R12.1-2025Jul03
Creating AWS Access Policy and Role for Monitored Accounts
Follow the steps below to create the AWS access policy and role for monitored accounts.
- Go to Policies in Identity and Access Management (IAM).
- Create a new resource access policy that grants read-only access to the services to be monitored. The following is a sample policy JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "autoscaling-plans:Describe*",
                "autoscaling-plans:GetScalingPlanResourceForecastData",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "directconnect:Describe*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:SearchTransitGatewayRoutes",
                "network-firewall:DescribeFirewall",
                "network-firewall:DescribeFirewallPolicy",
                "network-firewall:DescribeRuleGroup",
                "network-firewall:ListFirewallPolicies",
                "network-firewall:ListFirewalls",
                "network-firewall:ListRuleGroups",
                "network-firewall:ListTagsForResource",
                "elasticloadbalancing:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Once the policy is created, you need to attach this policy to the role.
Follow the steps below to configure the role (NetBrainAccessRole):
- Go to Roles in Identity and Access Management (IAM).
- Create a new role, selecting Custom trust policy as the trusted entity type. Add a trust policy that allows the user from the gateway account to assume this role.
The following is a sample of the trust relationship JSON. Replace the placeholders for the gateway account ID, the user name, and the External ID with the values specific to your configuration.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<12-digit gateway account number>:user/<user name created in gateway account>"
                ]
            },
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<External ID generated from tenant>"
                }
            }
        }
    ]
}
- Attach the policy (created previously) to the role.
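As an added pre-deployment check (example code written for this page, not part of the NetBrain documentation or its tooling), the script below lints both documents before they are applied: it flags any allowed action in the permissions policy that is not a Describe*/Get*/List*/Search* read, and flags a trust policy that trusts a principal outside the gateway account or still carries a missing or placeholder sts:ExternalId (the condition that stops a third party from assuming the role through the gateway). The account number, user name and the extra write action in the samples are constructed assumptions, as are the function names.

```python
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Search")


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return [value] if isinstance(value, str) else list(value or [])


def non_read_only_actions(policy: dict) -> list:
    """Return allowed actions that are not Describe*/Get*/List*/Search*,
    i.e. anything beyond what a monitoring-only policy should grant."""
    bad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                bad.append(action)
    return bad


def trust_policy_issues(trust: dict, gateway_account: str) -> list:
    """Flag AssumeRole statements that trust a principal outside the gateway
    account or lack a real sts:ExternalId condition."""
    issues = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        for p in _as_list(principal if isinstance(principal, str) else principal.get("AWS")):
            if p == "*" or f":{gateway_account}:" not in p:
                issues.append(f"unexpected principal {p}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id.startswith("<"):
            issues.append("missing or placeholder sts:ExternalId")
    return issues


# Constructed samples (not from the page): the read-only policy with one
# hypothetical write action slipped in, and the trust policy with the
# External ID placeholder left unfilled.
PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Resource": "*", "Action": ["ec2:Describe*", "cloudwatch:Get*",
  "ec2:SearchTransitGatewayRoutes", "ec2:TerminateInstances"]}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Principal": {"AWS": ["arn:aws:iam::111111111111:user/netbrain-gateway"]},
  "Condition": {"StringEquals": {"sts:ExternalId": "<External ID generated from tenant>"}}}]}""")

if __name__ == "__main__":
    print(non_read_only_actions(PERMISSIONS_POLICY))          # ['ec2:TerminateInstances']
    print(trust_policy_issues(TRUST_POLICY, "111111111111"))  # ['missing or placeholder sts:ExternalId']
```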