Policies and permissions

Whether you grant access by creating an IAM user or through a cross-account IAM role, Site24x7 has to be given permissions, and those permissions decide exactly which AWS resources it can reach.

Site24x7 needs read-only permissions on your AWS services and resources. You can attach the default read-only policy, attach our custom policy, or create a policy of your own.

Default read-only access policy (recommended)

To avoid monitoring blind spots and get the full set of Site24x7 monitoring features, we strongly recommend attaching the default read-only policy document, the AWS managed policy ReadOnlyAccess, to the IAM user or role you created. It grants read-only access to all mainstream AWS services. Bear in mind that ReadOnlyAccess permits reading data as well as configuration (s3:GetObject, for example, is covered); if that is more than you want to delegate, build a narrower policy from the per-service table below instead.

Note
  • The managed policy ReadOnlyAccess does not currently include the read-only permissions needed to monitor Kinesis Video Streams usage. To monitor it, attach the managed policy AmazonKinesisVideoStreamsReadOnlyAccess alongside ReadOnlyAccess, or create a new policy from scratch in the visual editor.
  • The managed policy ReadOnlyAccess does not include the read-only permissions needed to monitor Route 53 Resolver. To monitor it, create a new policy from scratch in the visual editor, or create a role with the necessary permissions.

These predefined policies are maintained and updated by AWS itself, so when we introduce monitoring support for a new AWS service you do not need to update the permissions in your policy document.

The supported AWS services and the actions each one requires are listed below. Each entry gives the service, its read-level actions, and the partial write-level actions (if any); the write-level actions are used only for the optional automation actions Site24x7 can take in response to alerts, and are not needed for monitoring alone.

CloudWatch
  Read-level actions:
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics"
  Partial write-level actions: none

CloudWatch Logs
  Read-level actions:
    "logs:Start*",
    "logs:Get*",
    "logs:Describe*"
  Partial write-level actions: none

DynamoDB
  Read-level actions:
    "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource",
    "dynamodb:ListBackups",
    "dynamodb:ListTables",
    "dynamodb:DescribeLimits",
    "lambda:ListEventSourceMappings"
  Partial write-level actions: none

EC2
  Read-level actions:
    "ec2:DescribeAddresses",
    "ec2:DescribeInstances",
    "ec2:DescribeSnapshotAttribute",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeSnapshots",
    "ec2:DescribeInstanceCreditSpecifications",
    "ec2:GetConsoleOutput",
    "ec2:DescribeImages",
    "ec2:DescribeVolumeStatus",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVolumes",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeElasticGpus",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeVpcs",
    "ec2:DescribeFlowLogs",
    "ec2:DescribeNatGateways",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeRouteTables",
    "ec2:DescribeNetworkAcls",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeAutoScalingGroups"
  Partial write-level actions:
    "ec2:RebootInstances",
    "ec2:UnmonitorInstances",
    "ec2:MonitorInstances",
    "ec2:StopInstances",
    "ec2:StartInstances"
Elastic Beanstalk
  Read-level actions:
    "elasticbeanstalk:DescribeEnvironmentResources",
    "elasticbeanstalk:DescribeAccountAttributes",
    "elasticbeanstalk:DescribeEnvironments",
    "elasticbeanstalk:DescribeEvents",
    "elasticbeanstalk:DescribeInstancesHealth",
    "elasticbeanstalk:DescribeEnvironmentHealth",
    "elasticbeanstalk:DescribeConfigurationSettings",
    "elasticbeanstalk:ListTagsForResource",
    "cloudformation:ListStackResources",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAccountLimits",
    "autoscaling:DescribeLaunchConfigurations",
    "s3:ListAllMyBuckets",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:ListBucket"
  Partial write-level actions:
    "elasticbeanstalk:RestartAppServer"

ELB
  Read-level actions:
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeAccountLimits",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups"
  Partial write-level actions: none

Gateway Load Balancer
  Read-level actions:
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeAccountLimits",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServiceConfigurations"
  Partial write-level actions: none

RDS
  Read-level actions:
    "rds:ListTagsForResource",
    "rds:DescribeDBInstances",
    "rds:DescribeDBLogFiles",
    "rds:DescribeAccountAttributes",
    "rds:DescribeDBClusters",
    "rds:DescribeEvents"
  Partial write-level actions:
    "rds:StartDBInstance",
    "rds:StopDBInstance",
    "rds:RebootDBInstance",
    "rds:StartDBCluster",
    "rds:StopDBCluster",
    "rds:FailoverDBCluster"
S3
  Read-level actions:
    "s3:GetObjectAcl",
    "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetBucketTagging",
    "s3:ListAllMyBuckets",
    "s3:GetBucketVersioning",
    "s3:GetBucketAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:GetReplicationConfiguration",
    "s3:GetBucketLogging",
    "s3:ListBucket"
  Partial write-level actions: none

SNS
  Read-level actions:
    "sns:ListSubscriptions",
    "sns:ListSubscriptionsByTopic",
    "sns:ListTagsForResource",
    "sns:ListTopics",
    "sns:GetTopicAttributes",
    "sns:GetSMSAttributes"
  Partial write-level actions:
    "sns:Publish"

Lambda
  Read-level actions:
    "lambda:ListFunctions",
    "lambda:ListTags",
    "lambda:GetFunctionConfiguration",
    "lambda:GetAccountSettings",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "lambda:GetPolicy"
  Partial write-level actions:
    "lambda:InvokeFunction"

Lambda logs
  Read-level actions:
    "logs:Describe*",
    "logs:Get*"
  Partial write-level actions: none

Amazon Inspector
  Read-level actions:
    "inspector2:ListFindings"
  Partial write-level actions: none

ElastiCache
  Read-level actions:
    "elasticache:DescribeCacheClusters",
    "elasticache:DescribeCacheSubnetGroups",
    "elasticache:ListTagsForResource",
    "elasticache:DescribeServiceUpdates",
    "elasticache:DescribeReplicationGroups"
  Partial write-level actions:
    "elasticache:RebootCacheCluster"

Simple Queue Service (SQS)
  Read-level actions:
    "sqs:ListQueues",
    "sqs:ListQueueTags",
    "sqs:GetQueueAttributes"
  Partial write-level actions:
    "sqs:SendMessage"

Amazon CloudFront
  Read-level actions:
    "cloudfront:GetDistribution",
    "cloudfront:ListPublicKeys",
    "cloudfront:ListTagsForResource",
    "cloudfront:ListInvalidations",
    "cloudfront:ListDistributions",
    "cloudfront:GetDistributionConfig"
  Partial write-level actions: none

Amazon Kinesis Data Streams
  Read-level actions:
    "kinesis:DescribeStreamSummary",
    "kinesis:ListStreams",
    "kinesis:ListTagsForStream",
    "kinesis:DescribeStream"
  Partial write-level actions:
    "kinesis:PutRecord"

Amazon Kinesis Video Streams
  Read-level actions:
    "kinesisvideo:ListStreams",
    "kinesisvideo:ListTagsForStream",
    "kinesisvideo:DescribeStream"
  Partial write-level actions: none

Amazon Kinesis Firehose
  Read-level actions:
    "firehose:ListDeliveryStreams",
    "firehose:ListTagsForDeliveryStream",
    "firehose:DescribeDeliveryStream"
  Partial write-level actions: none

Amazon Kinesis Data Analytics
  Read-level actions:
    "kinesisanalytics:ListApplications",
    "kinesisanalytics:ListTagsForResource",
    "kinesisanalytics:DescribeApplication"
  Partial write-level actions:
    "kinesisanalytics:StopApplication",
    "kinesisanalytics:StartApplication"
Route 53
  Read-level actions:
    Route 53 health check:
    "route53:ListTagsForResources",
    "route53:GetHealthCheckStatus",
    "route53:ListHealthChecks",
    "route53:GetHealthCheck",
    "route53:ListGeoLocations",
    "route53:ListTagsForResource"

    Route 53 hosted zone and record set check:
    "route53:ListTagsForResources",
    "route53:GetHealthCheckLastFailureReason",
    "route53:GetHealthCheckStatus",
    "route53:GetHostedZone",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
    "route53:ListGeoLocations",
    "route53:GetTrafficPolicyInstance",
    "route53:GetTrafficPolicy",
    "route53:ListTagsForResource",
    "route53:ListQueryLoggingConfigs",
    "route53domains:ListDomains",
    "route53domains:GetDomainDetail",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"

    Route 53 Resolver:
    "route53resolver:ListResolverEndpointIpAddresses",
    "route53resolver:ListResolverRules",
    "route53resolver:GetResolverRule",
    "route53resolver:ListResolverRuleAssociations",
    "route53resolver:ListResolverEndpoints"
  Partial write-level actions: none
Direct Connect
  Read-level actions:
    "directconnect:DescribeConnections",
    "directconnect:DescribeTags",
    "directconnect:DescribeVirtualGateways",
    "directconnect:DescribeVirtualInterfaces"
  Partial write-level actions: none

VPC Virtual Private Network (VPN) connection
  Read-level actions:
    "ec2:DescribeVpnConnections",
    "ec2:DescribeAddresses"
  Partial write-level actions: none

API Gateway
  Read-level actions:
    "apigateway:GET"
  Partial write-level actions:
    "apigateway:POST"

Amazon Elastic Container Service (ECS)
  Read-level actions:
    "ecs:ListServices",
    "ecs:ListAccountSettings",
    "ecs:ListTagsForResource",
    "ecs:DescribeServices",
    "ecs:ListContainerInstances",
    "ecs:DescribeContainerInstances",
    "ecs:DescribeClusters",
    "ecs:ListClusters",
    "ecs:ListTasks",
    "ecs:DescribeTasks"
  Partial write-level actions: none

Amazon Redshift
  Read-level actions:
    "redshift:DescribeClusters",
    "redshift:DescribeClusterParameters",
    "redshift:DescribeLoggingStatus",
    "redshift:DescribeEvents",
    "redshift:DescribeAccountAttributes"
  Partial write-level actions:
    "redshift:RebootCluster"

Elastic File System (EFS)
  Read-level actions:
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeTags",
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeMountTargetSecurityGroups"
  Partial write-level actions: none

Simple Email Service (SES)
  Read-level actions:
    "ses:DescribeConfigurationSet",
    "ses:DescribeReceiptRuleSet",
    "ses:GetSendQuota",
    "ses:GetIdentityPolicies",
    "ses:GetIdentityNotificationAttributes",
    "ses:GetIdentityMailFromDomainAttributes",
    "ses:GetTemplate",
    "ses:GetIdentityDkimAttributes",
    "ses:GetIdentityVerificationAttributes",
    "ses:GetAccountSendingEnabled",
    "ses:ListIdentityPolicies",
    "ses:ListIdentities",
    "ses:ListConfigurationSets",
    "ses:ListReceiptRuleSets",
    "ses:ListReceiptFilters",
    "ses:ListTemplates"
  Partial write-level actions:
    "ses:SendEmail",
    "ses:SendTemplatedEmail"

Step Functions
  Read-level actions:
    "states:ListStateMachines",
    "states:DescribeStateMachine",
    "states:ListActivities",
    "states:DescribeExecution",
    "states:ListExecutions",
    "states:GetExecutionHistory",
    "states:ListTagsForResource"
  Partial write-level actions:
    "states:StartExecution"
Web Application Firewall (WAF)
  Read-level actions:
    "waf-regional:ListWebACLs",
    "waf-regional:ListRules",
    "waf-regional:GetWebACL",
    "waf-regional:ListTagsForResource",
    "waf-regional:GetGeoMatchSet",
    "waf-regional:GetIPSet",
    "waf-regional:GetXssMatchSet",
    "waf-regional:GetByteMatchSet",
    "waf-regional:GetRegexMatchSet",
    "waf-regional:GetSqlInjectionMatchSet",
    "waf-regional:GetSizeConstraintSet",
    "waf-regional:ListActivatedRulesInRuleGroup",
    "waf:ListRules",
    "waf:GetWebACL",
    "waf:ListTagsForResource",
    "waf:ListWebACLs",
    "waf:GetByteMatchSet",
    "waf:GetIPSet",
    "waf:GetXssMatchSet",
    "waf:GetRegexMatchSet",
    "waf:GetSizeConstraintSet",
    "waf:ListActivatedRulesInRuleGroup",
    "wafv2:ListLoggingConfigurations",
    "wafv2:GetWebACL",
    "wafv2:ListTagsForResource",
    "wafv2:ListWebACLs",
    "wafv2:GetIPSet",
    "wafv2:GetRegexPatternSet",
    "wafv2:GetRuleGroup",
    "waf-regional:ListResourcesForWebACL",
    "cloudfront:ListDistributionsByWebACLId"
  Partial write-level actions: none

Key Management Service (KMS)
  Read-level actions:
    "kms:DescribeCustomKeyStores",
    "kms:DescribeKey",
    "kms:GetKeyRotationStatus",
    "kms:ListAliases",
    "kms:ListResourceTags",
    "kms:ListKeys",
    "kms:GetKeyPolicy",
    "kms:ListGrants",
    "kms:ListKeyPolicies"
  Partial write-level actions: none

CloudSearch
  Read-level actions:
    "cloudsearch:DescribeDomains",
    "cloudsearch:DescribeIndexFields",
    "cloudsearch:DescribeAvailabilityOptions",
    "cloudsearch:DescribeScalingParameters",
    "cloudsearch:DescribeAnalysisSchemes",
    "cloudsearch:DescribeServiceAccessPolicies",
    "cloudsearch:DescribeExpressions",
    "cloudsearch:DescribeSuggesters"
  Partial write-level actions: none

Elasticsearch
  Read-level actions:
    "es:DescribeElasticsearchDomain",
    "es:ListDomainNames",
    "es:ListTags",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "es:DescribePackages"
  Partial write-level actions: none

Elastic MapReduce
  Read-level actions:
    "elasticmapreduce:ListSecurityConfigurations",
    "elasticmapreduce:DescribeCluster",
    "elasticmapreduce:ListClusters",
    "elasticmapreduce:ListBootstrapActions",
    "elasticmapreduce:ListSteps",
    "elasticmapreduce:ListInstanceFleets",
    "elasticmapreduce:ListInstanceGroups",
    "elasticmapreduce:ListInstances"
  Partial write-level actions:
    "elasticmapreduce:AddJobFlowSteps"
WorkSpaces
  Read-level actions:
    "workspaces:DescribeTags",
    "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:DescribeIpGroups",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeWorkspaceImages"
  Partial write-level actions:
    "workspaces:StartWorkspaces",
    "workspaces:RebootWorkspaces",
    "workspaces:RebuildWorkspaces",
    "workspaces:StopWorkspaces"

Certificate Manager (ACM)
  Read-level actions:
    "acm:ListCertificates",
    "acm:ListTagsForCertificate",
    "acm:DescribeCertificate",
    "acm:GetCertificate"
  Partial write-level actions: none

Lightsail Instance
  Read-level actions:
    "lightsail:GetInstances",
    "lightsail:GetInstance",
    "lightsail:GetActiveNames",
    "lightsail:GetOperationsForResource",
    "lightsail:GetInstanceMetricData"
  Partial write-level actions:
    "lightsail:StartInstance",
    "lightsail:StopInstance",
    "lightsail:RebootInstance"

Lightsail Database
  Read-level actions:
    "lightsail:GetRelationalDatabases",
    "lightsail:GetRelationalDatabase",
    "lightsail:GetRelationalDatabaseEvents",
    "lightsail:GetRelationalDatabaseLogEvents",
    "lightsail:GetRelationalDatabaseLogStreams",
    "lightsail:GetOperationsForResource",
    "lightsail:GetRelationalDatabaseMetricData"
  Partial write-level actions:
    "lightsail:StartRelationalDatabase",
    "lightsail:StopRelationalDatabase",
    "lightsail:RebootRelationalDatabase"

Lightsail Load Balancer
  Read-level actions:
    "lightsail:GetLoadBalancers",
    "lightsail:GetLoadBalancer",
    "lightsail:GetLoadBalancerTlsCertificates",
    "lightsail:GetOperationsForResource",
    "lightsail:GetLoadBalancerMetricData"
  Partial write-level actions: none

Elastic Kubernetes Service (EKS)
  Read-level actions:
    "eks:DescribeCluster",
    "eks:ListClusters",
    "cloudwatch:ListMetrics"
  Partial write-level actions: none
Storage Gateway
  Read-level actions:
    "storagegateway:DescribeGatewayInformation",
    "storagegateway:ListGateways",
    "storagegateway:ListTagsForResource",
    "storagegateway:ListTapes",
    "storagegateway:ListFileShares",
    "storagegateway:ListVolumes",
    "storagegateway:DescribeAvailabilityMonitorTest",
    "storagegateway:DescribeBandwidthRateLimit",
    "storagegateway:DescribeCache",
    "storagegateway:DescribeCachediSCSIVolumes",
    "storagegateway:DescribeNFSFileShares",
    "storagegateway:DescribeSMBFileShares",
    "storagegateway:DescribeStorediSCSIVolumes",
    "storagegateway:DescribeTapeArchives",
    "storagegateway:DescribeTapes",
    "storagegateway:DescribeUploadBuffer",
    "storagegateway:ListLocalDisks",
    "storagegateway:DescribeVTLDevices",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none

Amazon MQ
  Read-level actions:
    "mq:DescribeBroker",
    "mq:DescribeConfiguration",
    "mq:DescribeConfigurationRevision",
    "mq:DescribeUser",
    "mq:ListTags",
    "mq:ListBrokers",
    "mq:DescribeBrokerEngineTypes",
    "cloudwatch:ListMetrics",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions:
    "mq:RebootBroker"

Transit Gateway
  Read-level actions:
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayPeeringAttachments",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeAddresses",
    "ec2:SearchTransitGatewayRoutes",
    "ec2:SearchTransitGatewayMulticastGroups"
  Partial write-level actions: none

Data Migration Service (DMS)
  Read-level actions:
    "dms:DescribeAccountAttributes",
    "dms:DescribeReplicationInstances",
    "dms:DescribeReplicationTasks",
    "dms:DescribeTableStatistics",
    "dms:DescribeCertificates",
    "dms:DescribeConnections",
    "dms:DescribeEndpoints",
    "dms:ListTagsForResource",
    "dms:DescribeEvents",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions:
    "dms:StartReplicationTask",
    "dms:StopReplicationTask"

Amazon FSx
  Read-level actions:
    "fsx:ListTagsForResource",
    "fsx:DescribeBackups",
    "fsx:DescribeDataRepositoryTasks",
    "fsx:DescribeFileSystems",
    "fsx:DescribeVolumes",
    "fsx:DescribeStorageVirtualMachines"
  Partial write-level actions:
    "fsx:CreateDataRepositoryTask",
    "fsx:CreateBackup"

GuardDuty
  Read-level actions:
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "guardduty:GetFindings"
  Partial write-level actions: none
Lambda@Edge
  Read-level actions:
    "lambda:GetAccountSettings",
    "lambda:GetFunctionConfiguration",
    "lambda:ListTags",
    "cloudfront:ListPublicKeys",
    "cloudfront:ListDistributions"
  Partial write-level actions:
    "lambda:InvokeFunction"

DocumentDB
  Read-level actions:
    "rds:DescribeDBClusters",
    "rds:DescribeDBInstances",
    "rds:ListTagsForResource",
    "rds:DescribeCertificates",
    "rds:DescribeEvents",
    "rds:DescribeGlobalClusters",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none

Amazon SFTP (AWS Transfer Family)
  Read-level actions:
    "transfer:DescribeUser",
    "transfer:DescribeServer",
    "transfer:ListUsers",
    "transfer:ListServers",
    "transfer:ListTagsForResource",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions:
    "transfer:StartServer",
    "transfer:StopServer"

AWS Systems Manager
  Read-level actions:
    "ssm:ListCommands",
    "ssm:DescribeInstanceInformation",
    "ssm:ListCommandInvocations"
  Partial write-level actions: none

Service Quotas
  Read-level actions:
    "servicequotas:GetRequestedServiceQuotaChange",
    "servicequotas:ListRequestedServiceQuotaChangeHistory",
    "servicequotas:ListServiceQuotas"
  Partial write-level actions:
    "servicequotas:RequestServiceQuotaIncrease"

Amazon AppStream 2.0
  Read-level actions:
    "appstream:DescribeFleets",
    "appstream:ListAssociatedStacks",
    "appstream:DescribeImages",
    "appstream:DescribeUserStackAssociations",
    "appstream:DescribeUsers",
    "appstream:DescribeSessions",
    "appstream:DescribeApplicationFleetAssociations",
    "appstream:DescribeApplications",
    "appstream:ListTagsForResource"
  Partial write-level actions:
    "appstream:StopFleet",
    "appstream:StartFleet"

AWS AppSync
  Read-level actions:
    "appsync:GetGraphqlApi",
    "appsync:GetApiCache",
    "appsync:GetSchemaCreationStatus",
    "appsync:ListTagsForResource",
    "appsync:ListDataSources",
    "appsync:ListTypes",
    "appsync:ListResolvers",
    "appsync:GetFunction",
    "appsync:ListGraphqlApis",
    "appsync:GetType",
    "appsync:ListApiKeys",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none
AWS Health
  Read-level actions:
    "health:DescribeAffectedEntities",
    "health:DescribeEventAggregates",
    "health:DescribeEventDetails",
    "health:DescribeEvents"
  Partial write-level actions: none

AWS Backup
  Read-level actions:
    "backup:ListCopyJobs",
    "backup:ListTags",
    "backup:ListBackupJobs",
    "backup:ListProtectedResources",
    "backup:DescribeGlobalSettings",
    "backup-gateway:ListHypervisors",
    "backup:DescribeRegionSettings",
    "backup:ListRestoreJobs",
    "backup:ListBackupVaults",
    "backup:DescribeBackupVault",
    "backup:ListBackupPlans",
    "backup-gateway:ListGateways",
    "backup-gateway:ListVirtualMachines",
    "backup:ListRecoveryPointsByBackupVault",
    "backup:GetBackupPlan",
    "backup:ListBackupSelections"
  Partial write-level actions: none

Amazon EBS volume
  Read-level actions:
    "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots"
  Partial write-level actions: none

AWS Batch
  Read-level actions:
    "batch:DescribeJobDefinitions",
    "batch:DescribeJobQueues",
    "batch:DescribeJobs",
    "batch:ListJobs"
  Partial write-level actions:
    "batch:TerminateJob",
    "batch:CancelJob"

Amazon EBS snapshot
  Read-level actions:
    "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots"
  Partial write-level actions: none

AWS Secrets Manager
  Read-level actions:
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecrets",
    "secretsmanager:GetResourcePolicy"
  Partial write-level actions:
    "secretsmanager:RotateSecret"

AWS Elastic IP
  Read-level actions:
    "ec2:DescribeAddresses"
  Partial write-level actions: none

AWS Trusted Advisor
  Read-level actions:
    "support:DescribeTrustedAdvisorCheckResult",
    "support:DescribeTrustedAdvisorCheckSummaries",
    "support:DescribeTrustedAdvisorChecks"
  Partial write-level actions:
    "support:RefreshTrustedAdvisorCheck"

Amazon VPC
  Read-level actions:
    "ec2:Describe*",
    "logs:Start*",
    "logs:Get*",
    "logs:Describe*"
  If you query the flow logs in S3 through Athena, you also need to add:
    "athena:Start*",
    "athena:Get*",
    "athena:List*",
    "athena:Create*",
    "athena:Update*"
  Partial write-level actions: none
Amazon RDS Proxy
  Read-level actions:
    "rds:DescribeDBProxies",
    "rds:DescribeDBProxyEndpoints",
    "rds:DescribeDBProxyTargetGroups",
    "rds:DescribeDBProxyTargets"
  Partial write-level actions: none

Amazon MSK
  Read-level actions:
    "kafka:ListClustersV2",
    "kafka:DescribeClusterV2",
    "kafka:ListNodes",
    "kafka:ListReplicators",
    "kafka:DescribeReplicator",
    "kafkaconnect:ListConnectors",
    "kafkaconnect:DescribeConnector",
    "kafkaconnect:DescribeCustomPlugin",
    "kafkaconnect:DescribeWorkerConfiguration"
  Partial write-level actions: none

AWS Glue
  Read-level actions:
    "glue:ListJobs",
    "glue:ListCrawlers",
    "glue:GetTriggers",
    "glue:GetJobRuns",
    "glue:ListCrawls",
    "glue:GetJobRun",
    "glue:GetCrawler",
    "glue:GetJob",
    "glue:GetTags",
    "glue:GetClassifier",
    "glue:GetConnection",
    "glue:GetCrawlerMetrics",
    "glue:GetCrawlers",
    "glue:GetJobs",
    "glue:GetClassifiers"
  Partial write-level actions:
    "glue:StartJobRun",
    "glue:StartCrawler"

RabbitMQ (Amazon MQ)
  Read-level actions:
    "mq:DescribeBroker",
    "mq:DescribeConfiguration",
    "mq:DescribeConfigurationRevision",
    "mq:DescribeUser",
    "mq:ListTags",
    "mq:ListBrokers",
    "mq:DescribeBrokerEngineTypes",
    "cloudwatch:ListMetrics",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none

AWS Elastic Disaster Recovery (DRS)
  Read-level actions:
    "drs:DescribeSourceServers",
    "drs:ListStagingAccounts",
    "drs:ListTagsForResource",
    "drs:GetReplicationConfiguration",
    "drs:GetLaunchConfiguration",
    "drs:DescribeRecoveryInstances"
  Partial write-level actions: none

Amazon Cognito
  Read-level actions:
    "cognito-idp:ListIdentityProviders",
    "cognito-idp:ListTagsForResource",
    "cognito-idp:ListUserPools",
    "cognito-idp:ListUserPoolClients",
    "cognito-idp:ListUsers",
    "cognito-idp:DescribeUserPool",
    "cognito-idp:DescribeUserPoolClient",
    "cognito-idp:DescribeIdentityProvider",
    "cognito-identity:DescribeIdentityPool",
    "cognito-identity:ListIdentityPools",
    "cognito-identity:ListIdentities",
    "cognito-identity:GetIdentityPoolRoles",
    "cognito-identity:ListTagsForResource",
    "cognito-identity:DescribeIdentity"
  Partial write-level actions: none

AWS Organizations
  Read-level actions:
    "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:DescribeOrganizationalUnit",
    "organizations:ListAccountsForParent",
    "organizations:ListTagsForResource",
    "organizations:ListDelegatedAdministrators"
  Partial write-level actions: none

Amazon CloudWatch Logs (log group monitor)
  Read-level actions:
    "logs:GetDataProtectionPolicy",
    "logs:DescribeLogGroups",
    "logs:ListLogAnomalyDetectors",
    "logs:DescribeLogStreams",
    "logs:DescribeSubscriptionFilters",
    "logs:GetLogEvents",
    "logs:DescribeAccountPolicies",
    "logs:DescribeMetricFilters",
    "logs:DescribeFieldIndexes",
    "logs:ListTagsForResource"
  Partial write-level actions: none

AWS PrivateLink
  Read-level actions:
    "ec2:Describe*",
    "logs:Start*",
    "logs:Get*",
    "logs:Describe*"
  Partial write-level actions: none

Amazon ElastiCache Valkey
  Read-level actions:
    "elasticache:DescribeServerlessCaches",
    "elasticache:DescribeCacheSubnetGroups",
    "elasticache:ListTagsForResource",
    "elasticache:DescribeCacheClusters",
    "elasticache:DescribeReplicationGroups",
    "elasticache:DescribeServerlessCacheSnapshots",
    "elasticache:DescribeSnapshots",
    "elasticache:DescribeEvents",
    "elasticache:DescribeUpdateActions"
  Partial write-level actions: none

Amazon Elastic Container Registry
  Read-level actions:
    "ecr:DescribeRepositories",
    "ecr:ListTagsForResource",
    "ecr:DescribeImages",
    "ecr:DescribeRegistry",
    "ecr:DescribePullThroughCacheRules",
    "ecr:GetRepositoryPolicy",
    "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview",
    "ecr-public:DescribeRepositories",
    "ecr-public:DescribeImages",
    "ecr-public:ListTagsForResource",
    "ecr-public:GetRepositoryPolicy"
  Partial write-level actions: none

Amazon DLM
  Read-level actions:
    "dlm:GetLifecyclePolicies",
    "dlm:GetLifecyclePolicy"
  Partial write-level actions: none

Create your own custom IAM policy (visual editor)

If your organization does not allow attaching the default read-only policy, or you want finer control over the permissions you grant, you can create your own policy with the point-and-click visual editor in the IAM console.

Follow these steps to create a new policy with the visual editor:

  1. Sign in to the AWS IAM console.
  2. In the left navigation pane, choose Access management > Policies.
  3. Click Create policy.
  4. Choose the Visual editor tab.
  5. In the Select a service list, search for and choose CloudWatch.
  6. Under Access level, expand Read and select the read actions listed for that service in the table above.
  7. Configure the Resources and Request conditions sections as your requirements dictate.
  8. Click + Add more permissions and repeat the process for each other supported service you need. When you are done, click Next.
  9. On the Review and create page, enter a Policy name and Description.
  10. Click Create policy.

Site24x7 custom policy for read-only actions (JSON)

You can also use our custom policy document to grant access to your AWS resources. Paste the policy JSON below into the JSON editor, review it, fill in an appropriate name and description, and click Create policy.

Once the policy exists, attach it to the Site24x7 IAM user or role.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"Statement1",
         "Effect":"Allow",
         "Action":[
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "dynamodb:Describe*",
            "dynamodb:List*",
            "ec2:Describe*",
            "sqs:Get*",
            "sqs:List*",
            "autoscaling:Describe*",
            "elasticloadbalancing:Describe*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "s3:Get*",
            "s3:List*",
            "rds:Describe*",
            "rds:List*",
            "kinesisanalytics:Describe*",
            "kinesisanalytics:Get*",
            "kinesisanalytics:List*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "kinesisvideo:Get*",
            "kinesisvideo:List*",
            "kinesisvideo:Describe*",
            "firehose:Describe*",
            "firehose:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "directconnect:Describe*",
            "apigateway:GET",
            "ecs:DescribeServices",
            "ecs:DescribeContainerInstances",
            "ecs:DescribeClusters",
            "redshift:Describe*",
            "elasticfilesystem:Describe*",
            "ses:Get*",
            "ses:List*",
            "ses:Describe*",
            "lambda:List*",
            "lambda:Get*",
            "logs:Describe*",
            "logs:Get*",
            "route53domains:Get*",
            "route53domains:List*",
            "route53:Get*",
            "route53:List*",
            "route53resolver:Get*",
            "route53resolver:List*",
            "states:List*",
            "states:Describe*",
            "states:GetExecutionHistory",
            "sns:Get*",
            "sns:List*",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "waf:Get*",
            "waf:List*",
            "waf-regional:List*",
            "waf-regional:Get*",
            "cloudsearch:Describe*",
            "cloudsearch:List*",
            "es:Describe*",
            "es:List*",
            "es:Get*",
            "workspaces:Describe*",
            "ds:Describe*",
            "elasticmapreduce:List*",
            "elasticmapreduce:Describe*",
            "acm:GetCertificate",
            "acm:Describe*",
            "acm:List*",
            "lightsail:Get*",
            "eks:Describe*",
            "eks:List*",
            "mq:Describe*",
            "mq:List*",
            "ec2:Get*",
            "ec2:SearchTransitGatewayRoutes",
            "ec2:SearchTransitGatewayMulticastGroups",
            "storagegateway:List*",
            "storagegateway:Describe*",
            "guardduty:GetFindings",
            "guardduty:ListDetectors",
            "guardduty:ListFindings",
            "dms:Describe*",
            "dms:List*",
            "dms:TestConnection",
            "fsx:Describe*",
            "fsx:ListTagsForResource",
            "inspector:List*",
            "inspector:Describe*",
            "transfer:Describe*",
            "transfer:List*",
            "ssm:ListCommands",
            "ssm:DescribeInstanceInformation",
            "ssm:ListCommandInvocations",
            "glue:List*",
            "glue:Get*",
            "appstream:Describe*",
            "appstream:List*",
            "appsync:List*",
            "appsync:Get*",
            "health:Describe*",
            "batch:Describe*",
            "batch:List*",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecrets",
            "secretsmanager:GetResourcePolicy",
            "support:DescribeTrustedAdvisorCheckResult",
            "support:DescribeTrustedAdvisorCheckSummaries",
            "support:DescribeTrustedAdvisorChecks",
            "kafka:ListClustersV2",
            "kafka:Describe*",
            "kafka:ListNodes",
            "kafka:ListReplicators",
            "kafkaconnect:List*",
            "kafkaconnect:DescribeConnector",
            "kafkaconnect:DescribeCustomPlugin",
            "kafkaconnect:DescribeWorkerConfiguration",
            "drs:Describe*",
            "drs:List*",
            "drs:Get*",
            "cognito-idp:List*",
            "cognito-idp:Describe*",
            "cognito-identity:List*",
            "cognito-identity:Describe*",
            "cognito-identity:GetIdentityPoolRoles",
            "logs:Start*",
            "organizations:List*",
            "organizations:Describe*",
            "logs:List*",
            "elasticache:DescribeServerlessCaches",
            "elasticache:DescribeCacheSubnetGroups",
            "elasticache:ListTagsForResource",
            "elasticache:DescribeCacheClusters",
            "elasticache:DescribeReplicationGroups",
            "elasticache:DescribeServerlessCacheSnapshots",
            "elasticache:DescribeSnapshots",
            "elasticache:DescribeEvents",
            "elasticache:DescribeUpdateActions",
            "logs:GetDataProtectionPolicy",
            "logs:DescribeLogGroups",
            "logs:ListLogAnomalyDetectors",
            "logs:DescribeLogStreams",
            "logs:DescribeSubscriptionFilters",
            "logs:GetLogEvents",
            "logs:DescribeAccountPolicies",
            "logs:DescribeMetricFilters",
            "logs:DescribeFieldIndexes",
            "logs:ListTagsForResource",
            "dlm:GetLifecyclePolicies",
            "dlm:GetLifecyclePolicy",
            "ecr:DescribeRepositories",
            "ecr:ListTagsForResource",
            "ecr:DescribeImages",
            "ecr:DescribeRegistry",
            "ecr:DescribePullThroughCacheRules",
            "ecr:GetRepositoryPolicy",
            "ecr:GetLifecyclePolicy",
            "ecr:GetLifecyclePolicyPreview",
            "ecr-public:DescribeRepositories",
            "ecr-public:DescribeImages",
            "ecr-public:ListTagsForResource",
            "ecr-public:GetRepositoryPolicy",
            "athena:Start*",
            "athena:Get*",
            "athena:List*",
            "athena:Create*",
            "athena:Update*"
         ],
         "Resource":[
            "*"
         ]
      }
   ]
}

This policy was last updated on March 3, 2026.

Note

This policy is created and maintained by the Site24x7 team and grants read-level access to every AWS service supported for monitoring. It changes as new AWS integrations are added, so make sure you are using the latest version. Two things are worth checking before you attach it. First, "read-level" here includes data reads such as s3:GetObject (via s3:Get*) and logs:GetLogEvents, and the document also carries a few patterns whose verbs go beyond Describe/Get/List (logs:Start*, dms:TestConnection, and the athena:Start*/Create*/Update* entries needed for Athena log queries); review these against the IAM service authorization reference and remove any you do not want to delegate. Second, compare the policy against the per-service table: some table entries, for example the inspector2, backup, backup-gateway and servicequotas actions, are not matched by any pattern above and must be added if you monitor those services.

Site24x7 custom policy for partial write-level actions (JSON)

Use the JSON below to create a new custom IAM policy that lets Site24x7 carry out actions in response to alert events.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "sns:Publish",
                "ec2:StartInstances",
                "kinesisanalytics:StopApplication",
                "kinesisanalytics:StartApplication",
                "kinesis:PutRecord",
                "rds:RebootDBInstance",
                "elasticache:RebootCacheCluster",
                "lambda:InvokeFunction",
                "redshift:RebootCluster",
                "ses:SendEmail",
                "apigateway:POST",
                "elasticbeanstalk:RestartAppServer",
                "sqs:SendMessage",
                "rds:StopDBInstance",
                "ec2:StopInstances",
                "rds:StartDBInstance",
                "states:StartExecution",
                "elasticmapreduce:addJobFlowSteps",
                "workspaces:StartWorkspaces",
                "workspaces:RebootWorkspaces",
                "workspaces:RebuildWorkspaces",
                "workspaces:StopWorkspaces",
                "lightsail:StartRelationalDatabase",
                "lightsail:StopRelationalDatabase",
                "lightsail:RebootRelationalDatabase",
                "lightsail:StartInstance",
                "lightsail:StopInstance",
                "lightsail:RebootInstance",
                "mq:RebootBroker",
                "dms:StartReplicationTask",
                "dms:StopReplicationTask",
                "fsx:CreateDataRepositoryTask",
                "fsx:CreateBackup",
                "transfer:StartServer",
                "transfer:StopServer",
                "servicequotas:RequestServiceQuotaIncrease",
                "appstream:StopFleet",
                "appstream:StartFleet",
                "batch:TerminateJob",
                "batch:CancelJob",
                "secretsmanager:RotateSecret",
                "support:RefreshTrustedAdvisorCheck",
                "glue:StartJobRun",
                "glue:StartCrawler"
            ],
            "Resource": "*"
        }
    ]
}

This policy was last updated on August 12, 2025.

The policy JSON above contains partial write-level permissions. They are used for automation actions such as stopping, starting and rebooting EC2 and RDS instances, rebooting ElastiCache clusters, invoking Lambda functions, starting and stopping analytics applications, publishing messages to SNS topics and SQS queues, and more. If you do not want Site24x7 to perform some of these actions, edit the JSON and delete the corresponding permissions. Note also that the statement uses "Resource": "*"; where practical, narrow it to the ARNs of the specific instances, functions, topics and queues Site24x7 should be allowed to act on, so that a leaked integration credential cannot stop, reboot or invoke anything else in the account.
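The two policy documents above are the natural input for a quick automated sanity check before they are attached. The Python below is an added example written for this page; it is not Site24x7 tooling and makes no AWS calls. It works on constructed excerpts of the two policies (a subset of the real action lists, labelled as such in the code) plus a handful of actions taken from the per-service table, and does three things: it flags every allowed action whose verb is not Describe/Get/List/Search (a verb-based heuristic for IAM's Read and List access levels, so flagged entries such as logs:Start*, needed for Logs Insights queries, should be confirmed against the IAM service authorization reference rather than removed blindly); it flags statements that pair such an action with "Resource": "*"; and it reports table actions that no pattern in the policy matches, using the case-insensitive wildcard matching IAM applies to the Action element. The READ_VERBS list and the excerpt contents are assumptions of the example.

```python
import fnmatch
import json

# Verbs treated as non-mutating for this audit (an approximation of the
# Read/List access levels in IAM's service authorization references).
# Anything else (Start, Stop, Reboot, Put, Send, Invoke, Create, Update,
# Test, Rotate, ...) is reported as write-level. "get" also covers
# API Gateway, whose actions are HTTP verbs ("apigateway:GET").
READ_VERBS = ("describe", "get", "list", "search", "lookup")


def action_matches(pattern: str, action: str) -> bool:
    """IAM Action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy: dict) -> list:
    """Flatten the Action element of every Allow statement, preserving order."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        out.extend([actions] if isinstance(actions, str) else actions)
    return out


def non_read_actions(policy: dict) -> list:
    """Allowed actions whose verb is not one of READ_VERBS ('*' counts too)."""
    flagged = []
    for action in allowed_actions(policy):
        _, _, verb = action.partition(":")
        if not verb.lower().startswith(READ_VERBS):
            flagged.append(action)
    return flagged


def unscoped_write_statements(policy: dict) -> list:
    """Indexes of Allow statements that pair a write-level action with Resource '*'.

    These are the statements to tighten first: give them explicit ARNs (or,
    for services that support it, a resource-tag condition) before attaching.
    """
    hits = []
    for idx, stmt in enumerate(policy["Statement"]):
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") != "Allow" or "*" not in resources:
            continue
        if non_read_actions({"Statement": [stmt]}):
            hits.append(idx)
    return hits


def uncovered_actions(required: list, policy: dict) -> list:
    """Required actions (from the per-service table) that no policy pattern matches."""
    patterns = allowed_actions(policy)
    return [a for a in required
            if not any(action_matches(p, a) for p in patterns)]


# Constructed excerpt of the page's read-only policy: a subset of its
# patterns, enough to show the audit at work, not the full document.
READ_ONLY_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Action": [
      "cloudwatch:Get*", "ec2:Describe*", "apigateway:GET",
      "ec2:SearchTransitGatewayRoutes", "inspector:List*",
      "dms:Describe*", "dms:TestConnection", "logs:Describe*",
      "logs:Get*", "logs:Start*", "kinesisvideo:Describe*",
      "athena:Start*", "athena:Get*", "athena:List*",
      "athena:Create*", "athena:Update*"
    ],
    "Resource": ["*"]
  }]
}""")

# Constructed excerpt of the page's write-level policy.
WRITE_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:RebootInstances", "ec2:StopInstances",
               "lambda:InvokeFunction", "sns:Publish"],
    "Resource": "*"
  }]
}""")

# A handful of actions the per-service table above requires.
REQUIRED_FROM_TABLE = [
    "cloudwatch:GetMetricData", "ec2:DescribeVpcEndpoints",
    "kinesisvideo:DescribeStream", "inspector2:ListFindings",
    "backup:ListBackupJobs", "servicequotas:ListServiceQuotas",
]


if __name__ == "__main__":
    print("non-read verbs in the read-only policy:", non_read_actions(READ_ONLY_EXCERPT))
    print("statements with write actions on Resource '*':",
          unscoped_write_statements(WRITE_EXCERPT))
    print("table actions the read-only policy does not cover:",
          uncovered_actions(REQUIRED_FROM_TABLE, READ_ONLY_EXCERPT))
```

Run against the full documents, the first check is what tells you that "inspector:List*" does not cover "inspector2:ListFindings" (the prefix is a different service), and the third check reports every table action your trimmed policy has lost, so you can trim with confidence rather than by eye.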
