IAM policy for a user to access Enhanced Monitoring for RDS.

0

I am trying to create an IAM user that will have least privileges to be able to view Enhanced Monitoring for a particular RDS database. I have created a ROLE (Enhanced Monitoring) and attached a managed policy to it: 'AmazonRDSEnhancedMonitoringRole'. This role is passed to the RDS database using the PassRole permission. The policy that I am attaching to this IAM user is as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "rds:*",
                "cloudwatch:GetMetricData",
                "iam:ListRoles",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DeleteAnomalyDetector",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAnomalyDetectors",
                "cloudwatch:ListMetricStreams",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:ListDashboards",
                "ec2:*",
                "cloudwatch:PutAnomalyDetector",
                "cloudwatch:GetMetricWidgetImage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "cloudwatch:*"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:accountnumber:insight-rule/*",
                "arn:aws:iam::accountnumber:role/Enhanced-Monitoring",
                "arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
            ]
        }
    ]
}

As you can see, I have given almost every permission to this user, but I am still getting a 'Not Authorized' error on the IAM user's RDS dashboard for Enhanced Monitoring, although CloudWatch logs are displaying normally.

I am following this guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) for enhanced monitoring of RDS. Refer to example 2 on this page.

1 Answer
0

Hello there,

I understand that you are trying to create an IAM user that will have least privileges to be able to view Enhanced Monitoring for a particular RDS database, but you are getting a 'Not Authorized' error on the IAM user's RDS dashboard although CloudWatch logs are displaying normally.

The general approach to this problem would be to turn on the "Enhanced Monitoring" option for your Amazon RDS DB instance and set a granularity; Enhanced Monitoring will then collect vital operating system metrics and process information at the defined granularity.

To set up and enable Enhanced Monitoring, see reference [1].

You can also consider protecting against the confused deputy problem; see the "Protecting against the confused deputy problem" section of reference [1]. Make sure that you have the necessary permissions to pass the role to the service.

To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.

References: 

[1] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.Enabling.html

answered 2 years ago
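A quick offline way to audit the policy posted in the question. This is an added example, not code from the question, the answer or AWS: a deliberately simplified evaluator that handles only Allow statements with IAM `*`/`?` wildcards and ignores Deny, NotAction, Condition and any other policies attached to the principal. It confirms that `iam:PassRole` is scoped to the Enhanced-Monitoring role ARN, and flags the `rds:*` and `ec2:*` grants on `Resource: "*"` that work against the stated least-privilege goal.

```python
import re

# The policy from the question, re-keyed as a Python dict; the "accountnumber"
# and "dbidentifier" placeholders are kept exactly as posted.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:PutMetricData", "rds:*", "cloudwatch:GetMetricData",
                    "iam:ListRoles", "cloudwatch:GetMetricStatistics",
                    "cloudwatch:DeleteAnomalyDetector", "cloudwatch:ListMetrics",
                    "cloudwatch:DescribeAnomalyDetectors", "cloudwatch:ListMetricStreams",
                    "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:ListDashboards",
                    "ec2:*", "cloudwatch:PutAnomalyDetector", "cloudwatch:GetMetricWidgetImage"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:PassRole", "cloudwatch:*"],
         "Resource": ["arn:aws:cloudwatch:*:accountnumber:insight-rule/*",
                      "arn:aws:iam::accountnumber:role/Enhanced-Monitoring",
                      "arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"]},
    ],
}

def _iam_match(pattern, value, fold_case):
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource ARN."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(_iam_match(a, action, True) for a in _as_list(st.get("Action", []))) and \
           any(_iam_match(r, resource, False) for r in _as_list(st.get("Resource", []))):
            return True
    return False

def wildcard_grants(policy):
    """(Sid, action) pairs where a whole service ('svc:*') is allowed on Resource '*'."""
    flags = []
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", [])):
            flags += [(st.get("Sid"), a) for a in _as_list(st["Action"]) if a.endswith(":*")]
    return flags

if __name__ == "__main__":
    role = "arn:aws:iam::accountnumber:role/Enhanced-Monitoring"
    print("PassRole on the monitoring role:", allowed(POLICY, "iam:PassRole", role))
    print("Service-wide grants on '*':", wildcard_grants(POLICY))
```

Running `allowed()` for any `logs:` action also returns False for this policy, since it grants none; Enhanced Monitoring metrics are delivered to CloudWatch Logs, so that gap is worth checking against reference [1] before widening anything else.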
