Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Service-linked role permissions for Amazon IoT SiteWise

Amazon IoT SiteWise uses the service-linked role named AWSServiceRoleForIoTSiteWise. Amazon IoT SiteWise uses this service-linked role to deploy SiteWise Edge gateways (which run on Amazon IoT Greengrass) and perform logging.

The AWSServiceRoleForIoTSiteWise service-linked role uses the AWSServiceRoleForIoTSiteWise policy with the following permissions. This policy:

  • Allows Amazon IoT SiteWise to deploy SiteWise Edge gateways (which run on Amazon IoT Greengrass).

  • Allows Amazon IoT SiteWise to perform logging.

  • Allows Amazon IoT SiteWise to run a metadata search query against the Amazon IoT TwinMaker database.

For more information on the allowed actions in AWSServiceRoleForIoTSiteWise, see Amazon managed policies for Amazon IoT SiteWise.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSiteWiseReadGreenGrass",
      "Effect": "Allow",
      "Action": [
        "greengrass:GetAssociatedRole",
        "greengrass:GetCoreDefinition",
        "greengrass:GetCoreDefinitionVersion",
        "greengrass:GetGroup",
        "greengrass:GetGroupVersion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSiteWiseAccessLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups"
      ],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*"
    },
    {
      "Sid": "AllowSiteWiseAccessLog",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
    },
    {
      "Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
      "Effect": "Allow",
      "Action": [
        "iottwinmaker:GetWorkspace",
        "iottwinmaker:ExecuteQuery"
      ],
      "Resource": "arn:aws-cn:iottwinmaker:*:*:workspace/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iottwinmaker:linkedServices": [
            "IOTSITEWISE"
          ]
        }
      }
    }
  ]
}
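As an added example (not part of the AWS documentation), the Python below checks sample requests against the policy above to show how its resource patterns and the iottwinmaker:linkedServices condition limit the role. It is a simplified matcher that models only Allow statements, * wildcards and the ForAnyValue:StringEquals operator; the function names are hypothetical, and the Region and account ID used with it are constructed sample values.

```python
import json
from fnmatch import fnmatchcase

# Policy text copied from this page (aws-cn partition), compacted to save space.
POLICY = json.loads("""
{"Version":"2012-10-17","Statement":[
 {"Sid":"AllowSiteWiseReadGreenGrass","Effect":"Allow",
  "Action":["greengrass:GetAssociatedRole","greengrass:GetCoreDefinition",
   "greengrass:GetCoreDefinitionVersion","greengrass:GetGroup","greengrass:GetGroupVersion"],
  "Resource":"*"},
 {"Sid":"AllowSiteWiseAccessLogGroup","Effect":"Allow",
  "Action":["logs:CreateLogGroup","logs:DescribeLogGroups"],
  "Resource":"arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*"},
 {"Sid":"AllowSiteWiseAccessLog","Effect":"Allow",
  "Action":["logs:CreateLogStream","logs:DescribeLogStreams","logs:PutLogEvents"],
  "Resource":"arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"},
 {"Sid":"AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker","Effect":"Allow",
  "Action":["iottwinmaker:GetWorkspace","iottwinmaker:ExecuteQuery"],
  "Resource":"arn:aws-cn:iottwinmaker:*:*:workspace/*",
  "Condition":{"ForAnyValue:StringEquals":{"iottwinmaker:linkedServices":["IOTSITEWISE"]}}}]}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, context):
    # Only the operator this policy uses is modelled; anything else fails closed.
    for op, keys in cond.items():
        if op != "ForAnyValue:StringEquals":
            return False
        for key, wanted in keys.items():
            if not set(_as_list(context.get(key, []))) & set(_as_list(wanted)):
                return False
    return True

def allowing_sid(action, resource, context=None, policy=POLICY):
    """Return the Sid of the Allow statement matching the request, else None."""
    for st in policy["Statement"]:
        acts = [a.lower() for a in _as_list(st["Action"])]  # action names are case-insensitive
        if (st["Effect"] == "Allow"
                and any(fnmatchcase(action.lower(), a) for a in acts)
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), context or {})):
            return st["Sid"]
    return None

def unscoped_statements(policy=POLICY):
    """Sids whose Resource is "*"; review these first when auditing the role."""
    return [s["Sid"] for s in policy["Statement"] if "*" in _as_list(s["Resource"])]
```

In this policy the only statement with an unscoped Resource is the Amazon IoT Greengrass one, and its actions are all Get* reads.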

You can use the logs to monitor and troubleshoot your SiteWise Edge gateways. For more information, see Monitoring SiteWise Edge gateway logs.

To allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role, first configure permissions. For more information, see Service-linked role permissions in the IAM User Guide.