IAM Policy Code to Use

Create a Sysdig-specific Identity and Access Management (IAM) policy to be used for granting programmatic access to Sysdig. Copy the code snippet and paste it into this policy. This enables Sysdig to collect metadata and CloudWatch metrics from the services.

CloudWatch Metric Streams

Sysdig requires additional permissions to collect metadata and display the correct status for the Amazon Web Services (AWS) CloudWatch Metric Stream integration. If you are setting up CloudWatch Metric Streams manually, and prefer to authenticate with the access keys, use the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketTagging",
                "s3:GetObject",
                "s3:GetObjectAttributes",
                "cloudwatch:GetMetricStream",
                "cloudwatch:ListMetricStreams",
                "cloudwatch:ListTagsForResource",
                "firehose:DescribeDeliveryStream"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

CloudWatch API

Creating a Sysdig-specific IAM policy enables Sysdig to collect metadata and CloudWatch metrics from the following services, as applicable to your environment:

  • DynamoDB

  • EC2 hosts

  • ECS

  • ElastiCache

  • RDS

  • SQS

If you want to use your own AWS Simple Storage Service (S3) bucket to store Sysdig capture files, you can append those code snippets to this IAM Policy as well. See Storage: Configure AWS Capture File Storage (Optional) for details.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "dynamodb:ListTables",
                "dynamodb:Describe*",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:DescribeCacheClusters",
                "elasticache:ListTagsForResource",
                "elasticloadbalancing:Describe*",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "sqs:ReceiveMessage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

See Change the AWS Services that are Polled for more detail.
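As an added example that is not part of Sysdig's documentation or tooling, the following Python script audits policies in the single-statement shape shown on this page: it flags any action whose verb does not start with Describe, Get or List so the operator can confirm it is wanted, reports service-wide wildcards and non-Allow statements, and merges the two policies above into one statement without entries already covered by a wildcard. The action lists are copied from this page; the function names and the read-only verb convention are assumptions of the example.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the two policy documents on this page (sample input).
METRIC_STREAM_ACTIONS = [
    "s3:ListBucket", "s3:GetBucketTagging", "s3:GetObject", "s3:GetObjectAttributes",
    "cloudwatch:GetMetricStream", "cloudwatch:ListMetricStreams",
    "cloudwatch:ListTagsForResource", "firehose:DescribeDeliveryStream",
]
CLOUDWATCH_API_ACTIONS = [
    "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
    "dynamodb:ListTables", "dynamodb:Describe*", "ec2:Describe*", "ecs:Describe*", "ecs:List*",
    "elasticache:DescribeCacheClusters", "elasticache:ListTagsForResource",
    "elasticloadbalancing:Describe*", "rds:Describe*", "rds:ListTagsForResource",
    "sqs:ListQueues", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
]

# Verb prefixes treated as read-only by this example (an assumption, not an AWS definition).
READ_ONLY_VERBS = ("Describe", "Get", "List")

def policy(actions):
    """Wrap an action list in the single-statement policy shape used on this page."""
    return {"Version": "2012-10-17",
            "Statement": [{"Action": list(actions), "Effect": "Allow", "Resource": "*"}]}

def audit(policy_doc):
    """Classify each action as read-only or needing review; collect risky findings."""
    result = {"read_only": [], "review": [], "findings": []}
    for stmt in policy_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            result["findings"].append(f"non-Allow effect: {stmt.get('Effect')}")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                result["findings"].append(f"service-wide wildcard: {action}")
                continue
            verb = action.split(":", 1)[1]
            bucket = "read_only" if verb.startswith(READ_ONLY_VERBS) else "review"
            result[bucket].append(action)
    return result

def merge(*policy_docs):
    """Merge policies into one statement, dropping duplicates and actions that a
    wildcard pattern in the merged set already covers (e.g. cloudwatch:Get*)."""
    actions = sorted({a for doc in policy_docs for s in doc["Statement"] for a in s["Action"]})
    patterns = [a for a in actions if "*" in a]
    kept = [a for a in actions if "*" in a or not any(fnmatchcase(a, p) for p in patterns)]
    return policy(kept)

if __name__ == "__main__":
    print(json.dumps(audit(policy(CLOUDWATCH_API_ACTIONS)), indent=2))
    print(json.dumps(merge(policy(METRIC_STREAM_ACTIONS), policy(CLOUDWATCH_API_ACTIONS)), indent=4))
```

On the page's CloudWatch API policy the only action placed in the review bucket is sqs:ReceiveMessage, because its verb is not a Describe/Get/List prefix; the merge collapses the three explicit cloudwatch actions from the Metric Streams policy into the cloudwatch:Get* and cloudwatch:List* patterns.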