Configuring access policies for Performance Insights
To access Performance Insights, a principal must have the appropriate permissions from Amazon Identity and Access Management (IAM). You can grant access in the following ways:
-
Attach the
AmazonRDSPerformanceInsightsReadOnly
managed policy to a permission set or role to access all read-only operations of the Performance Insights API. -
Attach the
AmazonRDSPerformanceInsightsFullAccess
managed policy to a permission set or role to access all operations of the Performance Insights API. -
Create a custom IAM policy and attach it to a permission set or role.
If you specified a customer managed key when you turned on Performance Insights, make sure that users in your account have the kms:Decrypt
and
kms:GenerateDataKey
permissions on the Amazon KMS key
Attaching the AmazonRDSPerformanceInsightsReadOnly policy to an IAM principal
AmazonRDSPerformanceInsightsReadOnly
is an Amazon managed
policy that grants access to all read-only operations of the Amazon RDS Performance Insights API.
If you attach AmazonRDSPerformanceInsightsReadOnly
to a permission set or
role, the recipient can use Performance Insights with other console features.
For more information, see Amazon managed policy: AmazonRDSPerformanceInsightsReadOnly.
Attaching the AmazonRDSPerformanceInsightsFullAccess policy to an IAM principal
AmazonRDSPerformanceInsightsFullAccess
is an Amazon managed
policy that grants access to all operations of the Amazon RDS Performance Insights API.
If you attach AmazonRDSPerformanceInsightsFullAccess
to a permission set
or role, the recipient can use Performance Insights with other console features.
For more information, see Amazon managed policy: AmazonRDSPerformanceInsightsFullAccess.
Creating a custom IAM policy for Performance Insights
For users who don't have either the AmazonRDSPerformanceInsightsReadOnly
or
AmazonRDSPerformanceInsightsFullAccess
policy, you can grant access to Performance Insights
by creating or modifying a user-managed IAM policy. When you attach the policy to an IAM
permission set or role, the recipient can use Performance Insights.
To create a custom policy
Open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create policy.
-
On the Create Policy page, choose the JSON option.
-
Copy and paste the text provided in the JSON policy document section in the Amazon Managed Policy Reference Guide for AmazonRDSPerformanceInsightsReadOnly or AmazonRDSPerformanceInsightsFullAccess policy.
-
Choose Review policy.
-
Provide a name for the policy and optionally a description, and then choose Create policy.
You can now attach the policy to a permission set or role. The following procedure assumes that you already have a user available for this purpose.
To attach the policy to a user
Open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Users.
-
Choose an existing user from the list.
Important
To use Performance Insights, make sure that you have access to Amazon RDS in addition to the custom policy. For example, the
AmazonRDSPerformanceInsightsReadOnly
predefined policy provides read-only access to Amazon RDS. For more information, see Managing access using policies. -
On the Summary page, choose Add permissions.
-
Choose Attach existing policies directly. For Search, type the first few characters of your policy name, as shown in the following image.
-
Choose your policy, and then choose Next: Review.
-
Choose Add permissions.
Configuring an Amazon KMS policy for Performance Insights
Performance Insights uses an Amazon KMS key to encrypt sensitive data. When you enable Performance Insights through the API or the console, you can do either of the following:
-
Choose the default Amazon managed key.
Amazon RDS uses the Amazon managed key for your new DB instance. Amazon RDS creates an Amazon managed key for your Amazon Web Services account. Your Amazon Web Services account has a different Amazon managed key for Amazon RDS for each Amazon Web Services Region.
-
Choose a customer managed key.
If you specify a customer managed key, users in your account that call the Performance Insights API need the
kms:Decrypt
andkms:GenerateDataKey
permissions on the KMS key. You can configure these permissions through IAM policies. However, we recommend that you manage these permissions through your KMS key policy. For more information, see Key policies in Amazon KMS in the Amazon Key Management Service Developer Guide.
The following example shows how to add statements to your KMS key policy. These statements allow access to Performance Insights. Depending on how you use the KMS key, you might want to change some restrictions. Before adding statements to your policy, remove all comments.
{ "Version" : "2012-10-17", "Id" : "your-policy", "Statement" : [ { //This represents a statement that currently exists in your policy. } ...., //Starting here, add new statement to your policy for Performance Insights. //We recommend that you add one new statement for every RDS instance { "Sid" : "Allow viewing RDS Performance Insights", "Effect": "Allow", "Principal": { "AWS": [ //One or more principals allowed to access Performance Insights "arn:aws-cn:iam::
444455556666
:role/Role1
" ] }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition" : { "StringEquals" : { //Restrict access to only RDS APIs (including Performance Insights). //Replaceregion
with your Amazon Region. //For example, specify us-west-2. "kms:ViaService" : "rds.region
.amazonaws.com" }, "ForAnyValue:StringEquals": { //Restrict access to only data encrypted by Performance Insights. "kms:EncryptionContext:aws:pi:service": "rds", "kms:EncryptionContext:service": "pi", //Restrict access to a specific RDS instance. //The value is a DbiResourceId. "kms:EncryptionContext:aws:rds:db-id": "db-AAAAABBBBBCCCCDDDDDEEEEE
" } } }
How Performance Insights uses Amazon KMS customer managed key
Performance Insights uses customer managed keys to encrypt sensitive data. When you turn on Performance Insights, you can provide an Amazon KMS key through the API. Performance Insights creates KMS permissions on this key. It uses the key and performs the necessary operations to process sensitive data. Sensitive data includes fields such as user, database, application, and SQL query text. Performance Insights ensures that the data remains encrypted both at rest and in-flight.
How Performance Insights IAM works with Amazon KMS
IAM gives permissions to specific APIs. Performance Insights has the following public APIs, which you can restrict using IAM policies:
DescribeDimensionKeys
GetDimensionKeyDetails
GetResourceMetadata
GetResourceMetrics
ListAvailableResourceDimensions
ListAvailableResourceMetrics
You can use the following API requests to get sensitive data.
DescribeDimensionKeys
GetDimensionKeyDetails
GetResourceMetrics
When you use the API to get sensitive data, Performance Insights leverages the caller's credentials. This check ensures that access to sensitive data is limited to those with access to the KMS key.
When calling these APIs, you need permissions to call the API through the IAM policy and
permissions to invoke the kms:decrypt
action through the Amazon KMS key
policy.
The GetResourceMetrics
API can return both sensitive and non-sensitive data. The request
parameters determine whether the response should include sensitive data. The API returns sensitive data
when the request includes a sensitive dimension in either the filter or group-by parameters.
For more information about the dimensions that you can use with the GetResourceMetrics
API, see DimensionGroup.
Examples
The following example requests the sensitive data for the db.user
group:
POST / HTTP/1.1 Host: <Hostname> Accept-Encoding: identity X-Amz-Target: PerformanceInsightsv20180227.GetResourceMetrics Content-Type: application/x-amz-json-1.1 User-Agent: <UserAgentString> X-Amz-Date: <Date> Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature> Content-Length: <PayloadSizeBytes> { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "MetricQueries": [ { "Metric": "db.load.avg", "GroupBy": { "Group": "db.user", "Limit": 2 } } ], "StartTime": 1693872000, "EndTime": 1694044800, "PeriodInSeconds": 86400 }
The following example requests the non-sensitive data for the db.load.avg
metric:
POST / HTTP/1.1 Host: <Hostname> Accept-Encoding: identity X-Amz-Target: PerformanceInsightsv20180227.GetResourceMetrics Content-Type: application/x-amz-json-1.1 User-Agent: <UserAgentString> X-Amz-Date: <Date> Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature> Content-Length: <PayloadSizeBytes> { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "MetricQueries": [ { "Metric": "db.load.avg" } ], "StartTime": 1693872000, "EndTime": 1694044800, "PeriodInSeconds": 86400 }
Granting fine-grained access for Performance Insights
Fine-grained access control offers additional ways of controlling access to Performance Insights. This
access control can allow or deny access to individual dimensions for
GetResourceMetrics
, DescribeDimensionKeys
, and
GetDimensionKeyDetails
Performance Insights actions. To use fine-grained access,
specify dimensions in the IAM policy by using condition keys. The evaluation of the access follows the IAM
policy evaluation logic. For more information, see Policy
evaluation logic in the IAM User Guide. If the IAM
policy statement doesn't specify any dimension, then the statement controls access to
all the dimensions for the specified action. For the list of available dimensions, see DimensionGroup.
To find out the dimensions that your credentials are authorized to access, use the AuthorizedActions
parameter in ListAvailableResourceDimensions
and specify the action. The allowed
values for AuthorizedActions
are as follows:
-
GetResourceMetrics
-
DescribeDimensionKeys
-
GetDimensionKeyDetails
For example, if you specify GetResourceMetrics
to the AuthorizedActions
parameter,
ListAvailableResourceDimensions
returns the list of dimensions that the GetResourceMetrics
action is authorized to access. If you specify multiple actions in the AuthorizedActions
parameter, then
ListAvailableResourceDimensions
returns an intersection of dimensions that those actions are
authorized to access.
The following example provides access to the specified dimensions for
GetResourceMetrics
and DescribeDimensionKeys
actions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "SingleAllow", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAllValues:StringEquals": { // only these dimensions are allowed. Dimensions not included in // a policy with "Allow" effect will be denied "pi:Dimensions": [ "db.sql_tokenized.id", "db.sql_tokenized.statement" ] } } } ] }
The following is the response for the requested dimension:
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, // { "Identifier": "db.sql_tokenized.db_id" }, // not included because not allows in the IAM Policy { "Identifier": "db.sql_tokenized.statement" } ] } ] } ] }
The following example specifies one allow and two deny access for the dimensions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "O01AllowAllWithoutSpecifyingDimensions", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "O01DenyAppDimensionForAll", "Effect": "Deny", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAnyValue:StringEquals": { "pi:Dimensions": [ "db.application.name" ] } } }, { "Sid": "O01DenySQLForGetResourceMetrics", "Effect": "Deny", "Action": [ "pi:GetResourceMetrics" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAnyValue:StringEquals": { "pi:Dimensions": [ "db.sql_tokenized.statement" ] } } } ] }
The following are the responses for the requested dimensions:
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["GetResourceMetrics"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // removed from response because denied by the IAM Policy // { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] }
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // allowed for DescribeDimensionKeys because our IAM Policy // denies it only for GetResourceMetrics { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] }