Managed and custom policy

Policies and Permissions

Whether you provide access by creating an IAM user or through a cross-account IAM role, you must grant Site24x7 permissions. These permissions determine which AWS resources can be accessed.

Site24x7 requires ReadOnly permissions on your AWS services and resources. You can assign the AWS-managed ReadOnly policy, assign our custom policy, or create your own.

Default ReadOnly Access Policy (recommended)

To ensure there are no monitoring blind spots, and to make use of Site24x7's full scope of monitoring capabilities, we highly recommend assigning the default ReadOnly policy document to the IAM user or role you created. This policy provides full read-only access to all popular AWS services.

  • Currently the read-only permissions required to monitor Kinesis Video Streams usage are not present in the managed policy "ReadOnlyAccess". To monitor it, either apply the managed policy "AmazonKinesisVideoStreamsReadOnlyAccess" along with the "ReadOnlyAccess" policy, or construct a new policy from scratch in the visual editor.
  • The read-only permissions required to monitor Route 53 Resolver are not present in the managed policy "ReadOnlyAccess". To monitor it, construct a new policy from scratch in the visual editor or create a role with the necessary permissions.

These predefined policies are maintained and updated by AWS itself, so when we add monitoring support for a new AWS service, you won't need to update the permissions in the policy document.

Use Site24x7's custom policy (JSON)

Create your own custom IAM policy (Visual editor)

If your organization doesn't permit you to assign the default ReadOnly policy, or if you prefer more precise control over the permissions you grant, you can create your own policy using the point-and-click visual editor in the IAM console. The supported AWS services and the individual actions required for each service are listed below.

The table below lists, for each supported AWS service, the read-level actions first and then, after a blank line, any partial write-level actions (a blank entry means no write-level action is needed).

AWS service / Read-level actions / Partial write-level actions
CloudWatch

"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"

 
DynamoDB

"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:DescribeLimits",
"lambda:ListEventSourceMappings"

 
EC2

"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:GetConsoleOutput",
"ec2:DescribeImages",
"ec2:DescribeVolumeStatus",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVolumes",
"ec2:DescribeAccountAttributes",
"ec2:DescribeElasticGpus",
"ec2:DescribeInstanceStatus",
"ec2:DescribeVpcs",
"ec2:DescribeFlowLogs",
"ec2:DescribeNatGateways",
"ec2:DescribeSubnets",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkAcls",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeAutoScalingGroups"

"ec2:RebootInstances",
"ec2:UnmonitorInstances",
"ec2:MonitorInstances",
"ec2:StopInstances",
"ec2:StartInstances"

Elastic Beanstalk

"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeAccountAttributes",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:ListTagsForResource",
"cloudformation:ListStackResources",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAccountLimits",
"autoscaling:DescribeLaunchConfigurations",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket"

"elasticbeanstalk:RestartAppServer"
ELB

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups"

 
Gateway Load Balancer

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations"

 
RDS

"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:DescribeDBLogFiles",
"rds:DescribeAccountAttributes",
"rds:DescribeDBClusters",
"rds:DescribeEvents"

"rds:StartDBInstance",
"rds:RebootDBInstance",
"rds:StopDBInstance",
"rds:StartDBCluster",
"rds:StopDBCluster",
"rds:FailoverDBCluster"

S3

"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:ListAllMyBuckets",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:GetBucketLogging",
"s3:ListBucket"

 
SNS

"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:GetSMSAttributes"

"sns:Publish"
Lambda

"lambda:ListFunctions",
"lambda:ListTags",
"lambda:GetFunctionConfiguration",
"lambda:GetAccountSettings",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"lambda:GetPolicy"

"lambda:InvokeFunction"
Lambda logs

"logs:Describe*",
"logs:Get*"

 
ElastiCache

"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:ListTagsForResource",
"elasticache:DescribeServiceUpdates",
"elasticache:DescribeReplicationGroups"

"elasticache:RebootCacheCluster"
Simple Queue Service (SQS)

"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:GetQueueAttributes"

"sqs:SendMessage"
Amazon CloudFront

"cloudfront:GetDistribution",
"cloudfront:ListPublicKeys",
"cloudfront:ListTagsForResource",
"cloudfront:ListInvalidations",
"cloudfront:ListDistributions",
"cloudfront:GetDistributionConfig"

 
Amazon Kinesis Data Streams

"kinesis:DescribeStreamSummary",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesis:DescribeStream"

"kinesis:PutRecord"
Amazon Kinesis Video Streams

"kinesisvideo:ListStreams",
"kinesisvideo:ListTagsForStream",
"kinesisvideo:DescribeStream"

 
Amazon Kinesis Firehose

"firehose:ListDeliveryStreams",
"firehose:ListTagsForDeliveryStream",
"firehose:DescribeDeliveryStream"

 
Amazon Kinesis Data Analytics

"kinesisanalytics:ListApplications",
"kinesisanalytics:ListTagsForResource",
"kinesisanalytics:DescribeApplication"

"kinesisanalytics:StopApplication",
"kinesisanalytics:StartApplication"
Route 53

Route 53 Health Check:
"route53:ListTagsForResources",
"route53:GetHealthCheckStatus",
"route53:ListHealthChecks",
"route53:GetHealthCheck",
"route53:ListGeoLocations",
"route53:ListTagsForResource"

Route 53 Hosted Zone & Record Set Check:
"route53:ListTagsForResources",
"route53:GetHealthCheckLastFailureReason",
"route53:GetHealthCheckStatus",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListGeoLocations",
"route53:GetTrafficPolicyInstance",
"route53:GetTrafficPolicy",
"route53:ListTagsForResource",
"route53:ListQueryLoggingConfigs",
"route53domains:ListDomains",
"route53domains:GetDomainDetail",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

Route 53 Resolver:
"route53resolver:ListResolverEndpointIpAddresses",
"route53resolver:ListResolverRules",
"route53resolver:GetResolverRule",
"route53resolver:ListResolverRuleAssociations",
"route53resolver:ListResolverEndpoints"

 
Direct Connect

"directconnect:DescribeConnections",
"directconnect:DescribeTags",
"directconnect:DescribeVirtualGateways",
"directconnect:DescribeVirtualInterfaces"

 
VPC-Virtual Private Network (VPN) connection

"ec2:DescribeVpnConnections",
"ec2:DescribeAddresses"

 
API Gateway

"apigateway:GET"

"apigateway:POST"
Amazon Elastic Container Service (ECS)

"ecs:ListServices",
"ecs:ListAccountSettings",
"ecs:ListTagsForResource",
"ecs:DescribeServices",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:DescribeClusters",
"ecs:ListClusters",
"ecs:ListTasks",
"ecs:DescribeTasks"

 
Amazon Redshift

"redshift:DescribeClusters",
"redshift:DescribeClusterParameters",
"redshift:DescribeLoggingStatus",
"redshift:DescribeEvents",
"redshift:DescribeAccountAttributes"

"redshift:RebootCluster"
Elastic File System (EFS)

"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups"

 
Simple Email Service (SES)

"ses:DescribeConfigurationSet",
"ses:DescribeReceiptRuleSet",
"ses:GetSendQuota",
"ses:GetIdentityPolicies",
"ses:GetIdentityNotificationAttributes",
"ses:GetIdentityMailFromDomainAttributes",
"ses:GetTemplate",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetAccountSendingEnabled",
"ses:ListIdentityPolicies",
"ses:ListIdentities",
"ses:ListConfigurationSets",
"ses:ListReceiptRuleSets",
"ses:ListReceiptFilters",
"ses:ListTemplates"

"ses:SendEmail",
"ses:SendTemplatedEmail"

Step Functions

"states:ListStateMachines",
"states:DescribeStateMachine",
"states:ListActivities",
"states:DescribeExecution",
"states:ListExecutions",
"states:GetExecutionHistory",
"states:ListTagsForResource"

"states:StartExecution"
Web Application Firewall (WAF)

"waf-regional:ListWebACLs",
"waf-regional:ListRules",
"waf-regional:GetWebACL",
"waf-regional:ListTagsForResource",
"waf-regional:GetGeoMatchSet",
"waf-regional:GetIPSet",
"waf-regional:GetXssMatchSet",
"waf-regional:GetByteMatchSet",
"waf-regional:GetRegexMatchSet",
"waf-regional:GetSqlInjectionMatchSet",
"waf-regional:GetSizeConstraintSet",
"waf-regional:ListActivatedRulesInRuleGroup",
"waf:ListRules",
"waf:GetWebACL",
"waf:ListTagsForResource",
"waf:ListWebACLs",
"waf:GetByteMatchSet",
"waf:GetIPSet",
"waf:GetXssMatchSet",
"waf:GetRegexMatchSet",
"waf:GetSizeConstraintSet",
"waf:ListActivatedRulesInRuleGroup",
"wafv2:ListLoggingConfigurations",
"wafv2:GetWebACL",
"wafv2:ListTagsForResource",
"wafv2:ListWebACLs",
"wafv2:GetIPSet",
"wafv2:GetRegexPatternSet",
"wafv2:GetRuleGroup",
"waf-regional:ListResourcesForWebACL",
"cloudfront:ListDistributionsByWebACLId"

 
Key Management Service (KMS)

"kms:DescribeCustomKeyStores",
"kms:DescribeKey",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListResourceTags",
"kms:ListKeys",
"kms:GetKeyPolicy",
"kms:ListGrants",
"kms:ListKeyPolicies"

 
CloudSearch

"cloudsearch:DescribeDomains",
"cloudsearch:DescribeIndexFields",
"cloudsearch:DescribeAvailabilityOptions",
"cloudsearch:DescribeScalingParameters",
"cloudsearch:DescribeAnalysisSchemes",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:DescribeExpressions",
"cloudsearch:DescribeSuggesters"

 
Elasticsearch

"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"es:ListTags",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"es:DescribePackages"

 
Elastic MapReduce

"elasticmapreduce:ListSecurityConfigurations",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceFleets",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListInstances"

"elasticmapreduce:AddJobFlowSteps"
WorkSpaces

"workspaces:DescribeTags",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspacesConnectionStatus",
"workspaces:DescribeIpGroups",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceImages"

"workspaces:StartWorkspaces",
"workspaces:RebootWorkspaces",
"workspaces:RebuildWorkspaces",
"workspaces:StopWorkspaces"
Certificate Manager (ACM)

"acm:ListCertificates",
"acm:ListTagsForCertificate",
"acm:DescribeCertificate",
"acm:GetCertificate"

 
Lightsail Instance

"lightsail:GetInstances",
"lightsail:GetInstance",
"lightsail:GetActiveNames",
"lightsail:GetOperationsForResource",
"lightsail:GetInstanceMetricData"

"lightsail:StartInstance",
"lightsail:StopInstance",
"lightsail:RebootInstance"
Lightsail Database

"lightsail:GetRelationalDatabases",
"lightsail:GetRelationalDatabase",
"lightsail:GetRelationalDatabaseEvents",
"lightsail:GetRelationalDatabaseLogEvents",
"lightsail:GetRelationalDatabaseLogStreams",
"lightsail:GetOperationsForResource",
"lightsail:GetRelationalDatabaseMetricData"

"lightsail:StartRelationalDatabase",
"lightsail:StopRelationalDatabase",
"lightsail:RebootRelationalDatabase"
Lightsail Load Balancer

"lightsail:GetLoadBalancers",
"lightsail:GetLoadBalancer",
"lightsail:GetLoadBalancerTlsCertificates",
"lightsail:GetOperationsForResource",
"lightsail:GetLoadBalancerMetricData"

"lightsail:StartRelationalDatabase",
"lightsail:StopRelationalDatabase",
"lightsail:RebootRelationalDatabase"
Elastic Kubernetes Service (EKS)

"eks:DescribeCluster",
"eks:ListClusters",
"cloudwatch:ListMetrics"

 
Storage Gateway

"storagegateway:DescribeGatewayInformation",
"storagegateway:ListGateways",
"storagegateway:ListTagsForResource",
"storagegateway:ListTapes",
"storagegateway:ListFileShares",
"storagegateway:ListVolumes",
"storagegateway:DescribeAvailabilityMonitorTest",
"storagegateway:DescribeBandwidthRateLimit",
"storagegateway:DescribeCache",
"storagegateway:DescribeCachediSCSIVolumes",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:DescribeStorediSCSIVolumes",
"storagegateway:DescribeTapeArchives",
"storagegateway:DescribeTapes",
"storagegateway:DescribeUploadBuffer",
"storagegateway:ListLocalDisks",
"storagegateway:DescribeVTLDevices",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

 
Amazon MQ

"mq:DescribeBroker",
"mq:DescribeConfiguration",
"mq:DescribeConfigurationRevision",
"mq:DescribeUser",
"mq:ListTags",
"mq:ListBrokers",
"mq:DescribeBrokerEngineTypes",
"cloudwatch:ListMetrics",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

"mq:RebootBroker"
Transit Gateway

"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeAddresses"

"ec2:SearchTransitGatewayRoutes",
"ec2:SearchTransitGatewayMulticastGroups"
Data Migration Service (DMS)

"dms:DescribeAccountAttributes",
"dms:DescribeReplicationInstances",
"dms:DescribeReplicationTasks",
"dms:DescribeTableStatistics",
"dms:DescribeCertificates",
"dms:DescribeConnections",
"dms:DescribeEndpoints",
"dms:ListTagsForResource",
"dms:DescribeEvents",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

"dms:StartReplicationTask",
"dms:StopReplicationTask"
Amazon FSx

"fsx:ListTagsForResource",
"fsx:DescribeBackups",
"fsx:DescribeDataRepositoryTasks",
"fsx:DescribeFileSystems"

"fsx:CreateDataRepositoryTask",
"fsx:CreateBackup"
GuardDuty

"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:GetFindings"

 
Lambda@Edge

"lambda:GetAccountSettings",
"lambda:GetFunctionConfiguration",
"lambda:ListTags",
"cloudfront:ListPublicKeys",
"cloudfront:ListDistributions"

"lambda:InvokeFunction"
DocumentDB

"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:ListTagsForResource",
"rds:DescribeCertificates",
"rds:DescribeEvents",
"rds:DescribeGlobalClusters",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

 
Amazon Secure File Transfer Protocol (SFTP)

"transfer:DescribeUser",
"transfer:DescribeServer",
"transfer:ListUsers",
"transfer:ListServers",
"transfer:ListTagsForResource",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"

 
AWS Systems Manager

"ssm:ListCommands",
"ssm:DescribeInstanceInformation",
"ssm:ListCommandInvocations"

 
Service Quotas

"servicequotas:GetRequestedServiceQuotaChange",
"servicequotas:ListRequestedServiceQuotaChangeHistory",
"servicequotas:ListServiceQuotas"

"servicequotas:RequestServiceQuotaIncrease"

Amazon AppStream 2.0

"appstream:DescribeFleets",
"appstream:ListAssociatedStacks",
"appstream:DescribeImages",
"appstream:DescribeUserStackAssociations",
"appstream:DescribeUsers",
"appstream:DescribeSessions",
"appstream:DescribeApplicationFleetAssociations",
"appstream:DescribeApplications",
"appstream:ListTagsForResource"

"appstream:StopFleet",
"appstream:StartFleet"

AWS AppSync

"appsync:GetGraphqlApi",
"appsync:GetApiCache",
"appsync:GetSchemaCreationStatus",
"appsync:ListTagsForResource",
"appsync:ListDataSources",
"appsync:ListTypes",
"appsync:ListResolvers",
"appsync:GetFunction",
"appsync:ListGraphqlApis",
"appsync:GetType",
"appsync:describeLogStreams",
"appsync:getLogEvents",
"appsync:getLogStreams",
"appsync:ListApiKeys"

 
AWS Health

"health:DescribeAffectedEntities",
"health:DescribeEventAggregates",
"health:DescribeEventDetails",
"health:DescribeEvents"

 
AWS Backup

"backup:ListCopyJobs",
"backup:ListTags",
"backup:ListBackupJobs",
"backup:ListProtectedResources",
"backup:DescribeGlobalSettings",
"backup-gateway:ListHypervisors",
"backup:DescribeRegionSettings",
"backup:ListRestoreJobs",
"backup:ListBackupVaults",
"backup:DescribeBackupVault",
"backup:ListBackupPlans",
"backup-gateway:ListGateways",
"backup-gateway:ListVirtualMachines",
"backup:ListRecoveryPointsByBackupVault",
"backup:GetBackupPlan",
"backup:ListBackupSelections"

 
Amazon EBS volume

"ec2:DescribeVolumes"

"ec2:DescribeVolumes",
"ec2:DescribeSnapshots"

AWS Batch

"batch:DescribeJobDefinitions",
"batch:DescribeJobQueues",
"batch:DescribeJobs",
"batch:ListJobs"

"batch:TerminateJob",
"batch:CancelJob"

Amazon EBS snapshot

"ec2:DescribeVolumes",
"ec2:DescribeSnapshots"

 
AWS Secrets Manager

"secretsmanager:DescribeSecret",
"secretsmanager:ListSecrets",
"secretsmanager:GetResourcePolicy"

"secretsmanager:RotateSecret"
AWS Elastic IP

"ec2:DescribeAddresses",
"ec2:DescribeAddressesResult",
"ec2:GetAddresses"

 

Follow the steps below to create a new policy using the visual editor:

  • Log in to the AWS IAM console, choose Policies and click Create new policy.
  • Select the Visual editor tab.
  • In the Select a service field, type CloudWatch in the search box and choose CloudWatch from the list.
  • In the Access level groups section, select Read, expand the section and select the actions listed for that service in the table above.
  • Repeat the same process for the other supported services. Once you are done, click Review policy.

Custom policy for ReadOnly actions

You can also use our custom policy document to provide access to your AWS resources. Paste the policy JSON below into the JSON editor, review it, give it an appropriate name and description, and click Create policy.

Once done, attach the policy to the Site24x7 IAM user or role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "sqs:Get*",
                "sqs:List*",
                "autoscaling:Describe*",
                "elasticloadbalancing:Describe*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "s3:Get*",
                "s3:List*",
                "rds:Describe*",
                "rds:List*",
                "kinesisanalytics:Describe*",
                "kinesisanalytics:Get*",
                "kinesisanalytics:List*",
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*",
                "kinesisvideo:Get*",
                "kinesisvideo:List*",
                "kinesisvideo:Describe*",
                "firehose:Describe*",
                "firehose:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "directconnect:Describe*",
                "apigateway:GET",
                "ecs:DescribeServices",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeClusters",
                "ecs:List*",
                "redshift:Describe*",
                "elasticfilesystem:Describe*",
                "ses:Get*",
                "ses:List*",
                "ses:Describe*",
                "lambda:List*",
                "lambda:Get*",
                "logs:Describe*",
                "logs:Get*",
                "route53domains:Get*",
                "route53domains:List*",
                "route53:Get*",
                "route53:List*",
                "route53resolver:Get*",
                "route53resolver:List*",
                "states:List*",
                "states:Describe*",
                "states:GetExecutionHistory",
                "sns:Get*",
                "sns:List*",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "waf:Get*",
                "waf:List*",
                "waf-regional:List*",
                "waf-regional:Get*",
                "cloudsearch:Describe*",
                "cloudsearch:List*",
                "es:Describe*",
                "es:List*",
                "es:Get*",
                "workspaces:Describe*",
                "ds:Describe*",
                "elasticmapreduce:List*",
                "elasticmapreduce:Describe*",
                "acm:GetCertificate",
                "acm:Describe*",
                "acm:List*",
                "lightsail:Get*",
                "eks:Describe*",
                "eks:List*",
                "mq:Describe*",
                "mq:List*",
                "ec2:Get*",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:SearchTransitGatewayMulticastGroups",
                "storagegateway:List*",
                "storagegateway:Describe*",
                "guardduty:GetFindings",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "dms:Describe*",
                "dms:List*",
                "dms:TestConnection",
                "fsx:Describe*",
                "fsx:ListTagsForResource",
                "inspector:List*",
                "inspector:Describe*",
                "transfer:Describe*",
                "transfer:List*",
                "ssm:ListCommands",
                "ssm:DescribeInstanceInformation",
                "ssm:ListCommandInvocations",
                "appstream:Describe*",
                "appstream:List*",
                "appsync:List*",
                "appsync:Get*",
                "health:Describe*",
                "backup:ListCopyJobs",
                "backup:ListTags",
                "backup:ListBackupJobs",
                "backup:ListProtectedResources",
                "backup:DescribeGlobalSettings",
                "backup-gateway:ListHypervisors",
                "backup:DescribeRegionSettings",
                "backup:ListRestoreJobs",
                "backup:ListBackupVaults",
                "backup:DescribeBackupVault",
                "backup:ListBackupPlans",
                "backup-gateway:ListGateways",
                "backup-gateway:ListVirtualMachines",
                "backup:ListRecoveryPointsByBackupVault",
                "backup:GetBackupPlan",
                "backup:ListBackupSelections",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "batch:DescribeJobDefinitions",
                "batch:DescribeJobQueues",
                "batch:DescribeJobs",
                "batch:ListJobs",
                "batch:TerminateJob",
                "batch:CancelJob",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetResourcePolicy",
                "wafv2:ListLoggingConfigurations",
                "wafv2:GetWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:ListWebACLs",
                "wafv2:GetIPSet",
                "wafv2:GetRegexPatternSet",
                "wafv2:GetRuleGroup",
                "ssm:DescribeActivations",
                "batch:DescribeComputeEnvironments",
                "servicequotas:GetRequestedServiceQuotaChange",
                "servicequotas:ListRequestedServiceQuotaChangeHistory",
                "servicequotas:ListServiceQuotas"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

This policy was last updated on August 17, 2023.

The policy is created and maintained by the Site24x7 team and provides ReadOnly access to all AWS services with monitoring support. The policy is subject to change when new AWS integrations are added, so make sure you are using the latest version. Note that a few entries in the list above (batch:TerminateJob, batch:CancelJob and dms:TestConnection) are not read-level actions; remove them before applying the policy if you want strictly read-only access.

Custom policy for partial write-level actions

Create a new custom IAM policy with the JSON below to let Site24x7 perform actions in response to alert events.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "sns:Publish",
                "ec2:StartInstances",
                "kinesisanalytics:StopApplication",
                "kinesisanalytics:StartApplication",
                "kinesis:PutRecord",
                "rds:RebootDBInstance",
                "elasticache:RebootCacheCluster",
                "lambda:InvokeFunction",
                "redshift:RebootCluster",
                "ses:SendEmail",
                "apigateway:POST",
                "elasticbeanstalk:RestartAppServer",
                "sqs:SendMessage",
                "rds:StopDBInstance",
                "ec2:StopInstances",
                "rds:StartDBInstance",
                "states:StartExecution",
                "elasticmapreduce:addJobFlowSteps",
                "workspaces:StartWorkspaces",
                "workspaces:RebootWorkspaces",
                "workspaces:RebuildWorkspaces",
                "workspaces:StopWorkspaces",
                "lightsail:StartRelationalDatabase",
                "lightsail:StopRelationalDatabase",
                "lightsail:RebootRelationalDatabase",
                "lightsail:StartInstance",
                "lightsail:StopInstance",
                "lightsail:RebootInstance",
                "mq:RebootBroker",
                "dms:StartReplicationTask",
                "dms:StopReplicationTask",
                "fsx:CreateDataRepositoryTask",
                "fsx:CreateBackup",
                "transfer:StartServer",
                "transfer:StopServer",
                "servicequotas:RequestServiceQuotaIncrease",
                "appstream:StopFleet",
                "appstream:StartFleet",
                "batch:TerminateJob",
                "batch:CancelJob",
                "secretsmanager:RotateSecret"
            ],
            "Resource": "*"
        }
    ]
}

The above policy JSON contains partial write-level permissions. Site24x7 uses them for automations such as stopping, starting or rebooting EC2 and RDS instances, rebooting ElastiCache clusters, invoking Lambda functions, starting or stopping Kinesis Data Analytics applications, publishing a message to an SNS topic or SQS queue, and more. If you don't want Site24x7 to perform certain actions, edit the JSON and remove those permissions.
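As an added example (not code from Site24x7 or this page), the following Python audits a policy document of the shape shown in the two JSON sections above before it is attached: it checks which read-level actions from the per-service table a policy covers, honouring IAM's case-insensitive wildcard matching, flags explicit entries whose verb is not Describe/Get/List, and strips chosen actions the way the text suggests editing the write-level JSON. The sample policy and the required-action subset are constructed for the example.

```python
import fnmatch
import json

# Constructed sample policy in the shape of the documents above, trimmed to a few
# services; the two Batch actions that are not read-level are left in on purpose.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Get*", "cloudwatch:List*",
        "ec2:Describe*",
        "rds:Describe*", "rds:List*",
        "batch:DescribeJobs", "batch:ListJobs",
        "batch:TerminateJob", "batch:CancelJob"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed subset of the read-level actions from the per-service table.
REQUIRED_READ_ACTIONS = [
    "cloudwatch:GetMetricData",
    "cloudwatch:ListMetrics",
    "ec2:DescribeInstances",
    "rds:DescribeDBInstances",
    "kinesisvideo:ListStreams",  # deliberately not covered by the sample policy
]

# Verbs treated as read-level by this check (API Gateway's "GET" also starts with "get").
READ_VERBS = ("describe", "get", "list")


def _as_list(value):
    """Action and Resource may be a string or a list in IAM; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Action patterns from Allow statements whose Resource covers everything ("*")."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def policy_allows(policy, action):
    """IAM matches action names case-insensitively, with * and ? as wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower())
               for p in allowed_action_patterns(policy))


def missing_required(policy, required):
    """Required read-level actions that no Allow statement in the policy covers."""
    return [a for a in required if not policy_allows(policy, a)]


def non_read_actions(policy):
    """Explicit entries whose verb is not Describe/Get/List, i.e. not read-level."""
    return [p for p in allowed_action_patterns(policy)
            if not p.partition(":")[2].lower().startswith(READ_VERBS)]


def without_actions(policy, to_remove):
    """Copy of the policy with the named actions dropped from every statement."""
    drop = {a.lower() for a in to_remove}
    trimmed = json.loads(json.dumps(policy))  # cheap deep copy
    for stmt in _as_list(trimmed["Statement"]):
        stmt["Action"] = [a for a in _as_list(stmt.get("Action", []))
                          if a.lower() not in drop]
    return trimmed


if __name__ == "__main__":
    print("missing:", missing_required(SAMPLE_POLICY, REQUIRED_READ_ACTIONS))
    print("not read-level:", non_read_actions(SAMPLE_POLICY))
```

To audit the full documents on this page, load them with json.load in place of SAMPLE_POLICY and paste the table's action lists into REQUIRED_READ_ACTIONS.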
