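Permissions required for Application Signals
This section explains the permissions required to enable, manage, and operate Application Signals.
Permissions to enable and manage Application Signals
To manage Application Signals, you must be signed in with the necessary permissions. To see the contents of the CloudWatchApplicationSignalsFullAccess policy, see CloudWatchApplicationSignalsFullAccess.
To enable Application Signals on Amazon EC2 or on a custom architecture, see Enable Application Signals on Amazon EC2. To enable and manage Application Signals on Amazon EKS using the Amazon CloudWatch Observability EKS add-on, you need the following permissions.
These permissions include iam:PassRole with Resource "*" and eks:CreateAddon with Resource "*". These are powerful permissions, and you should use caution when granting them.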
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:CreateAddon",
                "eks:DescribeAddon",
                "eks:DescribeAddonConfiguration",
                "eks:DescribeAddonVersions",
                "eks:DescribeCluster",
                "eks:DescribeUpdate",
                "eks:ListAddons",
                "eks:ListClusters",
                "eks:ListUpdates",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "eks.amazonaws.com",
                        "application-signals.cloudwatch.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DeleteAddon",
                "eks:UpdateAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        }
    ]
}
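One way to review a policy for the two grants called out above before attaching it. This is an added example, not AWS code: the names audit, passed_to_services and as_list are hypothetical, and SAMPLE_POLICY is a constructed, trimmed copy of the policy on this page.

```python
import json
from fnmatch import fnmatchcase

# The two actions this page singles out as powerful when granted on Resource "*".
SENSITIVE = ("eks:CreateAddon", "iam:PassRole")

# Constructed sample: trimmed copy of the add-on management policy shown above.
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow",
   "Action": ["eks:CreateAddon", "eks:DescribeAddon", "iam:ListRoles", "iam:PassRole"],
   "Resource": "*",
   "Condition": {"StringEquals": {"iam:PassedToService":
       ["eks.amazonaws.com", "application-signals.cloudwatch.amazonaws.com"]}}},
  {"Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
   "Effect": "Allow", "Action": ["eks:DeleteAddon", "eks:UpdateAddon"],
   "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"}]}"""

def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def passed_to_services(statement):
    """Services pinned by an iam:PassedToService StringEquals condition, if any."""
    services = []
    for operator, keys in statement.get("Condition", {}).items():
        if "StringEquals" in operator:
            for key, value in keys.items():
                if key.lower() == "iam:passedtoservice":
                    services += as_list(value)
    return services

def audit(policy_text):
    """Return one finding per sensitive action that is allowed on Resource "*"."""
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or "*" not in as_list(st.get("Resource")):
            continue
        patterns = [a.lower() for a in as_list(st.get("Action"))]
        for action in SENSITIVE:
            # Wildcard grants such as "iam:*" also cover the sensitive action.
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                pinned = passed_to_services(st) if action == "iam:PassRole" else None
                findings.append({"sid": st.get("Sid"), "action": action, "passed_to": pinned})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```

An empty passed_to list on an iam:PassRole finding means the grant is not limited to named services, which is the case to narrow before use.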
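The Application Signals dashboard shows the AWS Service Catalog AppRegistry applications that your SLOs are associated with. To see these applications in the SLO pages, you must have the following permissions: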
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}
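Operating Application Signals
Service operators who use Application Signals to monitor services and SLOs must be signed in to an account with read-only permissions. To see the contents of the CloudWatchApplicationSignalsReadOnlyAccess policy, see CloudWatchApplicationSignalsReadOnlyAccess.
To see which AWS Service Catalog AppRegistry applications your SLOs are associated with in the Application Signals dashboard, you must have the following permissions: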
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}
To check whether Application Signals on Amazon EKS using the Amazon CloudWatch Observability EKS add-on is enabled, you need the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsEksReadPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:ListAddons",
                "eks:ListClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksDescribeAddonReadPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DescribeAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        }
    ]
}