Amazon RDS and Aurora: IAM Policy
The pganalyze collector requires an appropriate IAM policy and role to collect the following data from Amazon RDS or Aurora instances using the AWS API.
Action | Purpose |
---|---|
cloudwatch:GetMetricStatistics, logs:GetLogEvents | For system metrics data shown on the System page in pganalyze, such as I/O utilization. When Enhanced Monitoring is turned on, logs:GetLogEvents is used to obtain CPU, memory, storage and network information through the RDSOSMetrics log group. |
rds:DownloadDBLogFilePortion, rds:DescribeDBLogFiles | Allows the collector to download RDS log files, which are used for Log Insights and the features based on it, such as Automated EXPLAIN. |
rds:DescribeDBParameters | For config parameter data shown on the Config Settings page in pganalyze. Knowing the current database config parameters helps pganalyze generate better insights and recommendations. |
rds:DescribeDBInstances, rds:DescribeDBClusters | For RDS or Aurora metadata to discover general instance information. |
Below is a typical IAM policy for the collector. Adjust the actions and/or resources as necessary to tailor the permissions to your needs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:GetMetricStatistics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
    },
    {
      "Action": [
        "rds:DescribeDBParameters"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:*:*:pg:*"
    },
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DownloadDBLogFilePortion",
        "rds:DescribeDBLogFiles"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:*:*:db:*"
    },
    {
      "Action": [
        "rds:DescribeDBClusters"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:*:*:cluster:*"
    }
  ]
}
```
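When tailoring the policy above, a small audit helps confirm that the result still grants only the actions in the table and shows which resources are still wildcarded across regions and accounts. The script below is an added example, not part of pganalyze or its collector; the function names, the sample policy, the account ID `123456789012` and the region `us-east-1` are constructed placeholders, and it only inspects `Allow` statements that use `Action` and `Resource` (no `NotAction`, `Deny` or `Condition` evaluation).

```python
import json

# Actions from the table on this page, keyed by lowercase name
# (IAM action names are case-insensitive).
EXPECTED = {a.lower(): a for a in (
    "cloudwatch:GetMetricStatistics", "logs:GetLogEvents",
    "rds:DownloadDBLogFilePortion", "rds:DescribeDBLogFiles",
    "rds:DescribeDBParameters", "rds:DescribeDBInstances",
    "rds:DescribeDBClusters")}
# GetMetricStatistics has no resource-level permissions, so "*" is expected there.
RESOURCE_STAR_OK = {"cloudwatch:getmetricstatistics"}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(policy):
    """Report actions beyond the table, table actions not granted, and
    (action, resource) pairs whose ARN wildcards the region or account."""
    unexpected, broad, granted = set(), set(), set()
    for statement in as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        for action in as_list(statement.get("Action", [])):
            key = action.lower()
            if key not in EXPECTED:
                unexpected.add(action)  # also catches wildcards such as "rds:*"
                continue
            granted.add(key)
            for res in as_list(statement.get("Resource", [])):
                parts = res.split(":", 5)  # arn:partition:service:region:account:resource
                wide = res == "*" or (len(parts) == 6 and any("*" in p for p in parts[3:5]))
                if wide and key not in RESOURCE_STAR_OK:
                    broad.add((action, res))
    return {"unexpected": sorted(unexpected),
            "missing": sorted(EXPECTED[k] for k in EXPECTED.keys() - granted),
            "broad": sorted(broad)}

def allow(actions, resource):
    """Build one Allow statement (helper for the constructed sample)."""
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# Constructed sample: "rds:*" is included to show how an over-broad grant is reported.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    allow(["cloudwatch:GetMetricStatistics"], "*"),
    allow(["logs:GetLogEvents"], "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"),
    allow(["rds:DescribeDBInstances", "rds:*"], "arn:aws:rds:us-east-1:123456789012:db:*"),
]}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE), indent=2))
```

Run against the typical policy from this page, the audit reports no unexpected or missing actions and lists every `logs` and `rds` resource as a candidate for narrowing to a specific region and account.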