Permissions

The CloudFormation stack creates an IAM role that carries the following permissions. The first list is the AWS managed policies attached to the role; the second is the individual actions granted by its inline policy:

[
  // Read data and correlate logs from CloudWatch
  "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess",
  // Lambda monitoring
  "arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess",
  // Enriching data on Step Functions
  "arn:aws:iam::aws:policy/AWSStepFunctionsReadOnlyAccess",
  // Enriching data from X-Ray
  "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
  // Showing metrics for AWS resources from CloudWatch Metrics and Events
  "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess",
  // AppSync monitoring
  "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
  "arn:aws:iam::aws:policy/AWSAppSyncAdministrator"
]
[
  // Subscribing logs directly from CloudWatch Logs to Epsagon
  "logs:PutSubscriptionFilter",
  "logs:DeleteSubscriptionFilter",
  // Enabling auto-tracing for Lambda functions through Epsagon
  "lambda:UpdateFunctionConfiguration",
  // Enriching AWS Batch jobs data
  "batch:Describe*",
  // ECS monitoring
  "ecs:Describe*",
  "ecs:List*",
  // EC2 metadata for ECS monitoring
  "ec2:Describe*",
  "ec2:Get*",
  "application-autoscaling:Describe*",
  "autoscaling:Describe*",
  "elasticloadbalancing:Describe*",
  "iam:PassRole"
]

Not everything above is read-only. Among the managed policies, CloudWatchEventsFullAccess, AWSAppSyncAdministrator and AWSAppSyncPushToCloudWatchLogs grant write access; among the inline actions, logs:PutSubscriptionFilter, logs:DeleteSubscriptionFilter and lambda:UpdateFunctionConfiguration modify resources in your account, and iam:PassRole lets the role hand other roles to AWS services, so check how its Resource element is scoped in the template. Review these grants against your own least-privilege requirements before deploying the stack.

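To see at a glance which of the grants above can change state rather than only read it, here is an added audit example written for this page (it is not Epsagon's code and not the template). It loads the inline actions and managed-policy ARNs from the lists above; the policy-document wrapper and its Resource "*" are assumptions for illustration, so verify the real scoping in the template. Actions are classified by verb prefix (Describe, List, Get and similar count as read-only), managed policies by the ReadOnly suffix in their name, and iam:PassRole is always flagged because an unscoped PassRole is a well-known privilege-escalation primitive.

```python
import json

# Inline policy actions from the list above, wrapped in the IAM policy-document
# shape a CloudFormation role would carry. The wrapper and Resource "*" are
# assumptions for illustration; the page does not show the template itself.
EPSAGON_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",  # assumed; verify the scoping in the real template
            "Action": [
                "logs:PutSubscriptionFilter",
                "logs:DeleteSubscriptionFilter",
                "lambda:UpdateFunctionConfiguration",
                "batch:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "ec2:Describe*",
                "ec2:Get*",
                "application-autoscaling:Describe*",
                "autoscaling:Describe*",
                "elasticloadbalancing:Describe*",
                "iam:PassRole",
            ],
        }
    ],
}

# Managed policy ARNs from the list above.
EPSAGON_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSStepFunctionsReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
    "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess",
    "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
    "arn:aws:iam::aws:policy/AWSAppSyncAdministrator",
]

# IAM action verbs that only read state. Anything else (Put, Delete, Update,
# Pass, a bare "*") can change the account and deserves explicit review.
READ_ONLY_VERB_PREFIXES = ("Describe", "List", "Get", "Read", "View", "Lookup", "Search")

# Flagged regardless of verb: passing a role to a service is the classic
# privilege-escalation primitive when the Resource element is not scoped.
ALWAYS_FLAG = {"iam:PassRole"}


def is_read_only_action(action: str) -> bool:
    """True if an action such as 'ecs:Describe*' can only read state."""
    _service, _, verb = action.partition(":")
    if action in ALWAYS_FLAG or verb in ("", "*"):
        return False
    return verb.startswith(READ_ONLY_VERB_PREFIXES)


def write_capable_actions(policy: dict) -> list:
    """Allow-actions in an IAM policy document that are not read-only, in document order."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        flagged.extend(a for a in actions if not is_read_only_action(a))
    return flagged


def non_read_only_managed_policies(arns: list) -> list:
    """Managed-policy ARNs whose policy name does not mark them read-only (name heuristic)."""
    return [arn for arn in arns if "ReadOnly" not in arn.rsplit("/", 1)[-1]]


def audit(policy: dict, managed_arns: list) -> dict:
    """Summary a reviewer can attach to the change request for the stack."""
    return {
        "write_capable_inline_actions": write_capable_actions(policy),
        "non_read_only_managed_policies": non_read_only_managed_policies(managed_arns),
    }


if __name__ == "__main__":
    print(json.dumps(audit(EPSAGON_INLINE_POLICY, EPSAGON_MANAGED_POLICIES), indent=2))
```

The same functions run unchanged over a deployed role: pass the PolicyDocument returned by boto3's `iam.get_role_policy(RoleName=..., PolicyName=...)` to write_capable_actions, and the PolicyArn values from `iam.list_attached_role_policies(RoleName=...)` to non_read_only_managed_policies. The verb-prefix rule is a heuristic; treat its output as a review list, not a verdict.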

Custom permissions

The permissions can be customized to fit your requirements. Contact us for more information.

The IAM role follows the AWS best practice for cross-account access: Epsagon's account assumes the role via sts:AssumeRole, and the role's trust policy requires an external ID that is unique to your account. The external ID is what stops a third party from using Epsagon as a confused deputy to reach your account through a role of the same name.

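The trust side of that arrangement, as an added example written for this page rather than taken from Epsagon's template: build_trust_policy produces the trust-policy pattern AWS documents for cross-account access with an external ID, and trust_policy_problems checks an existing trust policy for the two mistakes that undo it (trusting any principal, or trusting an external account without an sts:ExternalId condition). The account ID and external ID below are placeholders, not Epsagon's values.

```python
import copy
import json

# Placeholders: the real values are set by the stack and are not shown on this page.
TRUSTED_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "replace-with-the-external-id-unique-to-your-account"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy letting one external account assume the role, but only when
    the caller presents the agreed external ID in the AssumeRole request."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy: dict) -> list:
    """Problems in a role trust policy: statements that let an AWS account
    principal assume the role without an sts:ExternalId condition, or that
    trust every principal. Service principals (e.g. lambda.amazonaws.com) are
    skipped, because ExternalId does not apply to them."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append(f"statement {i}: trusts any principal")
            continue
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        if "*" in _as_list(principal["AWS"]):
            problems.append(f"statement {i}: trusts any AWS principal")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            problems.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return problems


def strip_external_id(policy: dict) -> dict:
    """Copy of a trust policy with every ExternalId condition removed: the
    misconfiguration trust_policy_problems is meant to catch."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened.get("Statement", []):
        stmt.get("Condition", {}).get("StringEquals", {}).pop("sts:ExternalId", None)
    return weakened


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems in hardened policy:", trust_policy_problems(policy))
    print("problems after stripping ExternalId:", trust_policy_problems(strip_external_id(policy)))
```

To check the role the stack actually created, pass `boto3.client("iam").get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` (boto3 returns it already decoded as a dict) to trust_policy_problems; an empty list means every external-account trust carries an ExternalId condition.
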
Other resources that the stack optionally creates include:

  1. EpsagonCloudTrail - Sends events to Epsagon on updates and changes in ECS, Lambda, and other resources. It consists of EpsagonCloudTrailToCloudWatchLogsRole, EpsagonTrailBucketPolicy, EpsagonLogGroup, and EpsagonTrailBucket.
  2. EpsagonReporter - Automatically notifies Epsagon when stack creation completes. It is not a real AWS resource; its only purpose is that notification.
