The following permissions are attached to the IAM role created by the CloudFormation stack. First, the AWS managed policies:

```
[
  // Read data and correlate logs from CloudWatch
  "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess",
  // Lambda monitoring
  "arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess",
  // Enriching data on Step Functions
  "arn:aws:iam::aws:policy/AWSStepFunctionsReadOnlyAccess",
  // Enriching data from X-Ray
  "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
  // Showing metrics for AWS resources from CloudWatch Metrics and Events
  "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess",
  // AppSync monitoring
  "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
  "arn:aws:iam::aws:policy/AWSAppSyncAdministrator"
]
```

Second, the inline policy actions:

```
[
  // Subscribing logs directly from CloudWatch Logs to Epsagon
  "logs:PutSubscriptionFilter",
  "logs:DeleteSubscriptionFilter",
  // Enabling auto-tracing for Lambda functions through Epsagon
  "lambda:UpdateFunctionConfiguration",
  // Enriching AWS Batch jobs data
  "batch:Describe*",
  // ECS monitoring
  "ecs:Describe*",
  "ecs:List*",
  // EC2 metadata for ECS monitoring
  "ec2:Describe*",
  "ec2:Get*",
  "application-autoscaling:Describe*",
  "autoscaling:Describe*",
  "elasticloadbalancing:Describe*",
  "iam:PassRole"
]
```
Note that not every entry is read-only: CloudWatchEventsFullAccess and AWSAppSyncAdministrator are write-capable managed policies, lambda:UpdateFunctionConfiguration and the two logs:*SubscriptionFilter actions let the role modify your functions and log groups, and iam:PassRole lets it hand other IAM roles to AWS services. Review these against the features you intend to use. If you need a narrower set, we can customize the permissions to fit your needs; contact us for more information.
The IAM role follows the AWS best practice for cross-account access: its trust policy allows the Epsagon account to assume it only when the AssumeRole call presents an external ID that is unique to your account, which prevents a third party from tricking Epsagon into assuming your role (the confused-deputy problem).
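To verify that the deployed role actually enforces this pattern, the following check parses a role's trust policy and reports any AssumeRole grant that is not restricted to the trusted account or is missing the sts:ExternalId condition. This is an added example, not Epsagon's own code or part of the stack; the account ID, external ID and the two policy documents are constructed placeholders, not values from this page.

```python
"""Check that an IAM role trust policy enforces the cross-account external-ID pattern.

Added example, not the vendor's code. All identifiers below are constructed
placeholders (assumptions), not values taken from the integration page.
"""
import json

# Assumptions: the vendor's AWS account that assumes the role, and the
# per-customer external ID the trust policy is expected to require.
TRUSTED_ACCOUNT_ID = "111111111111"
EXPECTED_EXTERNAL_ID = "3f1c9a7e-example-external-id"


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS principals of a statement as strings ('*' for a wildcard)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        if principal.get("AWS") == "*":
            return ["*"]
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _is_trusted_account(principal, account_id):
    """Accept a bare account ID or any ARN in that account (e.g. ...:root)."""
    return principal == account_id or principal.startswith(f"arn:aws:iam::{account_id}:")


def trust_policy_findings(policy_doc, trusted_account_id, expected_external_id):
    """Return findings for every Allow sts:AssumeRole statement; [] means all good."""
    findings = []
    assume_statements = 0
    for idx, st in enumerate(_as_list(policy_doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        assume_statements += 1

        # 1. The principal must be the trusted account, never a wildcard.
        for principal in _aws_principals(st.get("Principal")):
            if principal == "*":
                findings.append(f"statement {idx}: wildcard principal")
            elif not _is_trusted_account(principal, trusted_account_id):
                findings.append(f"statement {idx}: untrusted principal {principal}")

        # 2. The grant must be conditioned on the expected external ID.
        # Operator names and condition keys are case-insensitive in IAM.
        conditions = {op.lower(): {k.lower(): v for k, v in block.items()}
                      for op, block in st.get("Condition", {}).items()}
        external_ids = _as_list(conditions.get("stringequals", {}).get("sts:externalid"))
        if not external_ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif external_ids != [expected_external_id]:
            findings.append(f"statement {idx}: sts:ExternalId does not match the expected value")

    if assume_statements == 0:
        findings.append("no Allow sts:AssumeRole statement found")
    return findings


# Constructed sample: a correctly scoped cross-account trust policy.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed sample: same principal but no external ID (confused-deputy exposure).
MISSING_EXTERNAL_ID_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("missing-external-id", MISSING_EXTERNAL_ID_POLICY)):
        print(name, json.dumps(trust_policy_findings(doc, TRUSTED_ACCOUNT_ID, EXPECTED_EXTERNAL_ID)))
```

To run it against a deployed role, feed it the document returned by `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` (parsed with `json.loads`) together with the account ID and external ID you expect; any non-empty result means the trust relationship is looser than the pattern described above.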
Other resources that are optionally created include:
- EpsagonCloudTrail - Sends events to Epsagon on updates and changes in ECS, Lambda, and other resources. It is deployed together with its supporting resources: EpsagonCloudTrailToCloudWatchLogsRole, EpsagonTrailBucketPolicy, EpsagonLogGroup, and EpsagonTrailBucket.
- EpsagonReporter - Automatically sends a notification to Epsagon when stack creation completes. It does not correspond to a real AWS resource; it exists only to send that notification.