Create a Sysdig-specific IAM policy to grant Sysdig programmatic access to your AWS account. Copy the relevant policy document below and paste it into the policy. It allows Sysdig to collect metadata and CloudWatch metrics from the listed services.
CloudWatch Metric Streams
Sysdig needs additional permissions to collect metadata from, and display the correct status for, the AWS CloudWatch Metric Streams integration. If you are setting up CloudWatch Metric Streams manually and prefer to authenticate using access keys, use the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetObject",
"s3:GetObjectAttributes",
"cloudwatch:GetMetricStream",
"cloudwatch:ListMetricStreams",
"cloudwatch:ListTagsForResource",
"firehose:DescribeDeliveryStream"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
CloudWatch API
Creating a Sysdig-specific IAM policy with the document below lets Sysdig collect metadata and CloudWatch metrics from the following services, as applicable to your environment:
DynamoDB
EC2 hosts
ECS
ElastiCache
RDS
SQS
If you want to use your own Amazon S3 bucket to store Sysdig capture files, append the statements from that procedure to this IAM policy as well. See Storage: Configure AWS Capture File Storage (Optional) for details.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"dynamodb:ListTables",
"dynamodb:Describe*",
"ec2:Describe*",
"ecs:Describe*",
"ecs:List*",
"elasticache:DescribeCacheClusters",
"elasticache:ListTagsForResource",
"elasticloadbalancing:Describe*",
"rds:Describe*",
"rds:ListTagsForResource",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
See Changing the AWS Services that are Polled for more detail.
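The two policy documents above are usually combined into a single IAM policy, and because they both grant access on Resource "*", it is worth checking what that policy actually allows before attaching it. The following script is an added example, not Sysdig's code or a Sysdig tool: it embeds both policy documents from this page, merges their Allow statements into one document with deduplicated actions, and audits the result the way a reviewer would, flagging full-wildcard actions (such as "s3:*"), Allow actions that are not read-only (anything not beginning with Describe, Get or List), and statements scoped to Resource "*". The function and variable names are this example's own. Run against the page's policies, the only non-read-only action it reports is sqs:ReceiveMessage, which reads queue message bodies rather than metadata and is therefore a data-plane grant a reviewer should accept consciously; the Resource "*" finding is expected here, since many of the Describe and List actions involved do not support resource-level restrictions.

```python
import json

# The CloudWatch API policy document from this page (embedded so the script runs offline).
CLOUDWATCH_API_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*",
            "cloudwatch:List*", "dynamodb:ListTables", "dynamodb:Describe*",
            "ec2:Describe*", "ecs:Describe*", "ecs:List*",
            "elasticache:DescribeCacheClusters", "elasticache:ListTagsForResource",
            "elasticloadbalancing:Describe*", "rds:Describe*", "rds:ListTagsForResource",
            "sqs:ListQueues", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# The CloudWatch Metric Streams policy document from this page.
METRIC_STREAMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "s3:ListBucket", "s3:GetBucketTagging", "s3:GetObject", "s3:GetObjectAttributes",
            "cloudwatch:GetMetricStream", "cloudwatch:ListMetricStreams",
            "cloudwatch:ListTagsForResource", "firehose:DescribeDeliveryStream",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# IAM action names starting with these verbs only read metadata or metrics.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def merge_policies(*policies):
    """Combine several policy documents into one.

    Statements with the same Effect and Resource are folded together and their
    actions deduplicated, so the two page policies become a single statement."""
    buckets = {}
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            key = (stmt["Effect"], json.dumps(stmt["Resource"], sort_keys=True))
            actions = buckets.setdefault(key, [])
            for action in _as_list(stmt["Action"]):
                if action not in actions:
                    actions.append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": effect, "Action": sorted(actions), "Resource": json.loads(resource)}
            for (effect, resource), actions in buckets.items()
        ],
    }


def audit_policy(policy):
    """Return the findings a reviewer wants before attaching the policy:
    full-wildcard actions, Allow actions that are not read-only, and the
    number of Allow statements scoped to Resource '*'."""
    findings = {"wildcard_actions": [], "non_read_only": [], "wildcard_resource_statements": 0}
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "*" in _as_list(stmt["Resource"]):
            findings["wildcard_resource_statements"] += 1
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings["wildcard_actions"].append(action)
                continue
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                findings["non_read_only"].append(action)
    return findings


def render_policy_document(policy):
    """Serialise a policy the way the AWS console or CLI expects it."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    merged = merge_policies(CLOUDWATCH_API_POLICY, METRIC_STREAMS_POLICY)
    print(render_policy_document(merged))
    print(audit_policy(merged))
```

Saving the rendered document to a file lets you create the policy from the CLI with aws iam create-policy --policy-name <name> --policy-document file://policy.json, and running audit_policy again after appending the capture-file storage statements shows exactly which write actions (s3:PutObject and the like) that addition introduces.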