Default managed policy and custom policies

Policies and permissions

Whether you give Site24x7 access by creating an IAM user or by using a cross-account IAM role, you must grant Site24x7 permissions. Those permissions decide which AWS resources it can access.

Site24x7 needs read-only permissions to access your AWS services and resources. You have three options: attach the default read-only managed policy, attach the Site24x7 custom policy, or create your own policy.

Default read-only access policy (recommended)

To avoid blind spots in performance visibility and to use Site24x7's full monitoring capability, we recommend attaching the default read-only policy document (the AWS managed policy ReadOnlyAccess) to the IAM user or role you created. It grants read-only permissions to all commonly used AWS services.

  • The read actions needed to monitor Kinesis Video Streams usage are currently not part of the ReadOnlyAccess managed policy. To monitor them, attach the AmazonKinesisVideoStreamsReadOnlyAccess managed policy alongside ReadOnlyAccess, or build a new policy in the visual editor.
  • The read-only permissions needed to monitor Route 53 Resolver are not part of the ReadOnlyAccess managed policy either. To monitor it, build a new policy in the visual editor or create a new role that carries the required permissions.

These predefined policies are maintained and updated by AWS itself, so when Site24x7 adds support for a new AWS service you do not have to update the permissions in the policy document yourself. Keep in mind that ReadOnlyAccess is broad: it includes actions that return data rather than metadata (for example s3:GetObject). If that is more access than you want to delegate, use the Site24x7 custom policy or your own policy described below.


Create your own IAM policy (visual editor)

If you cannot adopt the default read-only policy, or you need finer control over permissions, you can create your own policy in the IAM visual editor. The supported AWS services and the actions each one requires are listed below.

Each entry gives the AWS service, the read-level actions Site24x7 needs to monitor it, and any write-level actions that are required only for optional features such as IT automation. Actions are listed in the quoted, comma-separated form used in a policy document.

CloudWatch
  Read-level actions:
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics"
  Write-level actions (some features only): none

DynamoDB
  Read-level actions:
    "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource",
    "dynamodb:ListBackups",
    "dynamodb:ListTables",
    "dynamodb:DescribeLimits",
    "lambda:ListEventSourceMappings"
  Write-level actions (some features only): none

EC2
  Read-level actions:
    "ec2:DescribeAddresses",
    "ec2:DescribeInstances",
    "ec2:DescribeSnapshotAttribute",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeSnapshots",
    "ec2:DescribeInstanceCreditSpecifications",
    "ec2:GetConsoleOutput",
    "ec2:DescribeImages",
    "ec2:DescribeVolumeStatus",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVolumes",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeElasticGpus",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeVpcs",
    "ec2:DescribeFlowLogs",
    "ec2:DescribeNatGateways",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeRouteTables",
    "ec2:DescribeNetworkAcls",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeAutoScalingGroups"
  Also listed for EC2: CloudWatchAgentAdminPolicy and CloudWatchAgentServerPolicy. These are AWS managed policies for the CloudWatch agent, not IAM actions, and are attached as policies rather than added to an action list.
  Write-level actions (some features only):
    "ec2:RebootInstances",
    "ec2:UnmonitorInstances",
    "ec2:MonitorInstances",
    "ec2:StopInstances",
    "ec2:StartInstances"

Elastic Beanstalk
  Read-level actions:
    "elasticbeanstalk:DescribeEnvironmentResources",
    "elasticbeanstalk:DescribeAccountAttributes",
    "elasticbeanstalk:DescribeEnvironments",
    "elasticbeanstalk:DescribeEvents",
    "elasticbeanstalk:DescribeInstancesHealth",
    "elasticbeanstalk:DescribeEnvironmentHealth",
    "elasticbeanstalk:DescribeConfigurationSettings",
    "elasticbeanstalk:ListTagsForResource",
    "cloudformation:ListStackResources",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAccountLimits",
    "autoscaling:DescribeLaunchConfigurations",
    "s3:ListAllMyBuckets",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:ListBucket"
  Write-level actions (some features only):
    "elasticbeanstalk:RestartAppServer"

ELB
  Read-level actions:
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeAccountLimits",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups"
  Write-level actions (some features only): none

Gateway Load Balancer
  Read-level actions:
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeAccountLimits",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServiceConfigurations"
  Write-level actions (some features only): none

RDS
  Read-level actions:
    "rds:ListTagsForResource",
    "rds:DescribeDBInstances",
    "rds:DescribeDBLogFiles",
    "rds:DescribeAccountAttributes",
    "rds:DescribeDBClusters",
    "rds:DescribeEvents"
  Write-level actions (some features only):
    "rds:StartDBInstance",
    "rds:RebootDBInstance",
    "rds:StopDBInstance",
    "rds:StartDBCluster",
    "rds:StopDBCluster",
    "rds:FailoverDBCluster"

S3
  Read-level actions:
    "s3:GetObjectAcl",
    "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetBucketTagging",
    "s3:ListAllMyBuckets",
    "s3:GetBucketVersioning",
    "s3:GetBucketAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:GetReplicationConfiguration",
    "s3:GetBucketLogging",
    "s3:ListBucket"
  Write-level actions (some features only): none

SNS
  Read-level actions:
    "sns:ListSubscriptions",
    "sns:ListSubscriptionsByTopic",
    "sns:ListTagsForResource",
    "sns:ListTopics",
    "sns:GetTopicAttributes",
    "sns:GetSMSAttributes"
  Write-level actions (some features only):
    "sns:Publish"

Lambda
  Read-level actions:
    "lambda:ListFunctions",
    "lambda:ListTags",
    "lambda:GetFunctionConfiguration",
    "lambda:GetAccountSettings",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "lambda:GetPolicy"
  Write-level actions (some features only):
    "lambda:InvokeFunction"

Lambda logs
  Read-level actions:
    "logs:Describe*",
    "logs:Get*"
  Write-level actions (some features only): none

ElastiCache
  Read-level actions:
    "elasticache:DescribeCacheClusters",
    "elasticache:DescribeCacheSubnetGroups",
    "elasticache:ListTagsForResource",
    "elasticache:DescribeServiceUpdates",
    "elasticache:DescribeReplicationGroups"
  Write-level actions (some features only):
    "elasticache:RebootCacheCluster"

Simple Queue Service (SQS)
  Read-level actions:
    "sqs:ListQueues",
    "sqs:ListQueueTags",
    "sqs:GetQueueAttributes"
  Write-level actions (some features only):
    "sqs:SendMessage"

Amazon CloudFront
  Read-level actions:
    "cloudfront:GetDistribution",
    "cloudfront:ListPublicKeys",
    "cloudfront:ListTagsForResource",
    "cloudfront:ListInvalidations",
    "cloudfront:ListDistributions",
    "cloudfront:GetDistributionConfig"
  Write-level actions (some features only): none

Amazon Kinesis Data Streams
  Read-level actions:
    "kinesis:DescribeStreamSummary",
    "kinesis:ListStreams",
    "kinesis:ListTagsForStream",
    "kinesis:DescribeStream"
  Write-level actions (some features only):
    "kinesis:PutRecord"

Amazon Kinesis Video Streams
  Read-level actions:
    "kinesisvideo:ListStreams",
    "kinesisvideo:ListTagsForStream",
    "kinesisvideo:DescribeStream"
  Write-level actions (some features only): none

Amazon Kinesis Firehose
  Read-level actions:
    "firehose:ListDeliveryStreams",
    "firehose:ListTagsForDeliveryStream",
    "firehose:DescribeDeliveryStream"
  Write-level actions (some features only): none

Amazon Kinesis Data Analytics
  Read-level actions:
    "kinesisanalytics:ListApplications",
    "kinesisanalytics:ListTagsForResource",
    "kinesisanalytics:DescribeApplication"
  Write-level actions (some features only):
    "kinesisanalytics:StopApplication",
    "kinesisanalytics:StartApplication"

Route 53
  Read-level actions:
    Route 53 health check:
      "route53:ListTagsForResources",
      "route53:GetHealthCheckStatus",
      "route53:ListHealthChecks",
      "route53:GetHealthCheck",
      "route53:ListGeoLocations",
      "route53:ListTagsForResource"
    Route 53 hosted zone and record set check:
      "route53:ListTagsForResources",
      "route53:GetHealthCheckLastFailureReason",
      "route53:GetHealthCheckStatus",
      "route53:GetHostedZone",
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "route53:ListGeoLocations",
      "route53:GetTrafficPolicyInstance",
      "route53:GetTrafficPolicy",
      "route53:ListTagsForResource",
      "route53:ListQueryLoggingConfigs",
      "route53domains:ListDomains",
      "route53domains:GetDomainDetail",
      "logs:DescribeLogStreams",
      "logs:GetLogEvents"
    Route 53 Resolver:
      "route53resolver:ListResolverEndpointIpAddresses",
      "route53resolver:ListResolverRules",
      "route53resolver:GetResolverRule",
      "route53resolver:ListResolverRuleAssociations",
      "route53resolver:ListResolverEndpoints"
  Write-level actions (some features only): none

Direct Connect
  Read-level actions:
    "directconnect:DescribeConnections",
    "directconnect:DescribeTags",
    "directconnect:DescribeVirtualGateways",
    "directconnect:DescribeVirtualInterfaces"
  Write-level actions (some features only): none

VPC Virtual Private Network (VPN) connection
  Read-level actions:
    "ec2:DescribeVpnConnections",
    "ec2:DescribeAddresses"
  Write-level actions (some features only): none

API Gateway
  Read-level actions:
    "apigateway:GET"
  Write-level actions (some features only):
    "apigateway:POST"

Amazon Elastic Container Service (ECS)
  Read-level actions:
    "ecs:ListServices",
    "ecs:ListAccountSettings",
    "ecs:ListTagsForResource",
    "ecs:DescribeServices",
    "ecs:ListContainerInstances",
    "ecs:DescribeContainerInstances",
    "ecs:DescribeClusters",
    "ecs:ListClusters",
    "ecs:ListTasks",
    "ecs:DescribeTasks"
  Write-level actions (some features only): none

Amazon Redshift
  Read-level actions:
    "redshift:DescribeClusters",
    "redshift:DescribeClusterParameters",
    "redshift:DescribeLoggingStatus",
    "redshift:DescribeEvents",
    "redshift:DescribeStorage"
  Write-level actions (some features only):
    "redshift:RebootCluster"

Elastic File System (EFS)
  Read-level actions:
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeTags",
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeMountTargetSecurityGroups"
  Write-level actions (some features only): none

Simple Email Service (SES)
  Read-level actions:
    "ses:DescribeConfigurationSet",
    "ses:DescribeReceiptRuleSet",
    "ses:GetSendQuota",
    "ses:GetIdentityPolicies",
    "ses:GetIdentityNotificationAttributes",
    "ses:GetIdentityMailFromDomainAttributes",
    "ses:GetTemplate",
    "ses:GetIdentityDkimAttributes",
    "ses:GetIdentityVerificationAttributes",
    "ses:GetAccountSendingEnabled",
    "ses:ListIdentityPolicies",
    "ses:ListIdentities",
    "ses:ListConfigurationSets",
    "ses:ListReceiptRuleSets",
    "ses:ListReceiptFilters",
    "ses:ListTemplates"
  Write-level actions (some features only):
    "ses:SendEmail",
    "ses:SendTemplatedEmail"

Step Functions
  Read-level actions:
    "states:ListStateMachines",
    "states:DescribeStateMachine",
    "states:ListActivities",
    "states:DescribeExecution",
    "states:ListExecutions",
    "states:GetExecutionHistory",
    "states:ListTagsForResource"
  Write-level actions (some features only):
    "states:StartExecution"

Web Application Firewall (WAF)
  Read-level actions:
    "waf-regional:ListWebACLs",
    "waf-regional:ListRules",
    "waf-regional:GetWebACL",
    "waf-regional:ListTagsForResource",
    "waf-regional:GetGeoMatchSet",
    "waf-regional:GetIPSet",
    "waf-regional:GetXssMatchSet",
    "waf-regional:GetByteMatchSet",
    "waf-regional:GetRegexMatchSet",
    "waf-regional:GetSqlInjectionMatchSet",
    "waf-regional:GetSizeConstraintSet",
    "waf-regional:ListActivatedRulesInRuleGroup",
    "waf:ListRules",
    "waf:GetWebACL",
    "waf:ListTagsForResource",
    "waf:ListWebACLs",
    "waf:GetByteMatchSet",
    "waf:GetIPSet",
    "waf:GetXssMatchSet",
    "waf:GetRegexMatchSet",
    "waf:GetSizeConstraintSet",
    "waf:ListActivatedRulesInRuleGroup",
    "wafv2:ListLoggingConfigurations",
    "wafv2:GetWebACL",
    "wafv2:ListTagsForResource",
    "wafv2:ListWebACLs",
    "wafv2:GetIPSet",
    "wafv2:GetRegexPatternSet",
    "wafv2:GetRuleGroup",
    "waf-regional:ListResourcesForWebACL"
  Write-level actions (some features only): none

Key Management Service (KMS)
  Read-level actions:
    "kms:DescribeCustomKeyStores",
    "kms:DescribeKey",
    "kms:GetKeyRotationStatus",
    "kms:ListAliases",
    "kms:ListResourceTags",
    "kms:ListKeys",
    "kms:GetKeyPolicy",
    "kms:ListGrants",
    "kms:ListKeyPolicies"
  Write-level actions (some features only): none

CloudSearch
  Read-level actions:
    "cloudsearch:DescribeDomains",
    "cloudsearch:DescribeIndexFields",
    "cloudsearch:DescribeAvailabilityOptions",
    "cloudsearch:DescribeScalingParameters",
    "cloudsearch:DescribeAnalysisSchemes",
    "cloudsearch:DescribeServiceAccessPolicies",
    "cloudsearch:DescribeExpressions",
    "cloudsearch:DescribeSuggesters"
  Write-level actions (some features only): none

Elasticsearch
  Read-level actions:
    "es:DescribeElasticsearchDomain",
    "es:ListDomainNames",
    "es:ListTags",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "es:DescribePackages"
  Write-level actions (some features only): none

Elastic MapReduce
  Read-level actions:
    "elasticmapreduce:ListSecurityConfigurations",
    "elasticmapreduce:DescribeCluster",
    "elasticmapreduce:ListClusters",
    "elasticmapreduce:ListBootstrapActions",
    "elasticmapreduce:ListSteps",
    "elasticmapreduce:ListInstanceFleets",
    "elasticmapreduce:ListInstanceGroups",
    "elasticmapreduce:ListInstances"
  Write-level actions (some features only):
    "elasticmapreduce:addJobFlowSteps"

WorkSpaces
  Read-level actions:
    "workspaces:DescribeTags",
    "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:DescribeIpGroups",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeWorkspaceImages"
  Write-level actions (some features only):
    "workspaces:StartWorkspaces",
    "workspaces:RebootWorkspaces",
    "workspaces:RebuildWorkspaces",
    "workspaces:StopWorkspaces"

Certificate Manager (ACM)
  Read-level actions:
    "acm:ListCertificates",
    "acm:ListTagsForCertificate",
    "acm:DescribeCertificate",
    "acm:GetCertificate"
  Write-level actions (some features only): none

Lightsail Instance
  Read-level actions:
    "lightsail:GetInstances",
    "lightsail:GetInstance",
    "lightsail:GetActiveNames",
    "lightsail:GetOperationsForResource",
    "lightsail:GetInstanceMetricData"
  Write-level actions (some features only):
    "lightsail:StartInstance",
    "lightsail:StopInstance",
    "lightsail:RebootInstance"

Lightsail Database
  Read-level actions:
    "lightsail:GetRelationalDatabases",
    "lightsail:GetRelationalDatabase",
    "lightsail:GetRelationalDatabaseEvents",
    "lightsail:GetRelationalDatabaseLogEvents",
    "lightsail:GetRelationalDatabaseLogStreams",
    "lightsail:GetOperationsForResource",
    "lightsail:GetRelationalDatabaseMetricData"
  Write-level actions (some features only):
    "lightsail:StartRelationalDatabase",
    "lightsail:StopRelationalDatabase",
    "lightsail:RebootRelationalDatabase"

Lightsail Load Balancer
  Read-level actions:
    "lightsail:GetLoadBalancers",
    "lightsail:GetLoadBalancer",
    "lightsail:GetLoadBalancerTlsCertificates",
    "lightsail:GetOperationsForResource",
    "lightsail:GetLoadBalancerMetricData"
  Write-level actions (some features only): none (the automation policy below contains no load balancer actions)

Elastic Kubernetes Service (EKS)
  Read-level actions:
    "eks:DescribeCluster",
    "eks:ListClusters",
    "cloudwatch:ListMetrics"
  Write-level actions (some features only): none

Storage Gateway
  Read-level actions:
    "storagegateway:DescribeGatewayInformation",
    "storagegateway:ListGateways",
    "storagegateway:ListTagsForResource",
    "storagegateway:ListTapes",
    "storagegateway:ListFileShares",
    "storagegateway:ListVolumes",
    "storagegateway:DescribeAvailabilityMonitorTest",
    "storagegateway:DescribeBandwidthRateLimit",
    "storagegateway:DescribeCache",
    "storagegateway:DescribeCachediSCSIVolumes",
    "storagegateway:DescribeNFSFileShares",
    "storagegateway:DescribeSMBFileShares",
    "storagegateway:DescribeStorediSCSIVolumes",
    "storagegateway:DescribeTapeArchives",
    "storagegateway:DescribeTapes",
    "storagegateway:DescribeUploadBuffer",
    "storagegateway:ListLocalDisks",
    "storagegateway:DescribeVTLDevices",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Write-level actions (some features only): none

Amazon MQ
  Read-level actions:
    "mq:DescribeBroker",
    "mq:DescribeConfiguration",
    "mq:DescribeConfigurationRevision",
    "mq:DescribeUser",
    "mq:ListTags",
    "mq:ListBrokers",
    "mq:DescribeBrokerEngineTypes",
    "cloudwatch:ListMetrics",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Write-level actions (some features only):
    "mq:RebootBroker"

Transit Gateway
  Read-level actions:
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayPeeringAttachments",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeAddresses"
  Additional actions (some features only):
    "ec2:SearchTransitGatewayRoutes",
    "ec2:SearchTransitGatewayMulticastGroups"

Data Migration Service (DMS)
  Read-level actions:
    "dms:DescribeAccountAttributes",
    "dms:DescribeReplicationInstances",
    "dms:DescribeReplicationTasks",
    "dms:DescribeTableStatistics",
    "dms:DescribeCertificates",
    "dms:DescribeConnections",
    "dms:DescribeEndpoints",
    "dms:ListTagsForResource",
    "dms:DescribeEvents",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Write-level actions (some features only):
    "dms:StartReplicationTask",
    "dms:StopReplicationTask"

Amazon FSx
  Read-level actions:
    "fsx:ListTagsForResource",
    "fsx:DescribeBackups",
    "fsx:DescribeDataRepositoryTasks",
    "fsx:DescribeFileSystems"
  Write-level actions (some features only):
    "fsx:CreateDataRepositoryTask",
    "fsx:CreateBackup"

GuardDuty
  Read-level actions:
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "guardduty:GetFindings"
  Write-level actions (some features only): none

Lambda@Edge
  Read-level actions:
    "lambda:GetAccountSettings",
    "lambda:GetFunctionConfiguration",
    "lambda:ListTags",
    "cloudfront:ListPublicKeys",
    "cloudfront:ListDistributions"
  Write-level actions (some features only):
    "lambda:InvokeFunction"

DocumentDB
  Read-level actions:
    "rds:DescribeDBClusters",
    "rds:DescribeDBInstances",
    "rds:ListTagsForResource",
    "rds:DescribeCertificates",
    "rds:DescribeEvents",
    "rds:DescribeGlobalClusters",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Write-level actions (some features only): none

AWS Transfer for SFTP
  Read-level actions:
    "transfer:DescribeUser",
    "transfer:DescribeServer",
    "transfer:ListUsers",
    "transfer:ListServers",
    "transfer:ListTagsForResource",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Write-level actions (some features only): none

AWS Systems Manager
  Read-level actions:
    "ssm:ListCommands",
    "ssm:DescribeInstanceInformation",
    "ssm:ListCommandInvocations"
  Write-level actions (some features only): none

Service Quotas
  Read-level actions:
    "servicequotas:GetRequestedServiceQuotaChange",
    "servicequotas:ListRequestedServiceQuotaChangeHistory",
    "servicequotas:ListServiceQuotas"
  Write-level actions (some features only):
    "servicequotas:RequestServiceQuotaIncrease"

Amazon AppStream 2.0
  Read-level actions:
    "appstream:DescribeFleets",
    "appstream:ListAssociatedStacks",
    "appstream:DescribeImages",
    "appstream:DescribeUserStackAssociations",
    "appstream:DescribeUsers",
    "appstream:DescribeSessions",
    "appstream:DescribeApplicationFleetAssociations",
    "appstream:DescribeApplications",
    "appstream:ListTagsForResource"
  Write-level actions (some features only):
    "appstream:StopFleet",
    "appstream:StartFleet"

Follow these steps to create a new policy in the visual editor:

  • Sign in to the AWS IAM console, choose Policies, and click Create policy.
  • Select the Visual editor tab.
  • Under Service, type CloudWatch in the search box and select it from the list.
  • Under Access level, select Read, expand the section, and select the actions listed above for that service.
  • Repeat the same steps for each other service you monitor. When you are done, click Review policy.

Custom policy for read-only access

You can also use the custom policy provided by Site24x7 to define access to your AWS resources. Copy the JSON below, paste it into the JSON editor, and review it. Enter a policy name and description, then click Create policy.

Then attach the policy to the IAM user or role that Site24x7 uses.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "dynamodb:Describe*",
                    "dynamodb:List*",
                    "ec2:Describe*",
                    "sqs:Get*",
                    "sqs:List*",
                    "autoscaling:Describe*",
                    "elasticloadbalancing:Describe*",
                    "cloudfront:Get*",
                    "cloudfront:List*",
                    "s3:Get*",
                    "s3:List*",
                    "rds:Describe*",
                    "rds:List*",
                    "kinesisanalytics:Describe*",
                    "kinesisanalytics:Get*",
                    "kinesisanalytics:List*",
                    "kinesis:Describe*",
                    "kinesis:Get*",
                    "kinesis:List*",
                    "kinesisvideo:Get*",
                    "kinesisvideo:List*",
                    "kinesisvideo:Describe*",
                    "firehose:Describe*",
                    "firehose:List*",
                    "elasticache:Describe*",
                    "elasticache:List*",
                    "elasticbeanstalk:Describe*",
                    "elasticbeanstalk:List*",
                    "directconnect:Describe*",
                    "apigateway:GET",
                    "ecs:DescribeServices",
                    "ecs:DescribeContainerInstances",
                    "ecs:DescribeClusters",
                    "redshift:Describe*",
                    "elasticfilesystem:Describe*",
                    "ses:Get*",
                    "ses:List*",
                    "ses:Describe*",
                    "lambda:List*",
                    "lambda:Get*",
                    "logs:Describe*",
                    "logs:Get*",
                    "route53domains:Get*",
                    "route53domains:List*",
                    "route53:Get*",
                    "route53:List*",
                    "route53resolver:Get*",
                    "route53resolver:List*",
                    "states:List*",
                    "states:Describe*",
                    "states:GetExecutionHistory",
                    "sns:Get*",
                    "sns:List*",
                    "kms:Describe*",
                    "kms:Get*",
                    "kms:List*",
                    "waf:Get*",
                    "waf:List*",
                    "waf-regional:List*",
                    "waf-regional:Get*",
                    "cloudsearch:Describe*",
                    "cloudsearch:List*",
                    "es:Describe*",
                    "es:List*",
                    "es:Get*",
                    "workspaces:Describe*",
                    "ds:Describe*",
                    "elasticmapreduce:List*",
                    "elasticmapreduce:Describe*",
                    "acm:GetCertificate",
                    "acm:Describe*",
                    "acm:List*",
                    "lightsail:Get*",
                    "eks:Describe*",
                    "eks:List*",
                    "mq:Describe*",
                    "mq:List*",
                    "ec2:Get*",
                    "ec2:SearchTransitGatewayRoutes",
                    "ec2:SearchTransitGatewayMulticastGroups",
                    "storagegateway:List*",
                    "storagegateway:Describe*",
                    "guardduty:GetFindings",
                    "guardduty:ListDetectors",
                    "guardduty:ListFindings",
                    "dms:Describe*",
                    "dms:List*",
                    "dms:TestConnection",
                    "fsx:Describe*",
                    "fsx:ListTagsForResource",
                    "inspector:List*",
                    "inspector:Describe*",
                    "transfer:Describe*",
                    "transfer:List*",
                    "ssm:ListCommands",
                    "ssm:DescribeInstanceInformation",
                    "ssm:ListCommandInvocations"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }


This policy was last updated on January 19, 2022.

This policy is created and maintained by the Site24x7 team and grants read-only permissions to every supported AWS service. It is updated whenever Site24x7 adds support for a new AWS service, so always use the latest version. Note that it combines action wildcards with Resource "*": a pattern such as "s3:Get*" also matches s3:GetObject (object contents, not just bucket metadata), "ec2:Get*" matches ec2:GetPasswordData, and "lambda:Get*" matches lambda:GetFunction, which returns a download URL for the function's deployment package. If you do not want to delegate that much read access, replace the wildcards with the explicit actions from the table above.
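The following is an added example, not Site24x7's own tooling, that ties together the two approaches above: it assembles a least-privilege read-only policy from a constructed excerpt of the per-service action table (the visual-editor procedure, done in code so a write-level action cannot be pasted in by mistake), and it checks a wildcard policy like the custom JSON for the over-broad grants mentioned above. The catalog and the list of sensitive actions are the author's assumptions, not part of the original page.

```python
"""Build a least-privilege read-only IAM policy from the per-service action
table and lint a wildcard policy for over-broad read grants.

Added example for this page; not Site24x7's own code. READ_ACTIONS is a
constructed excerpt of the table above, SENSITIVE_READS is the author's list.
"""
import fnmatch
import json

# Constructed excerpt of the per-service table (read-level actions only).
READ_ACTIONS = {
    "CloudWatch": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
                   "cloudwatch:ListMetrics"],
    "EC2": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
            "ec2:DescribeVolumes", "autoscaling:DescribeAutoScalingGroups"],
    "RDS": ["rds:DescribeDBInstances", "rds:DescribeDBClusters",
            "rds:ListTagsForResource"],
    "SNS": ["sns:ListTopics", "sns:GetTopicAttributes"],
}

# Verbs AWS uses for read-level actions; anything else is treated as a
# mutating action and rejected from a read-only policy.
READ_VERBS = ("Describe", "Get", "List")


def is_read_level(action: str) -> bool:
    """True for '<service>:<Verb>...' with a read-level verb.
    API Gateway names its actions after HTTP verbs, so only GET is read."""
    service, _, name = action.partition(":")
    if service == "apigateway":
        return name == "GET"
    return name.startswith(READ_VERBS)


def build_read_only_policy(services, catalog=READ_ACTIONS) -> dict:
    """Return a policy granting only the read actions of the chosen services.
    Raises ValueError if the catalog contains a write-level action, so a
    copy-paste slip such as ec2:RebootInstances cannot end up in the policy."""
    actions = []
    for svc in services:
        for action in catalog[svc]:
            if not is_read_level(action):
                raise ValueError(f"write-level action in read-only policy: {action}")
            if action not in actions:
                actions.append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


# Read-level by name, but these return data rather than metadata:
# s3:GetObject returns object contents, ec2:GetPasswordData returns the
# key-pair-encrypted Windows administrator password, lambda:GetFunction
# returns a pre-signed URL for the deployment package.
SENSITIVE_READS = ["s3:GetObject", "ec2:GetPasswordData", "lambda:GetFunction"]


def sensitive_grants(policy: dict, sensitive=SENSITIVE_READS) -> list:
    """Return the sensitive actions matched by the policy's Allow patterns.
    IAM matches action names case-insensitively and expands '*', which
    fnmatch reproduces once both sides are lower-cased."""
    hits = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for action in sensitive:
            if any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns):
                hits.add(action)
    return sorted(hits)


if __name__ == "__main__":
    print(json.dumps(build_read_only_policy(["CloudWatch", "EC2"]), indent=2))
    wildcard_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "ec2:Get*", "ec2:Describe*"],
         "Resource": "*"}]}
    print("sensitive actions granted:", sensitive_grants(wildcard_policy))
```

Running the lint over the custom JSON above reports all three sensitive actions, because "s3:Get*", "ec2:Get*" and "lambda:Get*" are each present; the same check over a policy built from the table reports none.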

Custom policy for IT automation

If you create a custom IAM policy with the following JSON, Site24x7 can use it to act on alert events (IT automation).

{
"Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "ec2:RebootInstances",
            "sns:Publish",
            "ec2:StartInstances",
            "kinesisanalytics:StopApplication",
            "kinesisanalytics:StartApplication",
            "kinesis:PutRecord",
            "rds:RebootDBInstance",
            "elasticache:RebootCacheCluster",
            "lambda:InvokeFunction",
            "redshift:RebootCluster",
            "ses:SendEmail",
            "apigateway:POST",
            "elasticbeanstalk:RestartAppServer",
            "sqs:SendMessage",
            "rds:StopDBInstance",
            "ec2:StopInstances",
            "rds:StartDBInstance",
            "states:StartExecution",
            "elasticmapreduce:addJobFlowSteps",
            "workspaces:StartWorkspaces",
            "workspaces:RebootWorkspaces",
            "workspaces:RebuildWorkspaces",
            "workspaces:StopWorkspaces",
            "lightsail:StartRelationalDatabase",
            "lightsail:StopRelationalDatabase",
            "lightsail:RebootRelationalDatabase",
            "lightsail:StartInstance",
            "lightsail:StopInstance",
            "lightsail:RebootInstance",
            "mq:RebootBroker",
            "dms:StartReplicationTask",
            "dms:StopReplicationTask",
            "fsx:CreateDataRepositoryTask",
            "fsx:CreateBackup"
         ],
         "Resource":"*"
      }
   ]
}

This JSON grants a limited set of write permissions: stopping, starting and rebooting EC2 and RDS instances, rebooting ElastiCache clusters, invoking Lambda functions, and publishing messages to SNS topics and SQS queues, among the other actions listed. If there are actions you do not want Site24x7 to perform, edit the JSON and change or remove those permissions. Every action is granted on Resource "*", that is, on every matching resource in the account; where an action supports resource-level permissions, narrow the Resource element to the ARNs of the resources Site24x7 should act on.
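As an added example (not Site24x7's own code), the function below scopes the automation policy down: it keeps only the actions you choose from the policy above and binds each one to explicit resource ARNs instead of "*", and a second function reports any write action that is still granted on "*". The ARNs use the AWS documentation account ID 123456789012 and made-up resource names; they are placeholders to replace with your own. The actions scoped here (EC2 instance start/stop/reboot, sns:Publish, lambda:InvokeFunction) accept resource ARNs in IAM.

```python
"""Scope the IT automation policy from Resource "*" down to explicit ARNs.

Added example for this page; not Site24x7's own code. SCOPE holds
constructed placeholder ARNs (documentation account 123456789012).
"""
import json

# Excerpt of the actions in the page's automation policy.
PAGE_AUTOMATION_ACTIONS = [
    "ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances",
    "rds:RebootDBInstance", "rds:StartDBInstance", "rds:StopDBInstance",
    "sns:Publish", "sqs:SendMessage", "lambda:InvokeFunction",
    "elasticache:RebootCacheCluster",
]

# Operator's decision: which actions to keep and on which resources.
# Placeholder ARNs; actions not listed here are dropped from the policy.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456789a"
SCOPE = {
    "ec2:RebootInstances": [INSTANCE],
    "ec2:StopInstances": [INSTANCE],
    "ec2:StartInstances": [INSTANCE],
    "sns:Publish": ["arn:aws:sns:us-east-1:123456789012:site24x7-alerts"],
    "lambda:InvokeFunction": [
        "arn:aws:lambda:us-east-1:123456789012:function:remediate-disk"],
}


def harden_automation_policy(page_actions, scope) -> dict:
    """Keep only the actions present in `scope`, grouped into one statement
    per distinct resource set. Unscoped actions are dropped rather than left
    on Resource "*", so the result never widens what the operator chose."""
    by_resources = {}
    for action in page_actions:
        if action not in scope:
            continue
        key = tuple(sorted(scope[action]))
        by_resources.setdefault(key, []).append(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}
        for resources, actions in sorted(by_resources.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_write_actions(policy: dict) -> list:
    """Lint: return every Allow action that still applies to Resource "*"."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            actions = stmt["Action"]
            flagged.extend([actions] if isinstance(actions, str) else actions)
    return sorted(flagged)


if __name__ == "__main__":
    hardened = harden_automation_policy(PAGE_AUTOMATION_ACTIONS, SCOPE)
    print(json.dumps(hardened, indent=2))
    print("still on *:", unscoped_write_actions(hardened))
```

Running the lint over the page's automation policy as published flags all of its actions, since the single statement uses Resource "*"; over the hardened output it flags none. Actions whose AWS API does not support resource-level permissions cannot be narrowed this way and have to stay on "*" or be removed.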