AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS CloudWatch resources through authentication and authorization. An IAM role is required to launch an SBC SWe HA instance in AWS; you only need to create one role per account. For more information on IAM, refer to Using IAM.

When creating an IAM role for AWS CloudWatch, ensure it is associated with a policy that defines, at a minimum, the following permissions:

CloudWatch Permissions Statement
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
        }
    ]
}

To create a policy and associate it with a role for the SBC, perform the following procedure:

  1. Navigate to the IAM Dashboard: https://console.aws.amazon.com/iam/home
  2. Select Policies from the left panel.
    The Policies page displays.
  3. Click Create Policy.
    The Policies page displays.
  4. Click the JSON tab.
    The JSON editor panel appears.
  5. Depending on whether you are configuring an SBC SA or an SBC HA deployment, replace the policy statement with the corresponding content below:

    SBC HA Policy Statement
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:PutMetricData",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeTags",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                    "logs:DescribeLogGroups",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "ec2:AllocateAddress",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:AssociateAddress",
                    "ec2:AttachNetworkInterface",
                    "ec2:DisassociateAddress",
                    "ec2:DescribeInstances",
                    "aws-marketplace:*",
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameter"
                ],
                "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
            }
        ]
    }
    SBC SA Policy Statement
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:PutMetricData",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeTags",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                    "logs:DescribeLogGroups",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                "Resource": "*"
            }
        ]
    }
  6. Click Review Policy.
  7. Enter a name and a description for the policy, then click Create Policy.
    The Create Policy window displays.
  8. An indication that the policy was created is shown, and the Policies window returns.
    The Create Policy Successful window displays.
  9. Click Roles.
    The Roles window displays.
  10. Click Create Role.
    The Create role window appears.
  11. Select EC2 as the service that will use this role, then click Next: Permissions.
    The Attach permissions policies window appears.
  12. In the search field next to Filter Policies, type the name of the policy you just created, then select it from the list.
  13. Click Next: Tags.
    The Add tags window appears.
  14. If desired, enter a tag, then click Next: Review.
    The Create Role Review page displays.
  15. Enter a Role Name, then click Create Role.
    The Create role window reappears.
  16. Verify that the role was created by typing its name in the search area.
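The same policy and role can be created through the IAM API instead of the console. The following is an added example (not Ribbon's code or part of the original page) that assumes boto3 is installed and the caller has IAM write permissions when `create_sbc_role` is invoked; `audit_policy` is a hypothetical helper that reviews the HA policy statement from step 5 for the points an IAM reviewer checks (duplicate actions, service-wide wildcards, mutating actions on `Resource: "*"`) and needs no AWS access.

```python
import json

# Actions from the page's "SBC HA Policy Statement" (duplicate PutMetricData dropped).
SBC_HA_ACTIONS = [
    "cloudwatch:PutMetricData", "ec2:DescribeVolumes", "ec2:DescribeTags",
    "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups",
    "logs:CreateLogStream", "logs:CreateLogGroup", "ec2:AllocateAddress",
    "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface",
    "ec2:DisassociateAddress", "ec2:DescribeInstances", "aws-marketplace:*",
    "ec2:DescribeNetworkInterfaces",
]
SBC_HA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SBC_HA_ACTIONS, "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:GetParameter"],
     "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"},
]}
# Trust policy letting EC2 assume the role: the console adds it when you pick
# EC2 in step 11, the API needs it spelled out.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def audit_policy(doc):
    """Report duplicate actions, wildcard actions and mutating actions on Resource "*"."""
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if len(acts) != len(set(acts)):
            findings.append(f"statement {i}: duplicate actions")
        findings += [f"statement {i}: wildcard action {a}" for a in acts if a.endswith("*")]
        mutating = [a for a in acts if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if stmt.get("Resource") == "*" and mutating:
            findings.append(f"statement {i}: mutating actions on Resource '*'")
    return findings

def create_sbc_role(policy_name, role_name, policy_doc=SBC_HA_POLICY):
    """Steps 3 to 16 of the procedure through the IAM API (hypothetical helper)."""
    import boto3  # lazy import: audit_policy works without AWS access
    iam = boto3.client("iam")
    arn = iam.create_policy(PolicyName=policy_name,
                            PolicyDocument=json.dumps(policy_doc))["Policy"]["Arn"]
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    # The console creates an instance profile for an EC2 role silently; the API does not.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return arn
```

Running `audit_policy(SBC_HA_POLICY)` before `create_sbc_role` shows that the HA statement grants `aws-marketplace:*` and mutating EC2/CloudWatch actions on every resource, which is worth knowing when the role is later reviewed.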