

# Security in Amazon Managed Grafana
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon Managed Grafana, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Amazon Managed Grafana. The following topics show you how to configure Amazon Managed Grafana to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Managed Grafana resources. 

**Topics**
+ [Data protection in AWS](data-protection.md)
+ [Identity and Access Management for Amazon Managed Grafana](security-iam.md)
+ [Amazon Managed Grafana permissions and policies for AWS data sources](AMG-manage-permissions.md)
+ [IAM permissions](AMG-and-IAM.md)
+ [Compliance Validation for Amazon Managed Grafana](AMG-compliance.md)
+ [Resilience in Amazon Managed Grafana](disaster-recovery-resiliency.md)
+ [Infrastructure Security in Amazon Managed Grafana](infrastructure-security.md)
+ [Logging Amazon Managed Grafana API calls using AWS CloudTrail](logging-using-cloudtrail.md)
+ [Security best practices](AMG-Security-Best-Practices.md)
+ [Interface VPC endpoints](VPC-endpoints.md)

# Data protection in AWS
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Managed Grafana. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Managed Grafana or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

## Data protection in Amazon Managed Grafana
<a name="data-protection-Amazon-Service-Grafana"></a>

Amazon Managed Grafana collects and stores the following types of data:
+ Customer-provided dashboard and alert configurations for Grafana workspaces.
+ Grafana dashboard snapshots that you have saved to your workspace.
+ A list of AWS IAM Identity Center users that have been granted access to the Grafana workspace, including the user names and email addresses of the users.

The data that Amazon Managed Grafana stores is encrypted with AWS Key Management Service. Data in transit is automatically encrypted with Secure Sockets Layer (SSL).

# Identity and Access Management for Amazon Managed Grafana
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Managed Grafana resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How Amazon Managed Grafana works with IAM](security_iam_service-with-iam.md)
+ [Identity-based policy examples for Amazon Managed Grafana](security_iam_id-based-policy-examples.md)
+ [AWS managed policies for Amazon Managed Grafana](security-iam-awsmanpol.md)
+ [Troubleshooting Amazon Managed Grafana identity and access](security_iam_troubleshoot.md)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)
+ [Using service-linked roles for Amazon Managed Grafana](using-service-linked-roles.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting Amazon Managed Grafana identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How Amazon Managed Grafana works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples for Amazon Managed Grafana](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How Amazon Managed Grafana works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to Amazon Managed Grafana, learn what IAM features are available to use with Amazon Managed Grafana.

**IAM features you can use with Amazon Managed Grafana**  

| IAM feature | Amazon Managed Grafana support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   Yes  | 
|  [Policy condition keys](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   No   | 
|  [ACLs](#security_iam_service-with-iam-acls)  |   No   | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   Yes  | 
|  [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   Yes  | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

To get a high-level view of how Amazon Managed Grafana and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for Amazon Managed Grafana
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for Amazon Managed Grafana
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>

To view examples of Amazon Managed Grafana identity-based policies, see [Identity-based policy examples for Amazon Managed Grafana](security_iam_id-based-policy-examples.md).

## Resource-based policies within Amazon Managed Grafana
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** No 

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Policy actions for Amazon Managed Grafana
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

To see a list of Amazon Managed Grafana actions, see [Actions defined by Amazon Managed Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html#amazonmanagedgrafana-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in Amazon Managed Grafana use the following prefix before the action:

```
grafana
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
    "grafana:action1",
    "grafana:action2"
]
```

To view examples of Amazon Managed Grafana identity-based policies, see [Identity-based policy examples for Amazon Managed Grafana](security_iam_id-based-policy-examples.md).

## Policy resources for Amazon Managed Grafana
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

To see a list of Amazon Managed Grafana resource types and their ARNs, see [Resources defined by Amazon Managed Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html#amazonmanagedgrafana-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by Amazon Managed Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html#amazonmanagedgrafana-actions-as-permissions).

To view examples of Amazon Managed Grafana identity-based policies, see [Identity-based policy examples for Amazon Managed Grafana](security_iam_id-based-policy-examples.md).

## Policy condition keys for Amazon Managed Grafana
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** No 

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

## Access control lists (ACLs) in Amazon Managed Grafana
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## Attribute-based access control (ABAC) with Amazon Managed Grafana
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** Yes

Amazon Managed Grafana supports tagging of both its resources and the IAM identities that access them.

For more information about tagging Amazon Managed Grafana resources, see [Tag Amazon Managed Grafana workspaces](Tagging_workspaces.md).

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see [AWS managed policies for Amazon Managed Grafana](security-iam-awsmanpol.md).

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
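To make the Policy actions, Policy resources and ABAC sections above concrete, here is an added example (not AWS documentation or Amazon Managed Grafana code) in Python: a toy evaluator that runs a constructed identity-based policy, using the `grafana:` action prefix, a workspace ARN and the `*` wildcard in `Resource`, and a `StringEquals` condition comparing `aws:ResourceTag/team` with the `${aws:PrincipalTag/team}` policy variable, against sample requests. It models only implicit deny, explicit Deny overriding Allow, `StringEquals`, `Bool` and policy-variable substitution; the action names are Amazon Managed Grafana API operations, while the workspace ARN shape is assumed from the Service Authorization Reference and the account id, workspace ids and tag values are made up.

```python
# Toy evaluator for the identity-based policy shapes described on this page
# (constructed illustration, not IAM or Amazon Managed Grafana code; the account
# id, workspace ids and tag values are made up). Implicit deny, explicit Deny wins.
import fnmatch
import json
import re

WORKSPACE_ARN_PREFIX = "arn:aws:grafana:us-east-1:111122223333:/workspaces/"

# Assumed least-privilege policy: read/update only workspaces tagged with the
# caller's own team, list workspaces (no resource-level permission), and refuse
# any grafana: call that is not made over TLS.
ABAC_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAndUpdateOwnTeamsWorkspaces",
      "Effect": "Allow",
      "Action": ["grafana:DescribeWorkspace", "grafana:UpdateWorkspace"],
      "Resource": "arn:aws:grafana:us-east-1:111122223333:/workspaces/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
      }
    },
    {
      "Sid": "ListWorkspaces",
      "Effect": "Allow",
      "Action": "grafana:ListWorkspaces",
      "Resource": "*"
    },
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Action": "grafana:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

def _as_list(value):
    # Policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _substitute(value, ctx):
    # Expand ${key} policy variables from the request context (empty if absent).
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _condition_holds(condition, ctx):
    # Every operator/key pair must match; a key missing from the request fails.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = [_substitute(v, ctx) for v in _as_list(expected)]
            if operator == "StringEquals":
                matched = actual in wanted
            elif operator == "Bool":
                matched = actual.lower() in [w.lower() for w in wanted]
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
            if not matched:
                return False
    return True

def _statement_matches(stmt, action, resource, ctx):
    # Action and Resource use IAM-style * and ? wildcards, then Condition applies.
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, resource, ctx):
    """Return "Allow" or "Deny": an explicit Deny always wins, otherwise an
    explicit Allow is needed, otherwise the request is implicitly denied."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    ws = WORKSPACE_ARN_PREFIX + "g-1a2b3c4d5e"
    same_team = {"aws:ResourceTag/team": "sre", "aws:PrincipalTag/team": "sre",
                 "aws:SecureTransport": "true"}
    other_team = {**same_team, "aws:ResourceTag/team": "payments"}
    plaintext = {**same_team, "aws:SecureTransport": "false"}
    for label, action, res, ctx in [
        ("own team over TLS", "grafana:DescribeWorkspace", ws, same_team),
        ("other team's workspace", "grafana:DescribeWorkspace", ws, other_team),
        ("own team, plaintext", "grafana:UpdateWorkspace", ws, plaintext),
        ("list with wildcard resource", "grafana:ListWorkspaces", "*", same_team),
    ]:
        print(f"{label:28} -> {evaluate(ABAC_POLICY, action, res, ctx)}")
```

An untagged workspace is denied too, because a missing `aws:ResourceTag/team` key never satisfies `StringEquals`, which is why tag hygiene matters as much as the policy text when you rely on ABAC.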

## Using temporary credentials with Amazon Managed Grafana
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Forward access sessions for Amazon Managed Grafana
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** Yes

Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the permissions of the requesting AWS service, to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html).

## Service roles for Amazon Managed Grafana
<a name="security_iam_service-with-iam-roles-service"></a>

**Supports service roles:** Yes

A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

**Warning**  
Changing the permissions for a service role might break Amazon Managed Grafana functionality. Edit service roles only when Amazon Managed Grafana provides guidance to do so.

## Service-linked roles for Amazon Managed Grafana
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

For details about creating or managing Amazon Managed Grafana service-linked roles, see [Using service-linked roles for Amazon Managed Grafana](using-service-linked-roles.md).

# Identity-based policy examples for Amazon Managed Grafana
<a name="security_iam_id-based-policy-examples"></a>

By default, users and roles don't have permission to create or modify Amazon Managed Grafana resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by Amazon Managed Grafana, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for Amazon Managed Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html) in the *Service Authorization Reference*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the Amazon Managed Grafana console](#security_iam_id-based-policy-examples-console)
+ [Sample policies for Amazon Managed Grafana](#security_iam_AMG-id-based-policy-examples)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Amazon Managed Grafana resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Amazon Managed Grafana console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy. 

## Sample policies for Amazon Managed Grafana
<a name="security_iam_AMG-id-based-policy-examples"></a>

This section contains identity-based policies that are useful for several Amazon Managed Grafana scenarios.

### Grafana administrator using SAML
<a name="security_iam_id-based-policy-examples-SAML"></a>

If you use SAML for your user authentication, the administrator who creates and manages Amazon Managed Grafana needs the following policies:
+ **AWSGrafanaAccountAdministrator** or the equivalent permissions to create and manage Amazon Managed Grafana workspaces.
+ The **AWSMarketplaceManageSubscriptions** policy or equivalent permissions, if you want to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise.

#### Grafana administrator in a management account using IAM Identity Center
<a name="security_iam_id-based-policy-examples-admin-org"></a>

To grant permissions to create and manage Amazon Managed Grafana workspaces across an entire organization, and to enable dependencies such as IAM Identity Center, assign the **AWSGrafanaAccountAdministrator**, **AWSSSOMasterAccountAdministrator** and the **AWSSSODirectoryAdministrator** policies to a user. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the **AWSMarketplaceManageSubscriptions** IAM policy or the equivalent permissions.

If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the `iam:CreateRole`, `iam:CreatePolicy`, and `iam:AttachRolePolicy` permissions. These are required to use CloudFormation StackSets to deploy policies that enable you to read data sources in the organization's accounts.

**Important**  
Granting a user the `iam:CreateRole`, `iam:CreatePolicy`, and `iam:AttachRolePolicy` permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to. 

To see the permissions granted to **AWSGrafanaAccountAdministrator**, see [AWS managed policy: AWSGrafanaAccountAdministrator](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSGrafanaAccountAdministrator).

#### Grafana administrator in a member account using IAM Identity Center
<a name="security_iam_id-based-policy-examples-admin-member"></a>

To grant permissions to create and manage Amazon Managed Grafana workspaces in the member account of an organization, assign the **AWSGrafanaAccountAdministrator**, **AWSSSOMemberAccountAdministrator** and the **AWSSSODirectoryAdministrator** policies to a user. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the **AWSMarketplaceManageSubscriptions** IAM policy or the equivalent permissions.

If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the `iam:CreateRole`, `iam:CreatePolicy`, and `iam:AttachRolePolicy` permissions. These are required to enable the user to read data sources in the account.

**Important**  
Granting a user the `iam:CreateRole`, `iam:CreatePolicy`, and `iam:AttachRolePolicy` permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to. 

To see the permissions granted to **AWSGrafanaAccountAdministrator**, see [AWS managed policy: AWSGrafanaAccountAdministrator](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSGrafanaAccountAdministrator).

#### Create and manage Amazon Managed Grafana workspaces and users in a single standalone account using IAM Identity Center
<a name="security_iam_id-based-policy-examples-create-workspace-standalone"></a>

A standalone AWS account is an account that is not yet a member of an organization. For more information about organizations, see [What is AWS Organizations?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) 

To grant permissions to create and manage Amazon Managed Grafana workspaces and users in a standalone account, assign the **AWSGrafanaAccountAdministrator**, **AWSSSOMasterAccountAdministrator**, **AWSOrganizationsFullAccess** and **AWSSSODirectoryAdministrator** policies to a user. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the **AWSMarketplaceManageSubscriptions** IAM policy or the equivalent permissions.

**Important**  
Granting a user the `iam:CreateRole`, `iam:CreatePolicy`, and `iam:AttachRolePolicy` permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to. 

To see the permissions granted to **AWSGrafanaAccountAdministrator**, see [AWS managed policy: AWSGrafanaAccountAdministrator](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSGrafanaAccountAdministrator).
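The three permissions named in the note above are worth checking for mechanically, because together they are enough to author an all-access policy and attach it to any role. The following is an added check (not AWS code) that scans a principal's attached policy documents for that combination; it uses the AWSGrafanaAccountAdministrator listing from later on this page plus two constructed sample policies.

```python
"""Added example, not AWS code: report whether a set of identity-based policy
documents grants all of iam:CreateRole, iam:CreatePolicy and
iam:AttachRolePolicy, the combination this page warns about.

Modelled: Allow/Deny, '*' and '?' wildcards in Action (so "iam:*" and "*"
count), and explicit Deny overriding Allow. Not modelled: Resource scoping,
Conditions, NotAction/NotResource, SCPs and permission boundaries. Ignoring
Resource and Condition keeps the check conservative: it may over-report a
conditional grant, but it never misses an unconditional one."""
import fnmatch

ESCALATION_TRIO = ("iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy")


def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _statement_matches(stmt, action):
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action")))


def granted_actions(*policies, actions=ESCALATION_TRIO):
    """Return, sorted, the members of `actions` that some Allow statement
    matches and no Deny statement matches across all given policy documents."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in policy.get("Statement", []):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.update(a for a in actions if _statement_matches(stmt, a))
    return sorted(allowed - denied)


def grants_escalation_trio(*policies):
    """True when every permission in ESCALATION_TRIO is effectively granted."""
    return granted_actions(*policies) == sorted(ESCALATION_TRIO)


# AWSGrafanaAccountAdministrator as listed on this page.
ACCOUNT_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSGrafanaOrganizationAdmin", "Effect": "Allow",
     "Action": ["iam:ListRoles"], "Resource": "*"},
    {"Sid": "GrafanaIAMGetRolePermission", "Effect": "Allow",
     "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*"},
    {"Sid": "AWSGrafanaPermissions", "Effect": "Allow",
     "Action": ["grafana:*"], "Resource": "*"},
    {"Sid": "GrafanaIAMPassRolePermission", "Effect": "Allow",
     "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringLike": {"iam:PassedToService": "grafana.amazonaws.com"}}},
]}

# Constructed sample: a customer managed policy adding exactly the three
# permissions that service-managed workspace creation needs.
WORKSPACE_CREATOR_ADDON = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(ESCALATION_TRIO), "Resource": "*"},
]}

# Constructed sample: a broad wildcard grant with an explicit Deny on one
# member of the trio, which is enough to break the combination.
BROAD_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:AttachRolePolicy", "Resource": "*"},
]}


if __name__ == "__main__":
    for label, docs in [("admin only", (ACCOUNT_ADMIN,)),
                        ("admin + creator add-on", (ACCOUNT_ADMIN, WORKSPACE_CREATOR_ADDON)),
                        ("broad allow with deny", (BROAD_WITH_DENY,))]:
        print(f"{label:24s} trio granted: {grants_escalation_trio(*docs)!s:5s} "
              f"granted: {granted_actions(*docs)}")
```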

#### Assign and unassign users access to Amazon Managed Grafana
<a name="security_iam_id-based-policy-examples-assign-users"></a>

To grant permissions to manage other users' access to Amazon Managed Grafana workspaces in the account, including granting Grafana admin permissions to those users for the workspaces, assign the **AWSGrafanaWorkspacePermissionManagementV2** policy to that user. If you are using IAM Identity Center to manage users in this workspace, the user also needs the **AWSSSOReadOnly** and **AWSSSODirectoryReadOnly** policies.

To see the permissions granted to **AWSGrafanaWorkspacePermissionManagementV2**, see [AWS managed policy: AWSGrafanaWorkspacePermissionManagementV2](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagementV2)

#### Amazon Managed Grafana read-only permissions
<a name="security_iam_id-based-policy-examples-Grafana-readonly"></a>

To grant permissions for read actions, such as listing and viewing workspaces and opening the Grafana workspace console, assign the **AWSGrafanaConsoleReadOnlyAccess**, **AWSSSOReadOnly** and **AWSSSODirectoryReadOnly** policies to a user or IAM role.

To see the permissions granted to **AWSGrafanaConsoleReadOnlyAccess**, see [AWS managed policy: AWSGrafanaConsoleReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSGrafanaConsoleReadOnlyAccess).

# AWS managed policies for Amazon Managed Grafana
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AWSGrafanaAccountAdministrator
<a name="security-iam-awsmanpol-AWSGrafanaAccountAdministrator"></a>

AWSGrafanaAccountAdministrator policy provides access within Amazon Managed Grafana to create and manage accounts and workspaces for the entire organization.

You can attach AWSGrafanaAccountAdministrator to your IAM entities.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to list and get IAM roles so that the administrator can associate a role with a workspace as well as pass roles to the Amazon Managed Grafana service. 
+ `Amazon Managed Grafana` – Allows principals read and write access to all Amazon Managed Grafana APIs.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSGrafanaOrganizationAdmin",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GrafanaIAMGetRolePermission",
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "AWSGrafanaPermissions",
            "Effect": "Allow",
            "Action": [
                "grafana:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GrafanaIAMPassRolePermission",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "grafana.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## AWS managed policy: AWSGrafanaWorkspacePermissionManagement (obsolete)
<a name="security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagement"></a>

This policy is obsolete. This policy should not be attached to any new users, groups, or roles.

Amazon Managed Grafana added a new policy, [AWSGrafanaWorkspacePermissionManagementV2](#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagementV2) to replace this policy. This new managed policy improves security for your workspace by providing a more restrictive set of permissions.

## AWS managed policy: AWSGrafanaWorkspacePermissionManagementV2
<a name="security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagementV2"></a>

AWSGrafanaWorkspacePermissionManagementV2 policy provides only the ability to update user and group permissions for Amazon Managed Grafana workspaces.

You can attach AWSGrafanaWorkspacePermissionManagementV2 to your IAM entities. 

**Permissions details**

This policy includes the following permissions.
+ `Amazon Managed Grafana` – Allows principals to read and update user and group permissions for Amazon Managed Grafana workspaces.
+ `IAM Identity Center` – Allows principals to read IAM Identity Center entities. This is a necessary part of associating principals with Amazon Managed Grafana applications, but that also requires an additional step, described after the policy listing that follows.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSGrafanaPermissions",
            "Effect": "Allow",
            "Action": [
                "grafana:DescribeWorkspace",
                "grafana:DescribeWorkspaceAuthentication",
                "grafana:UpdatePermissions",
                "grafana:ListPermissions",
                "grafana:ListWorkspaces"
            ],
            "Resource": "arn:aws:grafana:*:*:/workspaces*"
        },
        {
            "Sid": "IAMIdentityCenterPermissions",
            "Effect": "Allow",
            "Action": [
                "sso:DescribeRegisteredRegions",
                "sso:GetSharedSsoConfiguration",
                "sso:ListDirectoryAssociations",
                "sso:GetManagedApplicationInstance",
                "sso:ListProfiles",
                "sso:GetProfile",
                "sso:ListProfileAssociations",
                "sso-directory:DescribeUser",
                "sso-directory:DescribeGroup"
            ],
            "Resource": "*"
        }
    ]
}
```

------

**Additional policy needed**

To fully allow a user to assign permissions, in addition to the `AWSGrafanaWorkspacePermissionManagementV2` policy, you must also assign a policy to provide access to Application assignment in IAM Identity Center.

To create this policy, you must first collect the **Grafana application ARN** for your workspace.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Applications** from the left menu.

1. Under the **AWS managed** tab, find the application called **Amazon Grafana-*workspace-name***, where `workspace-name` is the name of your workspace. Select the application name.

1. The IAM Identity Center application managed by Amazon Managed Grafana for the workspace is shown. This application's ARN is shown in the details page. It will be in the form: `arn:aws:sso::owner-account-id:application/ssoins-unique-id/apl-unique-id`.

The policy you create should look like the following. Replace *grafana-application-arn* with the ARN that you found in the previous step:

For information about how to create and apply policy to your roles or users, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *AWS Identity and Access Management User Guide*.

## AWS managed policy: AWSGrafanaConsoleReadOnlyAccess
<a name="security-iam-awsmanpol-AWSGrafanaConsoleReadOnlyAccess"></a>

AWSGrafanaConsoleReadOnlyAccess policy grants access to read-only operations in Amazon Managed Grafana. 

You can attach AWSGrafanaConsoleReadOnlyAccess to your IAM entities. 

**Permissions details**

This policy includes the following permission.
+ `Amazon Managed Grafana` – Allows principals read-only access to Amazon Managed Grafana APIs.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSGrafanaConsoleReadOnlyAccess",
      "Effect": "Allow",
      "Action": ["grafana:Describe*", "grafana:List*"],
      "Resource": "*"
    }
  ]
}
```

------

## AWS managed policy: AmazonGrafanaRedshiftAccess
<a name="security-iam-awsmanpol-AmazonGrafanaRedshiftAccess"></a>

This policy grants scoped access to Amazon Redshift and the dependencies needed to use the Amazon Redshift plugin in Amazon Managed Grafana. AmazonGrafanaRedshiftAccess policy allows a user or an IAM role to use the Amazon Redshift data source plugin in Grafana. Temporary credentials for Amazon Redshift databases are scoped to the database user `redshift_data_api_user`, and credentials from Secrets Manager can be retrieved only if the secret is tagged with the key `RedshiftQueryOwner`. This policy allows access to Amazon Redshift clusters tagged with `GrafanaDataSource`. When you create a customer managed policy instead, the tag-based restriction is optional.

You can attach AmazonGrafanaRedshiftAccess to your IAM entities. Amazon Managed Grafana also attaches this policy to a service role that allows Amazon Managed Grafana to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `Amazon Redshift` – Allows principals to describe clusters and obtain temporary credentials for a database user named `redshift_data_api_user`.
+ `Amazon Redshift Data API` (`redshift-data`) – Allows principals to execute queries on clusters tagged as `GrafanaDataSource`.
+ `Secrets Manager` – Allows principals to list secrets and read secret values for secrets tagged as `RedshiftQueryOwner`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift-data:GetStatementResult",
        "redshift-data:DescribeStatement",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:DescribeTable",
        "redshift-data:ExecuteStatement",
        "redshift-data:ListTables",
        "redshift-data:ListSchemas"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/GrafanaDataSource": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:*:*:dbname:*/*",
        "arn:aws:redshift:*:*:dbuser:*/redshift_data_api_user"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "secretsmanager:ResourceTag/RedshiftQueryOwner": "false"
        }
      }
    }
  ]
}
```

------
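Two conditions in the listings above are easy to misread: the `iam:PassedToService` StringLike condition on `iam:PassRole` in AWSGrafanaAccountAdministrator, and the `"Null": {...: "false"}` tag conditions in AmazonGrafanaRedshiftAccess (the same pattern appears in AmazonGrafanaAthenaAccess). The following added example (not AWS code) is a deliberately minimal evaluator that runs constructed sample requests against statements copied from those listings and from AWSGrafanaConsoleReadOnlyAccess; the account id, role and cluster names are made up.

```python
"""Added example, not AWS code: a deliberately minimal IAM-style evaluator that
decides requests against managed-policy statements copied from this page. It
models only what those statements use (Allow/Deny, '*' wildcards in Action and
Resource, the StringLike and Null operators); the rest of real IAM is out of scope."""
import fnmatch
import json

def _matches_any(value, patterns):
    """IAM accepts a string or a list of patterns; '*' and '?' are wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, pat) for pat in patterns)

def _condition_holds(condition, context):
    """`context` maps condition keys to request values; a key the request does
    not carry is simply missing from the dict."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringLike":
                if actual is None or not _matches_any(actual, expected):
                    return False
            elif operator == "Null":
                # Null tests presence, not value: "true" passes when the key is
                # absent, "false" when it is present with any value. Hence
                # {"Null": {"aws:ResourceTag/GrafanaDataSource": "false"}} means
                # "the resource must carry that tag", whatever it is set to.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True

def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny": an explicit Deny beats any Allow, and a request
    matched by no statement at all is implicitly denied."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt["Action"]):
            continue
        if not _matches_any(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Statements copied from the policy listings on this page.
PASS_ROLE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GrafanaIAMPassRolePermission", "Effect": "Allow",
     "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringLike": {"iam:PassedToService": "grafana.amazonaws.com"}}}]}

REDSHIFT_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["redshift-data:DescribeTable", "redshift-data:ExecuteStatement",
                "redshift-data:ListTables", "redshift-data:ListSchemas"],
     "Resource": "*",
     "Condition": {"Null": {"aws:ResourceTag/GrafanaDataSource": "false"}}},
    {"Effect": "Allow", "Action": "redshift:GetClusterCredentials",
     "Resource": ["arn:aws:redshift:*:*:dbname:*/*",
                  "arn:aws:redshift:*:*:dbuser:*/redshift_data_api_user"]}]}

CONSOLE_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSGrafanaConsoleReadOnlyAccess", "Effect": "Allow",
     "Action": ["grafana:Describe*", "grafana:List*"], "Resource": "*"}]}

def worked_requests():
    """Decisions for constructed sample requests (made-up account id and names)."""
    role = "arn:aws:iam::123456789012:role/GrafanaDataSourceRole"
    cluster = "arn:aws:redshift:us-east-1:123456789012:cluster:analytics"
    dbuser = "arn:aws:redshift:us-east-1:123456789012:dbuser:analytics/"
    to_grafana = {"iam:PassedToService": "grafana.amazonaws.com"}
    to_other = {"iam:PassedToService": "lambda.amazonaws.com"}
    return {
        "pass_role_to_grafana": evaluate(PASS_ROLE_ONLY, "iam:PassRole", role, to_grafana),
        "pass_role_to_other_service": evaluate(PASS_ROLE_ONLY, "iam:PassRole", role, to_other),
        "query_tagged_cluster": evaluate(REDSHIFT_ACCESS, "redshift-data:ExecuteStatement",
                                         cluster, {"aws:ResourceTag/GrafanaDataSource": "yes"}),
        "query_untagged_cluster": evaluate(REDSHIFT_ACCESS, "redshift-data:ExecuteStatement",
                                           cluster),
        "creds_for_api_user": evaluate(REDSHIFT_ACCESS, "redshift:GetClusterCredentials",
                                       dbuser + "redshift_data_api_user"),
        "creds_for_other_user": evaluate(REDSHIFT_ACCESS, "redshift:GetClusterCredentials",
                                         dbuser + "admin"),
        "readonly_describe": evaluate(CONSOLE_READ_ONLY, "grafana:DescribeWorkspace", "*"),
        "readonly_update": evaluate(CONSOLE_READ_ONLY, "grafana:UpdatePermissions", "*"),
    }

if __name__ == "__main__":
    print(json.dumps(worked_requests(), indent=2))
```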

## AWS managed policy: AmazonGrafanaAthenaAccess
<a name="security-iam-awsmanpol-AmazonGrafanaAthenaAccess"></a>

This policy grants access to Athena and the dependencies needed to enable querying and writing results to Amazon S3 from the Athena plugin in Amazon Managed Grafana. AmazonGrafanaAthenaAccess policy allows a user or an IAM role to use the Athena data source plugin in Grafana. Athena workgroups must be tagged with `GrafanaDataSource` to be accessible. This policy contains permissions for writing query results in an Amazon S3 bucket with a name prefixed with `grafana-athena-query-results-`. Amazon S3 permissions for accessing the underlying data source of an Athena query are not included in this policy. 

You can attach the AmazonGrafanaAthenaAccess policy to your IAM entities. Amazon Managed Grafana also attaches this policy to a service role that allows Amazon Managed Grafana to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `Athena` – Allows principals to run queries on Athena resources in workgroups tagged as `GrafanaDataSource`.
+ `Amazon S3` – Allows principals to read and write query results to a bucket prefixed with `grafana-athena-query-results-`.
+ `AWS Glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena.

------
#### [ JSON ]

```
{
	"Version": "2012-10-17",
	"Statement": [
	    {
	        "Effect": "Allow",
	        "Action": [
	            "athena:GetDatabase",
	            "athena:GetDataCatalog",
	            "athena:GetTableMetadata",
	            "athena:ListDatabases",
	            "athena:ListDataCatalogs",
	            "athena:ListTableMetadata",
	            "athena:ListWorkGroups"
	        ],
	        "Resource": [
	            "*"
	        ]
	    },
	    {
	        "Effect": "Allow",
	        "Action": [
	            "athena:GetQueryExecution",
	            "athena:GetQueryResults",
	            "athena:GetWorkGroup",
	            "athena:StartQueryExecution",
	            "athena:StopQueryExecution"
	        ],
	        "Resource": [
	            "*"
	        ],
	        "Condition": {
	            "Null": {
	                "aws:ResourceTag/GrafanaDataSource": "false"
	            }
	        }
	    },
	    {
	        "Effect": "Allow",
	        "Action": [
	            "glue:GetDatabase",
	            "glue:GetDatabases",
	            "glue:GetTable",
	            "glue:GetTables",
	            "glue:GetPartition",
	            "glue:GetPartitions",
	            "glue:BatchGetPartition"
	        ],
	        "Resource": [
	            "*"
	        ]
	    },
	    {
	        "Effect": "Allow",
	        "Action": [
	            "s3:GetBucketLocation",
	            "s3:GetObject",
	            "s3:ListBucket",
	            "s3:ListBucketMultipartUploads",
	            "s3:ListMultipartUploadParts",
	            "s3:AbortMultipartUpload",
	            "s3:CreateBucket",
	            "s3:PutObject",
	            "s3:PutBucketPublicAccessBlock"
	        ],
	        "Resource": [
	            "arn:aws:s3:::grafana-athena-query-results-*"
	        ]
	    }
	]
}
```

------

## AWS managed policy: AmazonGrafanaCloudWatchAccess
<a name="security-iam-awsmanpol-AmazonGrafanaCloudWatchAccess"></a>

This policy grants access to Amazon CloudWatch and the dependencies needed to use CloudWatch as a datasource within Amazon Managed Grafana.

You can attach the AmazonGrafanaCloudWatchAccess policy to your IAM entities. Amazon Managed Grafana also attaches this policy to a service role that allows Amazon Managed Grafana to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `CloudWatch` – Allows principals to list and get metric data and logs from Amazon CloudWatch. It also allows viewing data shared from source accounts in CloudWatch cross-account observability.
+ `Amazon EC2` – Allows principals to get details regarding resources that are being monitored.
+ `Tags` – Allows principals to access tags on resources, to allow filtering the CloudWatch metric queries.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:GetLogGroupFields",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oam:ListSinks",
        "oam:ListAttachedLinks"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Amazon Managed Grafana updates to AWS managed policies
<a name="iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon Managed Grafana since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Amazon Managed Grafana document history](doc-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSGrafanaWorkspacePermissionManagement](#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagement) – obsolete  |  This policy has been replaced by **AWSGrafanaWorkspacePermissionManagementV2**. This policy is considered obsolete, and will no longer be updated. The new policy improves security for your workspace by providing a more restrictive set of permissions.  | January 5, 2024 | 
|  [AWSGrafanaWorkspacePermissionManagementV2](#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagementV2) – New policy  |  Amazon Managed Grafana added a new policy, **AWSGrafanaWorkspacePermissionManagementV2** to replace the obsolete **AWSGrafanaWorkspacePermissionManagement** policy. This new managed policy improves security for your workspace by providing a more restrictive set of permissions.  | January 5, 2024 | 
|  [AmazonGrafanaCloudWatchAccess](#security-iam-awsmanpol-AmazonGrafanaCloudWatchAccess) – New policy  |  Amazon Managed Grafana added a new policy **AmazonGrafanaCloudWatchAccess**.  | March 24, 2023 | 
|  [AWSGrafanaWorkspacePermissionManagement](#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagement) – Update to an existing policy  |  Amazon Managed Grafana added new permissions to **AWSGrafanaWorkspacePermissionManagement** so that IAM Identity Center users and groups in Active Directory can be associated with Grafana workspaces. The following permissions were added: `sso-directory:DescribeUser`, and `sso-directory:DescribeGroup`  | March 14, 2023 | 
| [AWSGrafanaWorkspacePermissionManagement](#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagement) – Update to an existing policy |  Amazon Managed Grafana added new permissions to **AWSGrafanaWorkspacePermissionManagement** so that IAM Identity Center users and groups can be associated with Grafana workspaces. The following permissions were added: `sso:DescribeRegisteredRegions`, `sso:GetSharedSsoConfiguration`, `sso:ListDirectoryAssociations`, `sso:GetManagedApplicationInstance`, `sso:ListProfiles`, `sso:AssociateProfile`, `sso:DisassociateProfile`, `sso:GetProfile`, and `sso:ListProfileAssociations`.  | December 20, 2022 | 
|  [AmazonGrafanaServiceLinkedRolePolicy](using-service-linked-roles.md) – New SLR policy  |  Amazon Managed Grafana added a new policy for the Grafana service-linked role, **AmazonGrafanaServiceLinkedRolePolicy**.  | November 18, 2022  | 
|  [AWSGrafanaAccountAdministrator](#security-iam-awsmanpol-AWSGrafanaAccountAdministrator), [AWSGrafanaConsoleReadOnlyAccess](#security-iam-awsmanpol-AWSGrafanaConsoleReadOnlyAccess)  | Allow access to all Amazon Managed Grafana resources | February 17, 2022 | 
|  [AmazonGrafanaRedshiftAccess](#security-iam-awsmanpol-AmazonGrafanaRedshiftAccess) – New policy  |  Amazon Managed Grafana added a new policy **AmazonGrafanaRedshiftAccess**.  | November 26, 2021  | 
|  [AmazonGrafanaAthenaAccess](#security-iam-awsmanpol-AmazonGrafanaAthenaAccess) – New policy  |  Amazon Managed Grafana added a new policy **AmazonGrafanaAthenaAccess**.  | November 22, 2021  | 
|  [AWSGrafanaAccountAdministrator](#security-iam-awsmanpol-AWSGrafanaAccountAdministrator) – Update to an existing policy  |  Amazon Managed Grafana removed permissions from **AWSGrafanaAccountAdministrator**. The `iam:CreateServiceLinkedRole` permission scoped to the `sso.amazonaws.com` service was removed, and instead we recommend that you attach the **AWSSSOMasterAccountAdministrator** policy to grant this permission to a user.   | October 13, 2021 | 
|  [AWSGrafanaWorkspacePermissionManagement](#security-iam-awsmanpol-AWSGrafanaWorkspacePermissionManagement) – Update to an existing policy  |  Amazon Managed Grafana added new permissions to **AWSGrafanaWorkspacePermissionManagement** so that users with this policy can see the authentication methods associated with workspaces. The `grafana:DescribeWorkspaceAuthentication` permission was added.   | September 21, 2021 | 
|  [AWSGrafanaConsoleReadOnlyAccess](#security-iam-awsmanpol-AWSGrafanaConsoleReadOnlyAccess) – Update to an existing policy  |  Amazon Managed Grafana added new permissions to **AWSGrafanaConsoleReadOnlyAccess** so that users with this policy can see the authentication methods associated with workspaces. The `grafana:Describe*` and `grafana:List*` permissions were added to the policy, and they replace the previous narrower permissions `grafana:DescribeWorkspace`, `grafana:ListPermissions`, and `grafana:ListWorkspaces`.  | September 21, 2021 | 
|  Amazon Managed Grafana started tracking changes  |  Amazon Managed Grafana started tracking changes for its AWS managed policies.  | September 9, 2021 | 

# Troubleshooting Amazon Managed Grafana identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Managed Grafana and IAM.

**Topics**
+ [I am not authorized to perform an action in Amazon Managed Grafana](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Amazon Managed Grafana resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Amazon Managed Grafana
<a name="security_iam_troubleshoot-no-permissions"></a>

If you receive an error that you're not authorized to perform an action, your policies must be updated to allow you to perform the action.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but doesn't have the fictional `grafana:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: grafana:GetWidget on resource: my-example-widget
```

In this case, the policy for the `mateojackson` user must be updated to allow access to the `my-example-widget` resource by using the `grafana:GetWidget` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Managed Grafana.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Managed Grafana. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my AWS account to access my Amazon Managed Grafana resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Managed Grafana supports these features, see [How Amazon Managed Grafana works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. 

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that Amazon Managed Grafana gives another service to the resource. If the `aws:SourceArn` value does not contain the account ID, such as an Amazon S3 bucket ARN, you must use both global condition context keys to limit permissions. If you use both global condition context keys and the `aws:SourceArn` value contains the account ID, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement. Use `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use.

The value of `aws:SourceArn` must be the ARN of your Amazon Managed Grafana workspace.

The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. If you don't know the full ARN of the resource or if you are specifying multiple resources, use the `aws:SourceArn` global condition context key with wildcards (`*`) for the unknown portions of the ARN. For example, `arn:aws:grafana:*:123456789012:*`.

The following example shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in Amazon Managed Grafana workspace IAM role trust policies to prevent the confused deputy problem.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "grafana.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "accountId",
          "aws:SourceArn": "arn:aws:grafana:region:accountId:/workspaces/workspaceId"
        }
      }
    }
  ]
}
```

------
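As an added check (not AWS's own tooling), the following Python script audits a trust policy for the conditions described above: every statement that lets `grafana.amazonaws.com` assume the role must carry `aws:SourceArn` and/or `aws:SourceAccount`, the two must agree on the account ID, and a wildcard ARN must sit under `ArnLike` rather than `StringEquals`, which compares literally. The account ID and workspace ID in the samples are constructed placeholders.

```python
"""Audit a role trust policy for confused-deputy protection (added example, not AWS code)."""
import json
import re

GRAFANA_SERVICE = "grafana.amazonaws.com"
# Workspace ARNs look like arn:aws:grafana:<region>:<account-id>:/workspaces/<workspace-id>
GRAFANA_ARN = re.compile(r"^arn:(?:aws|aws-[a-z-]+|\*):grafana:([^:]*):([^:]*):(.*)$")
# Only the ...Like operators treat * and ? as wildcards; StringEquals compares literally.
WILDCARD_OPERATORS = ("ArnLike", "StringLike")


def _as_list(value):
    """Most IAM policy fields accept a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _conditions(statement, key):
    """Yield (operator, value) pairs for one condition key, matched case-insensitively."""
    for operator, pairs in statement.get("Condition", {}).items():
        for cond_key, values in pairs.items():
            if cond_key.lower() == key.lower():
                for value in _as_list(values):
                    yield operator, value


def _lets_grafana_assume(statement):
    """True for an Allow statement granting sts:AssumeRole to the Grafana service principal."""
    principal = statement.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return (statement.get("Effect") == "Allow"
            and GRAFANA_SERVICE in services
            and "sts:AssumeRole" in _as_list(statement.get("Action", [])))


def audit_trust_policy(policy):
    """Return a list of findings; an empty list means every Grafana statement is scoped."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, statement in enumerate(_as_list(policy.get("Statement", []))):
        if not _lets_grafana_assume(statement):
            continue
        arns = list(_conditions(statement, "aws:SourceArn"))
        accounts = [value for _, value in _conditions(statement, "aws:SourceAccount")]
        if not arns and not accounts:
            findings.append(f"statement {idx}: no aws:SourceArn/aws:SourceAccount condition; "
                            "any Amazon Managed Grafana workspace could assume this role")
            continue
        for operator, arn in arns:
            match = GRAFANA_ARN.match(arn)
            if not match:
                findings.append(f"statement {idx}: aws:SourceArn {arn!r} is not a Grafana workspace ARN")
                continue
            account = match.group(2)
            if "*" in arn and not any(op in operator for op in WILDCARD_OPERATORS):
                findings.append(f"statement {idx}: wildcard in aws:SourceArn under {operator} "
                                "is compared literally; use ArnLike for wildcards")
            if account in ("", "*"):
                if not accounts:
                    findings.append(f"statement {idx}: aws:SourceArn carries no account ID, "
                                    "so aws:SourceAccount is required as well")
            elif accounts and account not in accounts:
                findings.append(f"statement {idx}: aws:SourceArn account {account} does not "
                                f"match aws:SourceAccount {accounts}")
    return findings


def grafana_trust_policy(condition=None):
    """Build a trust policy for the Grafana service principal, optionally with a Condition."""
    statement = {"Effect": "Allow",
                 "Principal": {"Service": GRAFANA_SERVICE},
                 "Action": "sts:AssumeRole"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


# Constructed samples: the account ID and workspace ID are placeholders, not real resources.
WORKSPACE_ARN = "arn:aws:grafana:us-east-1:123456789012:/workspaces/g-abcdef1234"
SAFE_POLICY = grafana_trust_policy({"StringEquals": {
    "aws:SourceAccount": "123456789012", "aws:SourceArn": WORKSPACE_ARN}})
UNGUARDED_POLICY = grafana_trust_policy()
MISMATCHED_POLICY = grafana_trust_policy({"StringEquals": {
    "aws:SourceAccount": "999999999999", "aws:SourceArn": WORKSPACE_ARN}})
WILDCARD_EXACT_POLICY = grafana_trust_policy({"StringEquals": {
    "aws:SourceArn": "arn:aws:grafana:*:123456789012:*"}})
WILDCARD_LIKE_POLICY = grafana_trust_policy({"ArnLike": {
    "aws:SourceArn": "arn:aws:grafana:*:123456789012:*"}})
NO_ACCOUNT_POLICY = grafana_trust_policy({"ArnLike": {"aws:SourceArn": "arn:aws:grafana:*:*:*"}})

if __name__ == "__main__":
    samples = [("safe", SAFE_POLICY), ("unguarded", UNGUARDED_POLICY),
               ("mismatched", MISMATCHED_POLICY), ("wildcard-exact", WILDCARD_EXACT_POLICY),
               ("wildcard-like", WILDCARD_LIKE_POLICY), ("no-account", NO_ACCOUNT_POLICY)]
    for name, policy in samples:
        print(f"{name}: {audit_trust_policy(policy) or 'OK'}")
```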

# Using service-linked roles for Amazon Managed Grafana
<a name="using-service-linked-roles"></a>

Amazon Managed Grafana uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon Managed Grafana. Service-linked roles are predefined by Amazon Managed Grafana and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up Amazon Managed Grafana easier because you don’t have to manually add the necessary permissions. Amazon Managed Grafana defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Managed Grafana can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting their related resources. This protects your Amazon Managed Grafana resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for Amazon Managed Grafana
<a name="slr-permissions"></a>

Amazon Managed Grafana uses the service-linked role named **AmazonManagedGrafana**. Amazon Managed Grafana uses this role to create and configure resources, such as ENIs or Secrets Manager secrets, within customer accounts. The AmazonManagedGrafana service-linked role trusts the following services to assume the role:
+ `grafana.amazonaws.com`

The AmazonManagedGrafana service-linked role is attached to the `AmazonGrafanaServiceLinkedRolePolicy` policy. For updates to this policy, see [Amazon Managed Grafana updates to AWS managed policies](security-iam-awsmanpol.md#iam-awsmanpol-updates).

The role permissions policy allows Amazon Managed Grafana to complete the following actions on the specified resources.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterface",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "AmazonGrafanaManaged"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface"
                },
                "Null": {
                    "aws:RequestTag/AmazonGrafanaManaged": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteNetworkInterface",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "ec2:ResourceTag/AmazonGrafanaManaged": "false"
                }
            }
        }
    ]
}
```

------

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for Amazon Managed Grafana
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you call CreateWorkspace with a VpcConfiguration in the AWS Management Console, the AWS CLI, or the AWS API, Amazon Managed Grafana creates the service-linked role for you. 

**Important**  
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the Amazon Managed Grafana service before November 30, 2022, when it began supporting service-linked roles, then Amazon Managed Grafana created the AmazonManagedGrafana role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you call CreateWorkspace with a VpcConfiguration, Amazon Managed Grafana creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **Grafana** use case. In the AWS CLI or the AWS API, create a service-linked role with the `grafana.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for Amazon Managed Grafana
<a name="edit-slr"></a>

Amazon Managed Grafana does not allow you to edit the AmazonManagedGrafana service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Amazon Managed Grafana
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the Amazon Managed Grafana service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete Amazon Managed Grafana resources used by the AmazonManagedGrafana role**

1. Navigate to the **All workspaces** view in your `Region` in the AWS console.

1. Delete all the workspaces in the `Region`. Select the radio button for each workspace and choose the **delete** button in the upper-right corner of the **All workspaces** view. Repeat until all the workspaces are deleted from the `Region`. For more information about deleting a workspace in Amazon Managed Grafana, see the [Deleting a workspace](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-edit-delete-workspace.html) topic in this user guide.

**Note**  
Repeat the procedure for each AWS Region where you have workspaces. You must delete all workspaces *in all Regions* before you can delete the service-linked role.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AmazonManagedGrafana service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported regions for Amazon Managed Grafana service-linked roles
<a name="slr-regions"></a>

Amazon Managed Grafana supports using service-linked roles in all of the regions where the service is available. For more information, see [AWS regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/grafana-service.html).

# Amazon Managed Grafana permissions and policies for AWS data sources
<a name="AMG-manage-permissions"></a>

Amazon Managed Grafana offers three permission modes:
+ Service-managed permissions for current account
+ Service-managed permissions for organizations
+ Customer-managed permissions

When you create a workspace, you choose which permission mode to use. You can also change this later if you want.

In either of the service-managed permission modes, Amazon Managed Grafana creates roles and policies that are needed to access and discover AWS data sources in your account or organization. You can then edit these policies in the IAM console if you choose.

## Service-managed permissions for a single account
<a name="AMG-service-managed-account"></a>

In this mode, Amazon Managed Grafana creates a role called **AmazonGrafanaServiceRole-*random-id***. Amazon Managed Grafana then attaches a policy to this role for each AWS service that you select to access from the Amazon Managed Grafana workspace.

**CloudWatch**  
Amazon Managed Grafana attaches the AWS managed policy **AmazonGrafanaCloudWatchAccess**.  
For workspaces that used CloudWatch before the **AmazonGrafanaCloudWatchAccess** managed policy was created, Amazon Managed Grafana created a customer-managed policy with the name **AmazonGrafanaCloudWatchPolicy-*random-id***.

**Amazon OpenSearch Service**  
Amazon Managed Grafana creates a customer-managed policy with the name **AmazonGrafanaOpenSearchPolicy-*random-id***. The Get/Post permissions are needed for data source access. The List/Describe permissions are used by Amazon Managed Grafana for data source discovery, but they aren’t required for the data source plugin to work. The contents of the policy are as follows:    
****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:ESHttpGet",
                "es:DescribeElasticsearchDomains",
                "es:ListDomainNames"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": [
                "arn:aws:es:*:*:domain/*/_msearch*",
                "arn:aws:es:*:*:domain/*/_opendistro/_ppl"
            ]
        }
    ]
}
```

**AWS IoT SiteWise**  
Amazon Managed Grafana attaches the AWS managed policy **AWSIoTSiteWiseReadOnlyAccess**.

**Amazon Redshift**  
Amazon Managed Grafana attaches the AWS managed policy **AmazonGrafanaRedshiftAccess**.

**Amazon Athena**  
Amazon Managed Grafana attaches the AWS managed policy **AmazonGrafanaAthenaAccess**.

**Amazon Managed Service for Prometheus**  
Amazon Managed Grafana creates a customer-managed policy with the name **AmazonGrafanaPrometheusPolicy-*random-id***. The List/Describe permissions are used by Amazon Managed Grafana for data source discovery; they aren’t required for the plugin to work. The contents of the policy are as follows:    
****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aps:ListWorkspaces",
                "aps:DescribeWorkspace",
                "aps:QueryMetrics",
                "aps:GetLabels",
                "aps:GetSeries",
                "aps:GetMetricMetadata"
            ],
            "Resource": "*"
        }
    ]
}
```

**Amazon SNS**  
Amazon Managed Grafana creates a customer-managed policy with the name **AmazonGrafanaSNSPolicy-*random-id***. The policy restricts you to only using SNS topics in your account that start with the string `grafana`. This is not necessary if you create your own policy. The contents of the policy are as follows:    
****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:*:111122223333:grafana*"
            ]
        }
    ]
}
```

**Timestream**  
Amazon Managed Grafana attaches the AWS managed policy **AmazonTimestreamReadOnlyAccess**.

**X-Ray**  
Amazon Managed Grafana attaches the AWS managed policy **AWSXrayReadOnlyAccess**.

## Service-managed permissions for an organization
<a name="AMG-service-managed-organization"></a>

This mode is supported only for workspaces created in management accounts or delegated administrator accounts in an organization. Delegated administrator accounts can create and administer stack sets for the organization. For more information about delegated administrator accounts, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html).

**Note**  
Creating resources such as Amazon Managed Grafana workspaces in the management account of an organization is against AWS security best practices.

In this mode, Amazon Managed Grafana creates all the IAM roles that are necessary to access AWS resources in other accounts in your AWS organization. In each account in the Organizational Units that you select, Amazon Managed Grafana creates a role called **AmazonGrafanaOrgMemberRole-*random-id***. This role creation is performed through an integration with AWS CloudFormation StackSets.

This role has a policy attached for each AWS data source that you select to use in the workspace. For the contents of these data policies, see [Service-managed permissions for a single account](#AMG-service-managed-account).

Amazon Managed Grafana also creates a role called **AmazonGrafanaOrgAdminRole-*random-id*** in the organization's management account. This role gives the Amazon Managed Grafana workspace permission to access other accounts in the organization. AWS service notification channel policies also get attached to this role. Use the **AWS Data Source** menu in your workspace to quickly provision data sources for each account that your workspace can access.

To use this mode, you must enable CloudFormation StackSets as a trusted service in your AWS organization. For more information, see [Enable trusted access with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html).

Here is the content of the **AmazonGrafanaStackSet-*random-id*** stack set:

```
Parameters:
  IncludePrometheusPolicy:
    Description: Whether to include Amazon Prometheus access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeAESPolicy:
    Description: Whether to include Amazon Elasticsearch access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeCloudWatchPolicy:
    Description: Whether to include CloudWatch access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeTimestreamPolicy:
    Description: Whether to include Amazon Timestream access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeXrayPolicy:
    Description: Whether to include AWS X-Ray access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeSitewisePolicy:
    Description: Whether to include AWS IoT SiteWise access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeRedshiftPolicy:
    Description: Whether to include Amazon Redshift access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  IncludeAthenaPolicy:
    Description: Whether to include Amazon Athena access in the role
    Type: String
    AllowedValues:
      - true
      - false
    Default: false
  RoleName:
    Description: Name of the role to create
    Type: String
  AdminAccountId:
    Description: Account ID of the Amazon Grafana org admin
    Type: String
Conditions:
  addPrometheus: !Equals [!Ref IncludePrometheusPolicy, true]
  addAES: !Equals [!Ref IncludeAESPolicy, true]
  addCloudWatch: !Equals [!Ref IncludeCloudWatchPolicy, true]
  addTimestream: !Equals [!Ref IncludeTimestreamPolicy, true]
  addXray: !Equals [!Ref IncludeXrayPolicy, true]
  addSitewise: !Equals [!Ref IncludeSitewisePolicy, true]
  addRedshift: !Equals [!Ref IncludeRedshiftPolicy, true]
  addAthena: !Equals [!Ref IncludeAthenaPolicy, true]

Resources:
  PrometheusPolicy:
    Type: AWS::IAM::Policy
    Condition: addPrometheus
    Properties:
      Roles: 
       - !Ref GrafanaMemberServiceRole
      PolicyName: AmazonGrafanaPrometheusPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - aps:QueryMetrics
              - aps:GetLabels
              - aps:GetSeries
              - aps:GetMetricMetadata
              - aps:ListWorkspaces
              - aps:DescribeWorkspace
            Resource: '*'

  AESPolicy:
    Type: AWS::IAM::Policy
    Condition: addAES
    Properties:
      Roles: 
       - !Ref GrafanaMemberServiceRole
      PolicyName: AmazonGrafanaElasticsearchPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowReadingESDomains
            Effect: Allow
            Action:
              - es:ESHttpGet
              - es:ESHttpPost
              - es:ListDomainNames
              - es:DescribeElasticsearchDomains
            Resource: '*'

  CloudWatchPolicy:
    Type: AWS::IAM::Policy
    Condition: addCloudWatch
    Properties:
      Roles: 
       - !Ref GrafanaMemberServiceRole
      PolicyName: AmazonGrafanaCloudWatchPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowReadingMetricsFromCloudWatch
            Effect: Allow
            Action:
              - cloudwatch:DescribeAlarmsForMetric
              - cloudwatch:DescribeAlarmHistory
              - cloudwatch:DescribeAlarms
              - cloudwatch:ListMetrics
              - cloudwatch:GetMetricStatistics
              - cloudwatch:GetMetricData
              - cloudwatch:GetInsightRuleReport
            Resource: "*"
          - Sid: AllowReadingLogsFromCloudWatch
            Effect: Allow
            Action:
              - logs:DescribeLogGroups
              - logs:GetLogGroupFields
              - logs:StartQuery
              - logs:StopQuery
              - logs:GetQueryResults
              - logs:GetLogEvents
            Resource: "*"
          - Sid: AllowReadingTagsInstancesRegionsFromEC2
            Effect: Allow
            Action:
              - ec2:DescribeTags
              - ec2:DescribeInstances
              - ec2:DescribeRegions
            Resource: "*"
          - Sid: AllowReadingResourcesForTags
            Effect: Allow
            Action:
              - tag:GetResources
            Resource: "*"
  GrafanaMemberServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AdminAccountId}:root
            Action:
              - 'sts:AssumeRole'
      Path: /service-role/
      ManagedPolicyArns:
        - !If [addTimestream, arn:aws:iam::aws:policy/AmazonTimestreamReadOnlyAccess, !Ref AWS::NoValue]
        - !If [addXray, arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess, !Ref AWS::NoValue]
        - !If [addSitewise, arn:aws:iam::aws:policy/AWSIoTSiteWiseReadOnlyAccess, !Ref AWS::NoValue]
        - !If [addRedshift, arn:aws:iam::aws:policy/service-role/AmazonGrafanaRedshiftAccess, !Ref AWS::NoValue]
        - !If [addAthena, arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess, !Ref AWS::NoValue]
```

Here is the content of **AmazonGrafanaOrgAdminPolicy-*random-id***.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "organizations:ListAccountsForParent",
            "organizations:ListOrganizationalUnitsForParent"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalOrgID": "o-organizationId"
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::*:role/service-role/AmazonGrafanaOrgMemberRole-random-Id"
    }]
}
```

------

## Customer-managed permissions
<a name="AMG-customer-managed"></a>

If you choose to use customer-managed permissions, you specify an existing IAM role in your account when you create an Amazon Managed Grafana workspace. The role must have a trust policy which trusts `grafana.amazonaws.com`.

The following is an example of such a policy:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "grafana.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

For that role to access AWS data sources or notification channels in that account, it must have the permissions in the policies listed earlier in this section. For example, to use the CloudWatch data source, it must have the permissions in the CloudWatch policy listed in [Service-managed permissions for a single account](#AMG-service-managed-account).

The `List` and `Describe` permissions in the policies for Amazon OpenSearch Service and Amazon Managed Service for Prometheus shown in [Service-managed permissions for a single account](#AMG-service-managed-account) are only needed for the data source discovery and provisioning to work correctly. They aren’t needed if you just want to set up these data sources manually.

**Cross-account access**

When a workspace is created in account 111111111111, a role in account 111111111111 must be supplied. For this example, call this role *WorkspaceRole*. To access data in account 999999999999, you must create a role in account 999999999999. Call that *DataSourceRole*. You must then establish a trust relationship between *WorkspaceRole* and *DataSourceRole*. For more information about establishing trust between two roles, see [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html).

*DataSourceRole* needs to contain the policy statements listed earlier in this section for each data source that you want to use. After the trust relationship is established, you can specify the ARN of *DataSourceRole* (arn:aws:iam::999999999999:role/DataSourceRole) in the **Assume Role ARN** field on the data source configuration page of any AWS data source in your workspace. The data source then accesses account 999999999999 with the permissions that are defined in *DataSourceRole*.
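The two halves of that trust relationship, as an added Python example rather than AWS's own code: the trust policy that goes on *DataSourceRole* in account 999999999999, the permissions statement that *WorkspaceRole* in account 111111111111 needs in order to call `sts:AssumeRole` on it, and a simplified checker that confirms both halves line up before you paste the ARN into the **Assume Role ARN** field. The account IDs and role names are the ones from the text; the checker functions are this example's own and only model Allow/Deny with wildcards, not the full IAM evaluation logic.

```python
"""Cross-account data source access: WorkspaceRole -> DataSourceRole (added example, not AWS code)."""
import fnmatch

WORKSPACE_ACCOUNT = "111111111111"  # account that owns the workspace (from the text)
DATA_ACCOUNT = "999999999999"       # account that holds the data (from the text)


def role_arn(account_id, role_name):
    """IAM role ARN: arn:aws:iam::<account-id>:role/<name>."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def data_source_trust_policy(workspace_account, workspace_role="WorkspaceRole"):
    """Trust policy for DataSourceRole: only WorkspaceRole in the workspace account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": role_arn(workspace_account, workspace_role)},
        "Action": "sts:AssumeRole"}]}


def workspace_assume_policy(data_account, data_source_role="DataSourceRole"):
    """Permissions policy for WorkspaceRole: may assume exactly DataSourceRole, nothing broader."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": role_arn(data_account, data_source_role)}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def _trusts(trust_policy, principal_arn):
    """True if the trust policy names principal_arn explicitly (account-root trust is not counted)."""
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn in aws:
            return True
    return False


def trust_chain_ok(workspace_role_arn, workspace_policy, data_source_role_arn, data_source_trust):
    """Both halves must hold: WorkspaceRole may AssumeRole DataSourceRole, and DataSourceRole trusts it."""
    return (_allows(workspace_policy, "sts:AssumeRole", data_source_role_arn)
            and _trusts(data_source_trust, workspace_role_arn))


if __name__ == "__main__":
    ws = role_arn(WORKSPACE_ACCOUNT, "WorkspaceRole")
    ds = role_arn(DATA_ACCOUNT, "DataSourceRole")
    print("Assume Role ARN for the data source page:", ds)
    print("trust chain ok:", trust_chain_ok(ws, workspace_assume_policy(DATA_ACCOUNT),
                                            ds, data_source_trust_policy(WORKSPACE_ACCOUNT)))
```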

# IAM permissions
<a name="AMG-and-IAM"></a>

Access to Amazon Managed Grafana actions and data requires credentials. Those credentials must have permissions to perform the actions and to access the AWS resources, such as retrieving Amazon Managed Grafana data about your cloud resources. The following sections provide details about how you can use AWS Identity and Access Management and Amazon Managed Grafana to help secure your resources, by controlling who can access them. For more information, see [Policies and permissions in IAM.](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)

## Amazon Managed Grafana permissions
<a name="AMG-permissions"></a>

The following table displays possible Amazon Managed Grafana actions and their required permissions:


| Action | Required permission | 
| --- | --- | 
|  Create an Amazon Managed Grafana workspace. A workspace is a logically isolated Grafana server used to create and visualize metrics, logs, and traces. |  `grafana:CreateWorkspace`  | 
|  Delete an Amazon Managed Grafana workspace.  |  `grafana:DeleteWorkspace`  | 
|  Retrieve detailed information about an Amazon Managed Grafana workspace.  |  `grafana:DescribeWorkspace`  | 
|  Retrieve the authentication configuration associated with a workspace. |  `grafana:DescribeWorkspaceAuthentication`  | 
|  Retrieve a list of permissions associated with workspace users and groups. |  `grafana:ListPermissions`  | 
|  Retrieve a list of the Amazon Managed Grafana workspaces that exist in the account. |  `grafana:ListWorkspaces`  | 
|  Update the permissions associated with workspace users and groups. |  `grafana:UpdatePermissions`  | 
|  Update Amazon Managed Grafana workspaces. |  `grafana:UpdateWorkspace`  | 
|  Update the authentication configuration associated with a workspace. |  `grafana:UpdateWorkspaceAuthentication`  | 
|  Associate a Grafana enterprise license with a workspace. |  `grafana:AssociateLicense`  | 

# Compliance Validation for Amazon Managed Grafana
<a name="AMG-compliance"></a>

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in Amazon Managed Grafana
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

In addition to the AWS global infrastructure, Amazon Managed Grafana offers several features to help support your data resiliency and backup needs.

# Infrastructure Security in Amazon Managed Grafana
<a name="infrastructure-security"></a>

As a managed service, Amazon Managed Grafana is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access Amazon Managed Grafana through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems, such as Java 7 and later, support these modes. TLS 1.3 only defines ephemeral key exchange, so any TLS 1.3 connection satisfies this requirement.
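The two client requirements above can be enforced and verified on the client side. As an added example (not from the AWS documentation), the following Python builds an outbound TLS context with a TLS 1.2 floor and only forward-secret cipher suites, plus a self-check that lists any suite the context could still negotiate without forward secrecy, so the configuration can be gated in CI or at process start. It uses only the standard-library `ssl` module; the cipher string and the `kx-*` key-exchange labels are OpenSSL conventions, and the check treats every TLS 1.3 suite as forward-secret because TLS 1.3 has no static key exchange.

```python
"""Client-side TLS policy matching the requirements above: TLS 1.2 minimum and
forward-secret (ECDHE/DHE) key exchange only. Added example, not AWS code."""
import ssl

# OpenSSL cipher string for the TLS 1.2 list: ephemeral (EC)DHE key exchange with
# AEAD ciphers only. TLS 1.3 suites are configured separately by OpenSSL and are
# always ephemeral, so they need no filtering here.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5"


def strict_client_context():
    """TLS 1.2 floor, PFS-only cipher list, certificate and hostname
    verification left on (the PROTOCOL_TLS_CLIENT default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def legacy_context():
    """The weak counterpart: a static-RSA suite (no forward secrecy) is still
    negotiable. Returns None if the local OpenSSL build refuses the suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("AES128-GCM-SHA256")  # TLS_RSA_WITH_AES_128_GCM_SHA256
    except ssl.SSLError:
        return None
    return ctx


def is_pfs_cipher(cipher):
    """`cipher` is one dict from SSLContext.get_ciphers(). Its 'kea' field is
    OpenSSL's key-exchange label ('kx-ecdhe', 'kx-dhe', 'kx-rsa', ...). TLS 1.3
    suites report 'kx-any' because the handshake is always ephemeral."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    return cipher.get("kea") in ("kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk")


def non_pfs_ciphers(ctx):
    """Names of every suite the context could negotiate without forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not is_pfs_cipher(c)]


def check_context(ctx):
    """Return (ok, problems); intended for a startup self-test or a CI gate."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum TLS version is {ctx.minimum_version.name}")
    weak = non_pfs_ciphers(ctx)
    if weak:
        problems.append("non-PFS suites enabled: " + ", ".join(weak))
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate verification disabled")
    return (not problems, problems)


if __name__ == "__main__":
    print("strict:", check_context(strict_client_context()))
    weak_ctx = legacy_context()
    if weak_ctx is not None:
        print("legacy:", check_context(weak_ctx))
```

Pass the strict context to `urllib.request.urlopen(url, context=ctx)` or `http.client.HTTPSConnection(host, context=ctx)`; `check_context` is the function to run before the process starts making calls, so a drift in the cipher policy fails loudly rather than silently downgrading.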

# Logging Amazon Managed Grafana API calls using AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

Amazon Managed Grafana is integrated with [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html), a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures all API calls for Amazon Managed Grafana as events. The calls captured include calls from the Amazon Managed Grafana console and code calls to the Amazon Managed Grafana API operations.

Amazon Managed Grafana also captures some calls that use Grafana APIs. The calls captured are those that change data, such as calls that create, update, or delete resources. For more information about Grafana APIs that are supported in Amazon Managed Grafana, see [Using Grafana HTTP APIs](Using-Grafana-APIs.md).

Using the information collected by CloudTrail, you can determine the request that was made to Amazon Managed Grafana, the IP address from which the request was made, when it was made, and additional details.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root user or user credentials.
+ Whether the request was made on behalf of an IAM Identity Center user.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

CloudTrail is active in your AWS account when you create the account and you automatically have access to the CloudTrail **Event history**. The CloudTrail **Event history** provides a viewable, searchable, downloadable, and immutable record of the past 90 days of recorded management events in an AWS Region. For more information, see [Working with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*. There are no CloudTrail charges for viewing the **Event history**.

For an ongoing record of events in your AWS account past 90 days, create a trail or a [CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) event data store.

**CloudTrail trails**  
A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. All trails created using the AWS Management Console are multi-Region. You can create a single-Region or a multi-Region trail by using the AWS CLI. Creating a multi-Region trail is recommended because you capture activity in all AWS Regions in your account. If you create a single-Region trail, you can view only the events logged in the trail's AWS Region. For more information about trails, see [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) and [Creating a trail for an organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) in the *AWS CloudTrail User Guide*.  
You can deliver one copy of your ongoing management events to your Amazon S3 bucket at no charge from CloudTrail by creating a trail; however, Amazon S3 storage charges apply. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/). For information about Amazon S3 pricing, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

**CloudTrail Lake event data stores**  
*CloudTrail Lake* lets you run SQL-based queries on your events. CloudTrail Lake converts existing events in row-based JSON format to [Apache ORC](https://orc.apache.org/) format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into *event data stores*, which are immutable collections of events based on criteria that you select by applying [advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-concepts.html#adv-event-selectors). The selectors that you apply to an event data store control which events persist and are available for you to query. For more information about CloudTrail Lake, see [Working with AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) in the *AWS CloudTrail User Guide*.  
CloudTrail Lake event data stores and queries incur costs. When you create an event data store, you choose the [pricing option](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html#cloudtrail-lake-manage-costs-pricing-option) you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

## Amazon Managed Grafana management events in CloudTrail
<a name="cloudtrail-management-events"></a>

[Management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. By default, CloudTrail logs management events.

Amazon Managed Grafana logs all Amazon Managed Grafana control plane operations as management events. For a list of the Amazon Managed Grafana control plane operations that Amazon Managed Grafana logs to CloudTrail, see the [Amazon Managed Grafana API Reference](https://docs.aws.amazon.com/grafana/latest/APIReference/Welcome.html).

## Amazon Managed Grafana event examples
<a name="cloudtrail-event-examples"></a>

An event represents a single request from any source and includes information about the requested API operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.

The following example shows a CloudTrail log entry for a CreateWorkspace action.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "ANPAJ2UCCR6DPCEXAMPLE:sdbt-example",
        "arn": "arn:aws:sts::123456789012:assumed-role/Admin/sdbt-example",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "ANPAJ2UCCR6DPCEXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/Admin",
                "accountId": "123456789012",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-11-26T20:59:21Z"
            }
        }
    },
    "eventTime": "2020-11-26T21:10:48Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "CreateWorkspace",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "205.251.233.179",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:82.0) Gecko/20100101 Firefox/82.0",
    "requestParameters": {
        "permissionType": "Service Managed",
        "workspaceNotificationDestinations": [
            "SNS"
        ],
        "workspaceDescription": "",
        "clientToken": "12345678-abcd-1234-5678-111122223333",
        "workspaceDataSources": [
            "SITEWISE",
            "XRAY",
            "CLOUDWATCH",
            "ELASTICSEARCH",
            "PROMETHEUS",
            "TIMESTREAM"
        ],
        "accountAccessType": "CURRENT_ACCOUNT",
        "workspaceName": "CloudTrailTest",
        "workspaceRoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonGrafanaServiceRole-27O5976ol"
    },
    "responseElements": {
        "Access-Control-Expose-Headers": "x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date",
        "workspace": {
            "accountAccessType": "CURRENT_ACCOUNT",
            "created": 1606425045.22,
            "dataSources": [
                "SITEWISE",
                "XRAY",
                "CLOUDWATCH",
                "ELASTICSEARCH",
                "PROMETHEUS",
                "TIMESTREAM"
            ],
            "description": "",
            "grafanaVersion": "7.3.1",
            "id": "g-a187c473d3",
            "modified": 1606425045.22,
            "name": "CloudTrailTest",
            "notificationDestinations": [
                "SNS"
            ],
            "permissionType": "Service Managed",
            "status": "CREATING",
            "workspaceRoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonGrafanaServiceRole-27O5976ol"
        }
    },
    "requestID": "12345678-5533-4e10-b486-e9c7b219f2fd",
    "eventID": "12345678-2710-4359-ad90-b902dbfb606b",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "123456789012"
}
```

The following example shows a CloudTrail log entry for an UpdateWorkspaceAuthentication action.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAU2UJBF3NRO35YZ3GV:CODETEST_Series_GrafanaApiTestHydraCanary12-o6aeXqaXS_1090259374",
        "arn": "arn:aws:sts::111122223333:assumed-role/HydraInvocationRole-4912743f1277b7c3c67cb29518f8bc413ae/CODETEST_Series_GrafanaApiTestHydraCanary12-o6aeXqaXS_1090259374",
        "accountId": "111122223333",
        "accessKeyId": "AIDACKCEVSQ6C2EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAU2UJBF3NRO35YZ3GV",
                "arn": "arn:aws:iam::111122223333:role/HydraInvocationRole-4912743f1277b7c3c67cb29518f8bc413ae",
                "accountId": "111122223333",
                "userName": "HydraInvocationRole-4912743f1277b7c3c67cb29518f8bc413ae"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-08-04T20:50:24Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2021-08-04T21:29:25Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "UpdateWorkspaceAuthentication",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "34.215.72.249",
    "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/4.14.231-180.360.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS java/11.0.11 vendor/Amazon.com_Inc. cfg/retry-mode/legacy exec-env/AWS_Lambda_java11",
    "requestParameters": {
        "authenticationProviders": [
            "AWS_SSO",
            "SAML"
        ],
        "samlConfiguration": {
            "idpMetadata": {
                "url": "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/NjMwMDg2NDc4OTA3X2lucy1jY2E2ZGU3ZDlmYjdiM2Vh"
            }
        },
        "workspaceId": "g-84ea23c1b4"
    },
    "responseElements": {
        "authentication": {
            "awsSso": {
                "ssoClientId": "gAROcWGs9-LoqCMIQ56XyEXAMPLE"
            },
            "providers": [
                "AWS_SSO",
                "SAML"
            ],
            "saml": {
                "configuration": {
                    "idpMetadata": {
                        "url": "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/NjMwMDg2NDc4OTA3X2lucy1jY2E2ZGU3ZDlmYjdiM2Vh"
                    },
                    "loginValidityDuration": 60
                },
                "status": "CONFIGURED"
            }
        }
    },
    "requestID": "96adb1de-7fa5-487e-b6c6-6b0d4495cb71",
    "eventID": "406bc825-bc52-475c-9c91-4c0d8a07c1fa",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

For information about CloudTrail record contents, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) in the *AWS CloudTrail User Guide*.

## Grafana API event examples
<a name="cloudtrail-GrafanaApi-event-examples"></a>

Amazon Managed Grafana also logs some Grafana API calls in CloudTrail. The calls captured are those that change data, such as calls that create, update, or delete resources. These records differ from the management events in the previous section: `eventType` is `AwsServiceEvent`, `userIdentity` carries only the Grafana principal (a SAML user name, or `api_key` for requests authenticated with an API key), and the Grafana-level detail is in `serviceEventDetails`: the `action`, the resource type, the request body or path parameters, the `result`, and the workspace ID in `additionalData.GiraffeWorkspaceId`. Two points matter when you write queries or alerts against these records. First, the top-level `errorCode` field holds the HTTP status code of the Grafana response even when the call succeeded (`"200"`), so use `serviceEventDetails.result.statusType` rather than the presence of `errorCode` to tell success from failure. Second, `sourceIPAddress` can contain a comma-separated list of addresses rather than a single address. Because request bodies and query parameters are recorded (for example the data source URL in an update, or the `code` and `state` parameters of a sign-in), treat the trail's S3 bucket or event data store as sensitive and restrict access to it. For more information about Grafana APIs that are supported in Amazon Managed Grafana, see [Using Grafana HTTP APIs](Using-Grafana-APIs.md).
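As an added example (not from the AWS documentation), the following Python shows how a detection pipeline can handle both record types on this page in one pass: it normalizes control-plane `AwsApiCall` records and Grafana API `AwsServiceEvent` records into a common shape, then flags a successful `UpdateWorkspaceAuthentication`, creation of an `Admin` API key, repeated failed `login-auth.sso` events from one address, and data source URL changes. The sample records are constructed from the shapes shown in the examples that follow; the severity values, the three-failure threshold, and the assumption that the first entry of a comma-separated `sourceIPAddress` is the originating client are the example's own choices.

```python
"""Triage Amazon Managed Grafana CloudTrail records for security-relevant activity.

Added example, not part of the AWS documentation. Record shapes follow the
CloudTrail examples on this page; SAMPLE_RECORDS are constructed, trimmed
copies of those shapes so the script runs offline.
"""
import json
from collections import Counter

# Control-plane operations that change who can reach a workspace, with the
# severity to assign when one succeeds (example's own choice of values).
SENSITIVE_API_CALLS = {"UpdateWorkspaceAuthentication": "high",
                       "UpdateWorkspace": "medium", "DeleteWorkspace": "high"}
SSO_FAILURE_THRESHOLD = 3


def client_ip(record):
    """sourceIPAddress may be a comma-separated chain, as in the examples on
    this page. Assumption: the first entry is the originating client."""
    return (record.get("sourceIPAddress") or "").split(",")[0].strip()


def normalize(record):
    """Flatten a control-plane (AwsApiCall) or Grafana API (AwsServiceEvent)
    record into one shape so the rules can treat them alike."""
    ident = record.get("userIdentity") or {}
    if record.get("eventType") == "AwsServiceEvent":
        d = record.get("serviceEventDetails") or {}
        req, res = d.get("request") or {}, d.get("resources") or [{}]
        return {"kind": "grafana-api", "action": d.get("action"),
                "resource": res[0].get("type"), "actor": ident.get("userName"),
                "workspace": (d.get("additionalData") or {}).get("GiraffeWorkspaceId"),
                "ok": (d.get("result") or {}).get("statusType") == "success",
                "body": json.loads(req["body"]) if req.get("body") else {},
                "ip": client_ip(record)}
    params = record.get("requestParameters") or {}
    ws = (record.get("responseElements") or {}).get("workspace") or {}
    return {"kind": "control-plane", "action": record.get("eventName"),
            "resource": "workspace", "actor": ident.get("arn") or ident.get("userName"),
            "workspace": params.get("workspaceId") or ws.get("id"),
            "ok": "errorCode" not in record,  # AwsApiCall records carry errorCode only on failure
            "body": params, "ip": client_ip(record)}


def finding(severity, ev, detail):
    return {"severity": severity, "workspace": ev["workspace"],
            "actor": ev["actor"], "ip": ev["ip"], "detail": detail}


def findings(records):
    """Apply the detection rules to an iterable of CloudTrail records."""
    out, sso_failures = [], Counter()
    for rec in records:
        ev = normalize(rec)
        if ev["kind"] == "control-plane":
            if ev["ok"] and ev["action"] in SENSITIVE_API_CALLS:
                out.append(finding(SENSITIVE_API_CALLS[ev["action"]], ev, f"{ev['action']} succeeded"))
        elif ev["action"] == "login-auth.sso" and not ev["ok"]:
            sso_failures[ev["ip"]] += 1  # brute-force / password-spray style signal
            if sso_failures[ev["ip"]] == SSO_FAILURE_THRESHOLD:
                out.append(finding("medium", ev, f"{SSO_FAILURE_THRESHOLD} failed SSO logins from {ev['ip']}"))
        elif ev["resource"] == "api-key" and ev["action"] == "create" and ev["ok"]:
            role = ev["body"].get("role")  # an Admin key is a standing credential with full rights
            out.append(finding("high" if role == "Admin" else "medium", ev, f"API key created with role {role}"))
        elif ev["resource"] == "datasource" and ev["action"] in ("create", "update") and ev["ok"]:
            out.append(finding("medium", ev, f"data source {ev['action']}: url={ev['body'].get('url')}"))
    return out


def service_event(action, rtype, user, body=None, params=None, ok=True, ip="192.0.2.0,198.51.100.1"):
    """Build a constructed AwsServiceEvent record in the shape shown on this page."""
    req = {}
    if body is not None:
        req["body"] = json.dumps(body)
    if params:
        req["params"] = params
    details = {"action": action, "request": req, "result": {"statusType": "success" if ok else "failure"},
               "additionalData": {"GiraffeCustomerAccount": "111122223333", "GiraffeWorkspaceId": "g-123EXAMPLE"}}
    if rtype:
        details["resources"] = [{"ID": 0, "type": rtype}]
    return {"eventType": "AwsServiceEvent", "eventSource": "grafana.amazonaws.com", "eventName": action,
            "sourceIPAddress": ip, "userIdentity": {"type": "Unknown", "userName": user},
            "serviceEventDetails": details}


SAMPLE_RECORDS = [  # constructed; modeled on the examples on this page
    {"eventType": "AwsApiCall", "eventSource": "grafana.amazonaws.com",
     "eventName": "UpdateWorkspaceAuthentication", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"workspaceId": "g-84ea23c1b4", "authenticationProviders": ["AWS_SSO", "SAML"]}},
    service_event("create", "api-key", "api_key", body={"name": "keyname", "role": "Admin", "secondsToLive": 60}),
    *[service_event("login-auth.sso", None, "johndoe", ok=False, ip="192.0.2.0,198.51.100.0") for _ in range(3)],
    service_event("update", "datasource", "api_key", params={":id": "108"},
                  body={"name": "amp", "type": "Amazon Managed Prometheus", "url": "http://amp.amazonaws.com"}),
    service_event("create", "annotation", "api_key", body={"dashboardId": 36, "what": "deploy"}),  # benign
]
```

`findings(SAMPLE_RECORDS)` returns four findings (the authentication change, the Admin API key, the third failed SSO login from `192.0.2.0`, and the data source update) and nothing for the annotation. In practice, feed it the `Records` array of each trail file delivered to S3, or rows returned by a CloudTrail Lake query, and route the findings to your alerting system.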

**User signs in to Amazon Managed Grafana workspace using AWS IAM Identity Center**

The following entry records a sign-in attempt that did not succeed: `result.statusType` is `failure`. Note that the `code` and `state` parameters of the sign-in request are captured in `serviceEventDetails.request.query`.

```
{
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": "SAMLUser",
                "userName": "johndoe"
            },
            "eventTime": "2021-07-09T02:31:59Z",
            "eventSource": "grafana.amazonaws.com",
            "eventName": "login-auth.sso",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "192.0.2.0,198.51.100.0",
            "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
            "requestParameters": null,
            "responseElements": null,
            "eventID": "176bf326-0302-4190-8dbf-dfdf481d8198",
            "readOnly": false,
            "eventType": "AwsServiceEvent",
            "managementEvent": true,
            "eventCategory": "Management",
            "recipientAccountId": "111122223333",
            "serviceEventDetails": {
                "timestamp": "2021-07-09T02:31:59.045984031Z",
                "user": {
                    "userId": 1,
                    "orgId": 1,
                    "name": "johndoe",
                    "isAnonymous": false
                },
                "action": "login-auth.sso",
                "requestUri": "",
                "request": {
                    "query": {
                        "code": [
                            "eyJraWQiOiJrZXktMTU2Njk2ODEyMSIsImFsZyI6IkhTMzg0In0.eyJwbGFpbnRleHQiOiJZUzEwYWtaWHpBZUowTDlQcW5ROGFmZUw2YUZMRklPWUtkX2RRMmhmUUFFIiwiZXhwIjoxNjI1Nzk4MjE4LCJ0eXBlIjoiYXV0aENvZGUifQ.F6MCLvokeXFv1zEwaSg66wdfnNh0dEnLIKBZ4c1dhfNHX_XQywkSq3aqqUg4CsB7"
                        ],
                        "state": [
                            "QUFBQURtdGxlUzB4TlRZNE9UVTFOekkyM2RUWUFUaHZHYXcyOU9ULUVaWHhNUXAwX184N25RVGVWMmd0enFpVE1iWlRPV0M0X09HaDZscjcweDZNbUE3blRjamNISk9RQ2hCUktrY093ZW52aDNWZ2R5UXVndnc4R2g0RkxsamkwMGNvektWbS1KYWRVYnZ0X3AtSU5JRzIxZjFvcWgxN19vM0lPaW9vY1FBVlhLVmEzRE5CRjQxTU1fM3VmYzNWdW53aGZ0QVdFWHBUWTNWTkxrcllKQ3I1akFOUmV1Zlh4Y3ZjQi1XOEVMa0RPUFBqM094VGgta2hHdVFxSDB4YXZKMng"
                        ]
                    }
                },
                "result": {
                    "statusType": "failure"
                },
                "ipAddress": "192.0.2.0,198.51.100.0",
                "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
                "grafanaVersion": "7.5.7",
                "additionalData": {
                    "GiraffeCustomerAccount": "111122223333",
                    "GiraffeWorkspaceId": "g-123EXAMPLE",
                    "extUserInfo": "{\"OAuthToken\":null,\"AuthModule\":\"auth.sso\",\"AuthId\":\"92670be4c1-e524608b-82f2-452d-a707-161c1e5f4706\",\"UserId\":0,\"Email\":\"\",\"Login\":\"johndoe\",\"Name\":\"johndoe\",\"Groups\":null,\"OrgRoles\":{\"1\":\"Admin\"},\"IsGrafanaAdmin\":false,\"IsDisabled\":false}"
                }
            }
        }
    ]
}
```

**Grafana API POST /api/auth/keys**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:32Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "create",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.1",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "157bbf19-6ba4-4704-bc3b-d3e334b3a2b8",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:32.419795511Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "create",
        "resources": [
            {
                "ID": 0,
                "type": "api-key"
            }
        ],
        "requestUri": "",
        "request": {
            "body": "{\"name\":\"keyname\",\"role\":\"Admin\",\"secondsToLive\":60}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.1",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API DELETE /api/auth/keys/:id**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:33Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "delete",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.2",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "df1aafb3-28c6-4836-a64b-4d34538edc51",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:33.045041594Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "delete",
        "resources": [
            {
                "ID": 0,
                "type": "api-key"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":id": "24"
            }
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.2",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API POST /api/alerts/:id/pause**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:40Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "pause",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.3",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "d533a7ba-f193-45ac-a88c-75ed0594509b",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:40.261226856Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "pause",
        "resources": [
            {
                "ID": 0,
                "type": "alert"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":alertId": "1"
            },
            "body": "{\"paused\":true}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.3",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API POST /api/alerts/test**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:39Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "test",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,10.0.42.208",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "400",
    "errorMessage": "The dashboard needs to be saved at least once before you can test an alert rule",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "7094644d-8230-4774-a092-8a128eb6dec9",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:39.622607860Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "test",
        "resources": [
            {
                "ID": 0,
                "type": "panel"
            }
        ],
        "requestUri": "",
        "request": {},
        "result": {
            "statusType": "failure",
            "statusCode": "400",
            "failureMessage": "The dashboard needs to be saved at least once before you test an alert rule"
        },
        "ipAddress": "192.0.2.0, 10.0.42.208",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API POST /api/alert-notifications**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:40Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "create",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.0",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "1ce099b3-c427-4338-9f42-d38d1ef64efe",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:40.888295790Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "create",
        "resources": [
            {
                "ID": 0,
                "type": "alert-notification"
            }
        ],
        "requestUri": "",
        "request": {
            "body": "{\"name\":\"alert notification name\",\"type\":\"Slack\"}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.0",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API PUT /api/alert-notifications/uid/:uid**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:42Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "update",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.3",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "cebfeb38-5007-495c-bd29-c8077797acac",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:42.792652648Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "update",
        "resources": [
            {
                "ID": 0,
                "type": "alert-notification"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":uid": "WvDWDSinz"
            },
            "body": "{\"name\":\"DIFFERENT alert notification name\",\"type\":\"AWS SNS\"}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.3",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API POST /api/annotations**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:45Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "create",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.1",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "13bf3bef-966c-4913-a760-ade365a4a08f",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:45.394513179Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "create",
        "resources": [
            {
                "ID": 0,
                "type": "annotation"
            }
        ],
        "requestUri": "",
        "request": {
            "body": "{\"dashboardId\":36,\"panelId\":2,\"tags\":[\"tag1\",\"tag2\"],\"what\":\"Event Name\"}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.1",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API DELETE /api/dashboards/uid/:uid**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:17:09Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "delete",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.7",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "d6ad9134-5fbc-403c-a76d-4ed9a81065b6",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:17:09.200112003Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "delete",
        "resources": [
            {
                "ID": 0,
                "type": "dashboard"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":uid": "GLzWvIi7z"
            }
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.7",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API PUT /api/datasources/:datasourceId**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:36Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "update",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,10.0.108.94",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "92877483-bdf6-44f5-803e-1ac8ad997113",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:36.918660585Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "update",
        "resources": [
            {
                "ID": 0,
                "type": "datasource"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":id": "108"
            },
            "body": "{\"access\":\"proxy\",\"basicAuth\":false,\"name\":\"test_amp_datasource_NEW_name\",\"type\":\"Amazon Managed Prometheus\",\"url\":\"http://amp.amazonaws.com\"}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,10.0.108.94",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API DELETE /api/teams/:teamId/groups/:groupId**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:17:07Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "delete",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.2",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "b41d3967-daab-44d1-994a-a437556add82",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:17:07.296142539Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "delete",
        "resources": [
            {
                "ID": 0,
                "type": "team"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":groupId": "cn=editors,ou=groups,dc=grafana,dc=org",
                ":teamId": "35"
            }
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,198.51.100.2",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API PUT /api/folders/:uid**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:16:56Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "update",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,198.51.100.1",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "412",
    "errorMessage": "the folder has been changed by someone else",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "414c98c8-aa53-45e4-940d-bea55716eaf6",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:16:56.382646826Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "update",
        "resources": [
            {
                "ID": 0,
                "type": "folder"
            }
        ],
        "requestUri": "",
        "request": {
            "params": {
                ":uid": "lnsZvSi7z"
            },
            "body": "{\"title\":\"NEW Folder Name\"}"
        },
        "result": {
            "statusType": "failure",
            "statusCode": "412",
            "failureMessage": "the folder has been changed by someone else"
        },
        "ipAddress": "192.0.2.0,198.51.100.1",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```

**Grafana API POST /api/teams**

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "userName": "api_key"
    },
    "eventTime": "2021-07-09T02:17:02Z",
    "eventSource": "grafana.amazonaws.com",
    "eventName": "create",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0,10.0.40.206",
    "userAgent": "python-requests/2.24.0",
    "errorCode": "200",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "8d40bd79-76a8-490c-b7bb-74205253b707",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "timestamp": "2021-07-09T02:17:02.845022379Z",
        "user": {
            "orgId": 1,
            "orgRole": "Admin",
            "name": "api_key",
            "apiKeyId": "23",
            "isAnonymous": false
        },
        "action": "create",
        "resources": [
            {
                "ID": 0,
                "type": "team"
            }
        ],
        "requestUri": "",
        "request": {
            "body": "{\"name\":\"TeamName\"}"
        },
        "result": {
            "statusType": "success",
            "statusCode": "200"
        },
        "ipAddress": "192.0.2.0,10.0.40.206",
        "userAgent": "python-requests/2.24.0",
        "grafanaVersion": "7.5.7",
        "additionalData": {
            "GiraffeCustomerAccount": "111122223333",
            "GiraffeWorkspaceId": "g-123EXAMPLE"
        }
    }
}
```
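The records above share one shape: the Grafana action, the resource type, the API key or user that made the call, and the outcome all sit under `serviceEventDetails`. As an added example (not part of this guide or of the service), the following Python triages such events, flagging non-read-only changes to sensitive Grafana resources that were made with an API key, and any request that failed. The sample events are trimmed copies of the records shown on this page plus one constructed non-Grafana record; `SENSITIVE_TYPES` and the finding format are my own choices, not an AWS convention.

```python
"""Triage Amazon Managed Grafana CloudTrail events (added example, not AWS code)."""
import json
from typing import Any, Dict, List

# Resource types whose non-read-only changes an operator usually wants reviewed (my choice).
SENSITIVE_TYPES = {"datasource", "team", "folder"}

# Constructed sample: trimmed copies of the events shown on this page, plus one
# non-Grafana record to show that other event sources are ignored.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "eventTime": "2021-07-09T02:16:36Z", "eventSource": "grafana.amazonaws.com",
        "eventName": "update", "sourceIPAddress": "192.0.2.0,10.0.108.94", "readOnly": False,
        "serviceEventDetails": {
            "user": {"orgRole": "Admin", "name": "api_key", "apiKeyId": "23"},
            "action": "update", "resources": [{"ID": 0, "type": "datasource"}],
            "request": {"params": {":id": "108"}},
            "result": {"statusType": "success", "statusCode": "200"},
            "additionalData": {"GiraffeWorkspaceId": "g-123EXAMPLE"},
        },
    },
    {
        "eventTime": "2021-07-09T02:16:56Z", "eventSource": "grafana.amazonaws.com",
        "eventName": "update", "sourceIPAddress": "192.0.2.0,198.51.100.1", "readOnly": False,
        "serviceEventDetails": {
            "user": {"orgRole": "Admin", "name": "api_key", "apiKeyId": "23"},
            "action": "update", "resources": [{"ID": 0, "type": "folder"}],
            "request": {"params": {":uid": "lnsZvSi7z"}},
            "result": {"statusType": "failure", "statusCode": "412",
                       "failureMessage": "the folder has been changed by someone else"},
            "additionalData": {"GiraffeWorkspaceId": "g-123EXAMPLE"},
        },
    },
    {
        "eventTime": "2021-07-09T02:17:02Z", "eventSource": "grafana.amazonaws.com",
        "eventName": "create", "sourceIPAddress": "192.0.2.0,10.0.40.206", "readOnly": False,
        "serviceEventDetails": {
            "user": {"orgRole": "Admin", "name": "api_key", "apiKeyId": "23"},
            "action": "create", "resources": [{"ID": 0, "type": "team"}],
            "request": {"body": "{\"name\":\"TeamName\"}"},
            "result": {"statusType": "success", "statusCode": "200"},
            "additionalData": {"GiraffeWorkspaceId": "g-123EXAMPLE"},
        },
    },
    {"eventTime": "2021-07-09T02:18:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True},
]


def summarize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields a reviewer wants from one grafana.amazonaws.com event."""
    details = event.get("serviceEventDetails", {})
    user = details.get("user", {})
    resources = details.get("resources") or [{}]
    return {
        "time": event.get("eventTime"),
        "workspace": details.get("additionalData", {}).get("GiraffeWorkspaceId"),
        "action": details.get("action", event.get("eventName")),
        "resource_type": resources[0].get("type"),
        # The numeric resource ID is 0 in these records; the real target is in request.params.
        "target": details.get("request", {}).get("params"),
        "api_key_id": user.get("apiKeyId"),
        "role": user.get("orgRole"),
        "status": details.get("result", {}).get("statusType"),
        # sourceIPAddress is a comma-separated list in these records; keep every entry.
        "source_ips": event.get("sourceIPAddress", "").split(","),
    }


def triage(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per Grafana event that is a sensitive write via an API key or a failure."""
    findings = []
    for event in events:
        if event.get("eventSource") != "grafana.amazonaws.com":
            continue
        summary = summarize(event)
        reasons = []
        is_write = not event.get("readOnly", True)
        if is_write and summary["api_key_id"] and summary["resource_type"] in SENSITIVE_TYPES:
            reasons.append(f"{summary['action']} on {summary['resource_type']} via API key "
                           f"{summary['api_key_id']} with role {summary['role']}")
        if summary["status"] == "failure":
            message = event["serviceEventDetails"].get("result", {}).get("failureMessage", "")
            reasons.append(f"request failed: {message}")
        if reasons:
            findings.append({**summary, "reasons": reasons})
    return findings


def triage_cloudtrail_file(path: str) -> List[Dict[str, Any]]:
    """CloudTrail log files delivered to S3 carry the events in a top-level "Records" list."""
    with open(path, encoding="utf-8") as fh:
        return triage(json.load(fh).get("Records", []))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["time"], finding["workspace"], "; ".join(finding["reasons"]))
```

Run against a downloaded CloudTrail log file with `triage_cloudtrail_file(path)`. The folder update is reported twice over: once as an API-key write and once as a 412 failure, which is the kind of pairing (a write attempt that did not land) worth a second look during review.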

# Security best practices
<a name="AMG-Security-Best-Practices"></a>

The topics in this section explain best practices for maintaining security in your Amazon Managed Grafana deployment.

## Use short-lived API keys
<a name="API-Keys-Short-Lived"></a>

To use Grafana APIs in an Amazon Managed Grafana workspace, you must first create an API key to use for authorization. When you create the key, you specify the **Time to live** for the key, which defines how long the key is valid, up to a maximum of 30 days. We strongly recommend that you set the key's time to live for a shorter time, such as a few hours or less. This creates much less risk than having API keys that are valid for a long time.

We also recommend that you treat API keys as passwords, in terms of securing them. For example, do not store them in plain text.
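As an added example (not code from this guide or from AWS), the following Python applies both recommendations programmatically: it refuses to request a key with a time to live above a local limit, creates the key with the `CreateWorkspaceApiKey` API (via the boto3 `grafana` client, whose `create_workspace_api_key` and `delete_workspace_api_key` methods take the `workspaceId`, `keyName`, `keyRole` and `secondsToLive` parameters used here), and deletes the key as soon as the work is done rather than letting it live out its TTL. The four-hour local limit, the key name, and the `FakeGrafanaClient` stand-in that lets the example run offline are my own constructions.

```python
"""Create, use, and promptly delete a short-lived Amazon Managed Grafana API key (added example)."""
import json
import urllib.request
from contextlib import contextmanager
from typing import Any, Dict, Iterator

SERVICE_MAX_TTL = 30 * 24 * 3600   # the service allows at most 30 days
LOCAL_MAX_TTL = 4 * 3600           # local policy: a few hours at most (my choice)
VALID_ROLES = ("ADMIN", "EDITOR", "VIEWER")


def key_request(workspace_id: str, key_name: str, key_role: str, seconds_to_live: int) -> Dict[str, Any]:
    """Build the arguments for grafana.create_workspace_api_key, enforcing the short TTL."""
    if key_role not in VALID_ROLES:
        raise ValueError(f"keyRole must be one of {VALID_ROLES}")
    if not 1 <= seconds_to_live <= SERVICE_MAX_TTL:
        raise ValueError("secondsToLive must be between 1 second and 30 days")
    if seconds_to_live > LOCAL_MAX_TTL:
        raise ValueError(f"TTL {seconds_to_live}s exceeds the local maximum of {LOCAL_MAX_TTL}s")
    return {"workspaceId": workspace_id, "keyName": key_name,
            "keyRole": key_role, "secondsToLive": seconds_to_live}


@contextmanager
def short_lived_api_key(client, workspace_id: str, key_name: str,
                        key_role: str = "VIEWER", seconds_to_live: int = 3600) -> Iterator[str]:
    """Yield the key value; delete the key on exit even if the caller's work raises."""
    response = client.create_workspace_api_key(
        **key_request(workspace_id, key_name, key_role, seconds_to_live))
    try:
        yield response["key"]
    finally:
        # Revoke explicitly instead of waiting for the TTL to expire.
        client.delete_workspace_api_key(keyName=key_name, workspaceId=workspace_id)


def grafana_get(workspace_url: str, api_key: str, path: str) -> Any:
    """Call the workspace's Grafana HTTP API, presenting the key as a bearer token."""
    req = urllib.request.Request(f"{workspace_url}{path}",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # never log the key or this header
        return json.load(resp)


class FakeGrafanaClient:
    """Constructed stand-in for boto3.client("grafana") so the example runs offline."""

    def __init__(self) -> None:
        self.active: Dict[str, Dict[str, Any]] = {}

    def create_workspace_api_key(self, **kwargs: Any) -> Dict[str, Any]:
        self.active[kwargs["keyName"]] = kwargs
        return {"key": "eyJ-CONSTRUCTED-KEY", "keyName": kwargs["keyName"],
                "workspaceId": kwargs["workspaceId"]}

    def delete_workspace_api_key(self, keyName: str, workspaceId: str) -> Dict[str, Any]:
        self.active.pop(keyName)
        return {"keyName": keyName, "workspaceId": workspaceId}


def demo_lifecycle(client) -> Dict[str, Any]:
    """Show that the key is revoked on exit even when the work inside the block fails."""
    seen: Dict[str, Any] = {}
    try:
        with short_lived_api_key(client, "g-123EXAMPLE", "ci-dashboard-export", "VIEWER", 900) as key:
            seen["active_during"] = list(client.active)
            seen["key_issued"] = bool(key)
            # With a real client this is where you would call, for example:
            # grafana_get("https://g-123EXAMPLE.grafana-workspace.us-west-2.amazonaws.com", key, "/api/search")
            raise RuntimeError("constructed failure inside the block")
    except RuntimeError:
        pass
    seen["active_after"] = list(client.active)
    return seen


if __name__ == "__main__":
    # Replace the fake with boto3.client("grafana", region_name="us-west-2") for a real workspace.
    print(demo_lifecycle(FakeGrafanaClient()))
```

The context manager is the point: the key exists only for the duration of the `with` block, and the `finally` clause deletes it whether the work succeeds or not, so a 15-minute TTL becomes a backstop rather than the only thing limiting the key's lifetime.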

## Migrating from self-managed Grafana
<a name="AMG-migration"></a>

This section is relevant for you if you are migrating an existing self-managed Grafana or Grafana Enterprise deployment to Amazon Managed Grafana. This applies to both on-premises Grafana and to a Grafana deployment on AWS, in your own account.

If you are running Grafana on-premises or in your own AWS account, you have likely defined users and teams, and potentially organization roles, to manage access. In Amazon Managed Grafana, users and groups are managed outside of Amazon Managed Grafana, using IAM Identity Center or directly from your identity provider (IdP) via SAML 2.0 integration. With Amazon Managed Grafana, you can assign certain permissions as necessary for carrying out a task, for example viewing dashboards. For more information about user management in Amazon Managed Grafana, see [Manage workspaces, users, and policies in Amazon Managed Grafana](AMG-manage-workspaces-users.md).

Additionally, when you run Grafana on-premises, you are likely using long-lived IAM user access keys or other secret credentials to access data sources. We strongly recommend that, when you migrate to Amazon Managed Grafana, you replace these IAM users with IAM roles. For an example, see [Manually add CloudWatch as a data source](adding--CloudWatch-manual.md).

# Interface VPC endpoints
<a name="VPC-endpoints"></a>

We provide AWS PrivateLink support between Amazon VPC and Amazon Managed Grafana. You can control access to the Amazon Managed Grafana service from the virtual private cloud (VPC) endpoints by attaching an IAM resource policy for Amazon VPC endpoints. 

Amazon Managed Grafana supports two different kinds of VPC endpoints. You can connect to the Amazon Managed Grafana service, providing access to the Amazon Managed Grafana APIs to manage workspaces. Or you can create a VPC endpoint to a specific workspace.

## Using Amazon Managed Grafana with interface VPC endpoints
<a name="Using-grafana-with-VPC-endpoints"></a>

There are two ways to use interface VPC endpoints with Amazon Managed Grafana. You can use a VPC endpoint to allow AWS resources such as Amazon EC2 instances to access the Amazon Managed Grafana API to manage resources, or you can use a VPC endpoint as part of limiting network access to your Amazon Managed Grafana workspaces.
+ If you are using Amazon VPC to host your AWS resources, you can establish a private connection between your VPC and the [Amazon Managed Grafana API](https://docs.aws.amazon.com/grafana/latest/APIReference/API_Operations.html) using the `com.amazonaws.region.grafana` service name endpoint.
+ If you are trying to use network access control to add security to your Amazon Managed Grafana workspace, you can establish a private connection between your VPC and the Grafana workspaces endpoint, using the `com.amazonaws.region.grafana-workspace` service name endpoint.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. To connect your VPC to your Amazon Managed Grafana API, you define an *interface VPC endpoint*. The endpoint provides reliable, scalable connectivity to Amazon Managed Grafana without requiring an internet gateway, a network address translation (NAT) instance, or a VPN connection. For more information, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) in the *Amazon VPC User Guide*.

*Interface VPC endpoints* are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IP addresses. For more information, see [New – AWS PrivateLink for AWS Services](https://aws.amazon.com/blogs/aws/new-aws-privatelink-endpoints-kinesis-ec2-systems-manager-and-elb-apis-in-your-vpc/).

For information about how to get started with Amazon VPC, see [Get started](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html) in the *Amazon VPC User Guide*.

## Creating a VPC endpoint to make an AWS PrivateLink connection to Amazon Managed Grafana
<a name="creating-interface-VPC-endpoints"></a>

Create an interface VPC endpoint to Amazon Managed Grafana with one of the following service name endpoints:
+ To connect to the Amazon Managed Grafana API for managing workspaces, choose `com.amazonaws.region.grafana`.
+ To connect to an Amazon Managed Grafana workspace (for example, to use the Grafana API), choose `com.amazonaws.region.grafana-workspace`.

For the details about creating an interface VPC endpoint, see [Create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) in the *Amazon VPC User Guide.* 

To call Grafana APIs through the workspace endpoint, you must also enable private DNS for your VPC endpoint, by following the instructions in the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html#enable-private-dns-names). This enables local resolution of URLs in the form `*.grafana-workspace.region.amazonaws.com`.

## Using network access control to limit access to your Grafana workspace
<a name="vpc-endpoint-with-nac"></a>

If you want to limit what IP addresses or VPC endpoints can be used to access a specific Grafana workspace, you can [configure network access control](AMG-configure-nac.md) to that workspace.

For VPC endpoints that you give access to your workspace, you can further limit their access by configuring security groups for the endpoints. To learn more, see [Associate security groups](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html#associate-security-groups) and [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) in the *Amazon VPC documentation*.

## Controlling access to your Amazon Managed Grafana API VPC endpoint with an endpoint policy
<a name="controlling-vpc"></a>

For VPC endpoints that are connected to the Amazon Managed Grafana API (using `com.amazonaws.region.grafana`), you can add a VPC endpoint policy to limit access to the service.

**Note**  
VPC endpoints connected to workspaces (using `com.amazonaws.region.grafana-workspace`) do not support VPC endpoint policies.

A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you don't attach a policy when you create an endpoint, Amazon VPC attaches a default policy for you that allows full access to the service. An endpoint policy doesn't override or replace IAM identity-based policies or service-specific policies. It's a separate policy for controlling access from the endpoint to the specified service.

Endpoint policies must be written in JSON format.

For more information, see [Control access to service with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon VPC User Guide.*

The following is an example of an endpoint policy for Amazon Managed Grafana. This policy allows principals in the specified account, connecting to Amazon Managed Grafana through the VPC endpoint, to perform only the listed workspace and permission actions on workspace resources. Because an endpoint policy allows nothing it does not list, it also prevents them from performing any other Amazon Managed Grafana action through that endpoint.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSGrafanaPermissions",
            "Effect": "Allow",
            "Action": [
                "grafana:DescribeWorkspace",
                "grafana:UpdatePermissions",
                "grafana:ListPermissions",
                "grafana:ListWorkspaces"
            ],
            "Resource": "arn:aws:grafana:*:*:/workspaces*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root"
                ]
            }
        }
    ]
}
```

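The text above notes that an endpoint created without a policy gets a default policy allowing full access to the service. As an added example (not code from this guide or from AWS), the following Python lints an endpoint policy for the wildcards that produce that outcome, refuses to attach a policy that has them, and otherwise attaches it with the EC2 `ModifyVpcEndpoint` API (the boto3 `ec2` client's `modify_vpc_endpoint`, which takes `VpcEndpointId` and a JSON `PolicyDocument` string). The restricted policy is the one shown above; the full-access policy, the finding texts, the `vpce-EXAMPLE` placeholder and the `RecordingEc2Client` stand-in that lets the example run offline are my own constructions. Remember that this applies to `com.amazonaws.region.grafana` endpoints only; workspace endpoints do not support endpoint policies.

```python
"""Lint and attach an Amazon Managed Grafana VPC endpoint policy (added example, not AWS code)."""
import json
from typing import Any, Dict, List

# Constructed: the shape of a policy that allows any principal to do anything through the endpoint,
# which is the effect of attaching no policy at all.
DEFAULT_FULL_ACCESS_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# The restricted policy shown above, as a Python dict.
RESTRICTED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSGrafanaPermissions",
        "Effect": "Allow",
        "Action": ["grafana:DescribeWorkspace", "grafana:UpdatePermissions",
                   "grafana:ListPermissions", "grafana:ListWorkspaces"],
        "Resource": "arn:aws:grafana:*:*:/workspaces*",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
    }],
}


def _as_list(value: Any) -> List[str]:
    """IAM lets Action, Resource and principal IDs be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal: Any) -> List[str]:
    """Flatten the Principal element ("*" or {"AWS": [...]}) into a list of identifiers."""
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    ids: List[str] = []
    for value in principal.values():
        ids.extend(_as_list(value))
    return ids


def endpoint_policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements that leave the endpoint open to any principal, action or resource."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement[{index}]")
        if any(action in ("*", "grafana:*") for action in _as_list(statement.get("Action"))):
            findings.append(f"{sid}: wildcard Action allows every Amazon Managed Grafana operation")
        if any(p == "*" for p in _principals(statement.get("Principal"))):
            findings.append(f"{sid}: wildcard Principal allows any AWS identity through this endpoint")
        if any(r == "*" for r in _as_list(statement.get("Resource"))):
            findings.append(f"{sid}: wildcard Resource; scope it, e.g. arn:aws:grafana:*:*:/workspaces*")
    return findings


def apply_endpoint_policy(ec2_client, vpc_endpoint_id: str, policy: Dict[str, Any]) -> List[str]:
    """Attach the policy with ec2.modify_vpc_endpoint only if the lint reports nothing."""
    problems = endpoint_policy_findings(policy)
    if problems:
        raise ValueError("refusing to attach policy: " + "; ".join(problems))
    ec2_client.modify_vpc_endpoint(VpcEndpointId=vpc_endpoint_id, PolicyDocument=json.dumps(policy))
    return problems


class RecordingEc2Client:
    """Constructed stand-in for boto3.client("ec2") that records the call instead of making it."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def modify_vpc_endpoint(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Return": True}


if __name__ == "__main__":
    for name, policy in (("full access", DEFAULT_FULL_ACCESS_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, endpoint_policy_findings(policy) or ["no findings"])
    # For a real endpoint: apply_endpoint_policy(boto3.client("ec2"), "vpce-EXAMPLE", RESTRICTED_POLICY)
    apply_endpoint_policy(RecordingEc2Client(), "vpce-EXAMPLE", RESTRICTED_POLICY)
```

The lint is deliberately narrow: it only catches the wildcards that make an endpoint policy equivalent to having none. It does not evaluate the identity-based policies of the callers, which, as the text above says, still apply independently of the endpoint policy.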
**To edit the VPC endpoint policy for Grafana**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. If you have not already created endpoints, choose **Create Endpoint**.

1. Select the `com.amazonaws.region.grafana` endpoint, and then choose the **Policy** tab.

1. Choose **Edit Policy**, and then make your changes.