Permissions required for Application Signals - Amazon CloudWatch

Permissions required for Application Signals

This section explains the permissions required to enable, manage, and operate Application Signals.

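Permissions to enable and manage Application Signals

To manage Application Signals, you must be signed in to an account that has the required permissions. To see the contents of the CloudWatchApplicationSignalsFullAccess policy, see CloudWatchApplicationSignalsFullAccess.

To enable Application Signals on Amazon EC2 or custom architectures, see Enable Application Signals on Amazon EC2. To enable and manage Application Signals on Amazon EKS using the Amazon CloudWatch Observability EKS add-on, you need the following permissions.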

Important

These permissions include iam:PassRole with Resource "*" and eks:CreateAddon with Resource "*". These are powerful permissions, and you should grant them with caution.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
      "Effect": "Allow",
      "Action": [
        "eks:AccessKubernetesApi",
        "eks:CreateAddon",
        "eks:DescribeAddon",
        "eks:DescribeAddonConfiguration",
        "eks:DescribeAddonVersions",
        "eks:DescribeCluster",
        "eks:DescribeUpdate",
        "eks:ListAddons",
        "eks:ListClusters",
        "eks:ListUpdates",
        "iam:ListRoles",
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "eks.amazonaws.com",
            "application-signals.cloudwatch.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
      "Effect": "Allow",
      "Action": [
        "eks:DeleteAddon",
        "eks:UpdateAddon"
      ],
      "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
    }
  ]
}
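One way to review a policy for the grants called out in the Important note, as an added example that is not part of the AWS documentation: the script reports every Allow statement that grants iam:PassRole or eks:CreateAddon on Resource "*", along with the condition keys that narrow it. The function names and the shortened sample policy are constructed for illustration, and the check goes slightly beyond the page by also matching wildcard actions such as iam:*.

```python
import json
from fnmatch import fnmatchcase

# Actions the page singles out as powerful when granted on Resource "*".
HIGH_RISK = {"iam:PassRole", "eks:CreateAddon"}

# Constructed sample: a shortened copy of the EKS add-on policy on this page.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
   "Effect": "Allow",
   "Action": ["eks:CreateAddon", "eks:DescribeCluster", "iam:ListRoles", "iam:PassRole"],
   "Resource": "*",
   "Condition": {"StringEquals": {"iam:PassedToService": [
       "eks.amazonaws.com", "application-signals.cloudwatch.amazonaws.com"]}}},
  {"Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
   "Effect": "Allow",
   "Action": ["eks:DeleteAddon", "eks:UpdateAddon"],
   "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"}
]}
""")


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_findings(policy):
    """Return one finding per Allow statement granting a high-risk action on "*"."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        # Action names are case-insensitive and may contain * or ? wildcards.
        granted = [a.lower() for a in as_list(stmt.get("Action"))]
        hits = sorted(r for r in HIGH_RISK
                      if any(fnmatchcase(r.lower(), g) for g in granted))
        if hits:
            # Condition keys show the reviewer what, if anything, narrows the grant.
            keys = sorted(k for op in stmt.get("Condition", {}).values() for k in op)
            findings.append({"sid": stmt.get("Sid"), "actions": hits,
                             "condition_keys": keys})
    return findings


if __name__ == "__main__":
    for finding in wildcard_findings(SAMPLE_POLICY):
        print(finding)
```

A finding with an empty condition_keys list is the case to look at first, because nothing limits the wildcard grant.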

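The Application Signals dashboard shows the AWS Service Catalog AppRegistry applications that your SLOs are associated with. To see these applications in the SLO pages, you must have the following permissions: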

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

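Operating Application Signals

Service operators who use Application Signals to monitor services and SLOs must be signed in to an account that has read-only permissions. To see the contents of the CloudWatchApplicationSignalsReadOnlyAccess policy, see CloudWatchApplicationSignalsReadOnlyAccess.

To see which AWS Service Catalog AppRegistry applications your SLOs are associated with in the Application Signals dashboard, you also need the following permissions: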

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

To check whether Application Signals has been enabled on Amazon EKS using the Amazon CloudWatch Observability EKS add-on, you need the following permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchApplicationSignalsResourceExplorerReadPermissions",
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:ListIndexes",
        "resource-explorer-2:Search"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchApplicationSignalsResourceExplorerSLRPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "resource-explorer-2.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchApplicationSignalsResourceExplorerCreateIndexPermissions",
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:CreateIndex"
      ],
      "Resource": "arn:aws:resource-explorer-2:*:*:index/*"
    }
  ]
}