom IAM policy, change an Amazon KMS policy, and grant fine-grained access for Performance Insights.

Attaching the AmazonRDSPerformanceInsightsReadOnly policy to an IAM principal

AmazonRDSPerformanceInsightsReadOnly is an Amazon managed policy that grants access to all read-only operations of the Amazon RDS Performance Insights API.

If you attach AmazonRDSPerformanceInsightsReadOnly to a permission set or role, the recipient can use Performance Insights with other console features.

For more information, see Amazon managed policy: AmazonRDSPerformanceInsightsReadOnly.

Attaching the AmazonRDSPerformanceInsightsFullAccess policy to an IAM principal

AmazonRDSPerformanceInsightsFullAccess is an Amazon managed policy that grants access to all operations of the Amazon RDS Performance Insights API.

If you attach AmazonRDSPerformanceInsightsFullAccess to a permission set or role, the recipient can use Performance Insights with other console features.

For more information, see Amazon managed policy: AmazonRDSPerformanceInsightsFullAccess.