IAM Policy Code to Use

Create a Sysdig-specific IAM policy to be used for granting programmatic access to Sysdig. Copy the code snippet and paste it into this policy. It enables Sysdig to collect metadata and CloudWatch metrics from the services.

CloudWatch Metric Streams

Sysdig requires additional permissions to collect metadata from the AWS CloudWatch Metric Stream integration and to display its correct status. If you are setting up CloudWatch Metric Streams manually and prefer to authenticate with access keys, use the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketTagging",
                "s3:GetObject",
                "s3:GetObjectAttributes",
                "cloudwatch:GetMetricStream",
                "cloudwatch:ListMetricStreams",
                "cloudwatch:ListTagsForResource",
                "firehose:DescribeDeliveryStream"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

CloudWatch API

Creating a Sysdig-specific IAM policy enables Sysdig to collect metadata and CloudWatch metrics from the following services, as applicable to your environment:

  • DynamoDB

  • EC2 hosts

  • ECS

  • ElastiCache

  • RDS

  • SQS

If you want to use your own AWS S3 bucket to store Sysdig capture files, you can append those code snippets to this IAM Policy as well. See Storage: Configure AWS Capture File Storage (Optional) for details.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "dynamodb:ListTables",
                "dynamodb:Describe*",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:DescribeCacheClusters",
                "elasticache:ListTagsForResource",
                "elasticloadbalancing:Describe*",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "sqs:ReceiveMessage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

See Changing the AWS Services that are Polled for more detail.
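Before attaching either of the policies above, a practitioner usually wants to confirm exactly what they grant: which services they touch, whether every action is a metadata read (Describe/Get/List), and whether any statement uses the wildcard resource. The following Python script is an added example, not Sysdig's code; it embeds the CloudWatch API policy from this page as its sample input and classifies actions by verb prefix, a heuristic assumed for this example rather than an IAM concept. The same functions can be run over the Metric Streams policy by pasting it in place of the embedded document.

```python
import fnmatch
import json

# Constructed sample input: the CloudWatch API policy shown on this page,
# embedded so the audit runs offline.
CLOUDWATCH_API_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "dynamodb:ListTables",
                "dynamodb:Describe*",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:DescribeCacheClusters",
                "elasticache:ListTagsForResource",
                "elasticloadbalancing:Describe*",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "sqs:ReceiveMessage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
"""

# Verb prefixes treated as metadata-only reads. Any other verb is flagged for
# review. This classification is an assumption of this example.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy_json):
    """Every action pattern granted by the policy's Allow statements."""
    policy = json.loads(policy_json)
    actions = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def services_covered(policy_json):
    """Sorted service prefixes (the part before ':') the policy touches."""
    return sorted({a.split(":", 1)[0] for a in allowed_actions(policy_json)})


def action_is_granted(policy_json, action):
    """True if a concrete action (e.g. 'ec2:DescribeInstances') matches any
    granted pattern. IAM matches action names case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in allowed_actions(policy_json))


def audit_policy(policy_json):
    """Summarise what a reviewer checks before attaching the policy."""
    policy = json.loads(policy_json)
    needs_review = []
    wildcard_resource_statements = 0
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            wildcard_resource_statements += 1
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[1] if ":" in action else action
            if not verb.startswith(READ_ONLY_PREFIXES):
                needs_review.append(action)
    return {
        "action_count": len(allowed_actions(policy_json)),
        "services": services_covered(policy_json),
        "needs_review": needs_review,
        "wildcard_resource_statements": wildcard_resource_statements,
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(CLOUDWATCH_API_POLICY), indent=2))
```

Run against the page's policy, the audit reports seventeen action patterns across nine services (the page's list names six; `autoscaling` and `elasticloadbalancing` are the additional ones), one statement with `"Resource": "*"`, and a single non-metadata action, `sqs:ReceiveMessage`, which returns queue message bodies rather than queue attributes. Both findings are expected for this integration, but they are the two points a reviewer should consciously accept: the policy is scoped to every resource in the account, and the SQS grant reads data, not only metadata.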