    IAM Policy Code to Use

    Best Practice: Create a Sysdig-specific IAM policy to be used for granting programmatic access to Sysdig. Copy/paste the code snippet below into this policy. It enables Sysdig to collect metadata and CloudWatch metrics from the following services, as applicable to your environment:

    • DynamoDB

    • EC2 hosts

    • ECS

    • ElastiCache

    • RDS

    • SQS

    If you want to use your own AWS S3 bucket to store Sysdig capture files, you can append those code snippets to this IAM Policy as well. See Storage: Configure AWS Capture File Storage (Optional) for details.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "autoscaling:Describe*",
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "dynamodb:ListTables",
                    "dynamodb:Describe*",
                    "ec2:Describe*",
                    "ecs:Describe*",
                    "ecs:List*",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:ListTagsForResource",
                    "elasticloadbalancing:Describe*",
                    "rds:Describe*",
                    "rds:ListTagsForResource",
                    "sqs:ListQueues",
                    "sqs:GetQueueAttributes",
                    "sqs:ReceiveMessage"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    

    See Changing the AWS Services that are Polled for more detail.
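
    A check to run on the policy document before attaching it, and again after appending other statements such as the S3 capture storage ones. This is an added Python example, not Sysdig's code: it flags any allowed action that falls outside the services in the policy's Action list or does not start with Describe, Get or List. The names EXPECTED_SERVICES, READ_PREFIXES and review_policy, and the prefix heuristic itself, are assumptions of this example.

```python
# Added example: review an IAM policy document before attaching it.
EXPECTED_SERVICES = {  # services named in the page's Action list
    "autoscaling", "cloudwatch", "dynamodb", "ec2", "ecs",
    "elasticache", "elasticloadbalancing", "rds", "sqs",
}
READ_PREFIXES = ("describe", "get", "list")  # heuristic chosen for this example

SYSDIG_POLICY = {  # the policy from this page, embedded so the check runs offline
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*",
            "cloudwatch:List*", "dynamodb:ListTables", "dynamodb:Describe*",
            "ec2:Describe*", "ecs:Describe*", "ecs:List*",
            "elasticache:DescribeCacheClusters", "elasticache:ListTagsForResource",
            "elasticloadbalancing:Describe*", "rds:Describe*",
            "rds:ListTagsForResource", "sqs:ListQueues",
            "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
        ],
    }],
}

def as_list(value):
    """IAM accepts either a single item or a list for these fields."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def review_policy(policy):
    """Return sorted (action, reason) findings across all Allow statements."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.add(("NotAction", "Allow + NotAction permits every unlisted action"))
        scope = "all resources" if "*" in as_list(stmt.get("Resource", [])) else "listed resources"
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if service.lower() not in EXPECTED_SERVICES:
                findings.add((action, "service outside the documented set"))
            if not verb.lower().startswith(READ_PREFIXES):
                findings.add((action, f"not Describe/Get/List, allowed on {scope}"))
    return sorted(findings)

if __name__ == "__main__":
    for action, reason in review_policy(SYSDIG_POLICY):
        print(f"{action}: {reason}")
```

    Run against the policy as published, the only finding is sqs:ReceiveMessage on Resource "*"; that action returns message bodies rather than queue metadata.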