Setting User Permissions in AWS Account

To install the AWS Connector you need an AWS account; for more information, see the AWS documentation. You can either use your main account with the AWS CloudWatch Connector, or create a new user from your main AWS account and give that user the privileges to deploy and work with the AWS CloudWatch Connector.

To set user permissions:

  1. Create the CloudFormationBasicExecution policy:

    1. From the AWS Dashboard, select AWS Cloudwatch Connector.
    2. Select Policies.
    3. Select Create Policy.
    4. Go to the JSON tab. In the JSON editor, paste the following JSON document:

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
               "cloudformation:DescribeStacks",
               "cloudformation:UpdateStack",
               "cloudformation:CreateStack",
               "cloudformation:DeleteStack",
               "cloudformation:DescribeStackResources"
             ],
             "Resource": [
               "arn:aws:cloudformation:*:*:stack/*/*"
             ]
           },
           {
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": [
               "cloudformation:ListStacks"
             ],
             "Resource": "*"
           }
         ]
       }

    5. Select Review Policy.
    6. Save the policy:

      1. In the Name field, enter CloudFormationBasicExecution.
      2. Select Create Policy. A message is displayed indicating that the policy was created successfully.

  2. Create the LimitedPermission policy from the AWS Dashboard:

    1. Select Policies.
    2. Select Create Policy.
    3. Go to the JSON tab. In the JSON editor, paste the following JSON document:

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
               "lambda:CreateFunction",
               "lambda:AddPermission",
               "lambda:DeleteFunction",
               "lambda:UpdateFunctionCode",
               "lambda:DeleteEventSourceMapping",
               "lambda:InvokeAsync",
               "lambda:UpdateFunctionConfiguration",
               "lambda:UpdateEventSourceMapping",
               "lambda:RemovePermission",
               "lambda:InvokeFunction",
               "lambda:CreateEventSourceMapping",
               "iam:PutRolePolicy",
               "iam:AddRoleToInstanceProfile",
               "iam:PutGroupPolicy",
               "iam:DeleteRole",
               "iam:PassRole",
               "iam:DeleteRolePolicy",
               "iam:CreatePolicy",
               "iam:AttachGroupPolicy",
               "iam:PutUserPolicy",
               "iam:DeleteGroup",
               "iam:CreateRole",
               "iam:AttachRolePolicy",
               "iam:CreateGroup",
               "iam:AttachUserPolicy",
               "iam:AddUserToGroup",
               "logs:DeleteSubscriptionFilter",
               "logs:PutSubscriptionFilter",
               "logs:DeleteLogStream",
               "logs:CreateLogStream",
               "logs:CreateLogGroup",
               "logs:DeleteLogGroup",
               "logs:PutLogEvents",
               "logs:PutRetentionPolicy",
               "kinesis:PutRecords",
               "kinesis:RemoveTagsFromStream",
               "kinesis:AddTagsToStream",
               "kinesis:CreateStream",
               "kinesis:PutRecord",
               "kinesis:DeleteStream",
               "ec2:DeleteRouteTable",
               "ec2:CreateNetworkInterfacePermission",
               "ec2:CreateRoute",
               "ec2:RevokeSecurityGroupEgress",
               "ec2:CreateTags",
               "ec2:DisassociateRouteTable",
               "ec2:CreateNetworkInterface",
               "ec2:DescribeSecurityGroups",
               "ec2:DeleteFlowLogs",
               "ec2:AssociateRouteTable",
               "ec2:CreateTrafficMirrorFilterRule",
               "ec2:DeleteNetworkInterface",
               "ec2:CreateRouteTable",
               "ec2:CreateFlowLogs",
               "ec2:CreateTrafficMirrorFilter",
               "ec2:DeleteTags",
               "ec2:DescribeNetworkInterfaces",
               "ec2:CreateSecurityGroup",
               "ec2:AuthorizeSecurityGroupEgress",
               "ec2:DetachNetworkInterface",
               "ec2:DeleteRoute",
               "ec2:DeleteSecurityGroup",
               "events:RemoveTargets",
               "events:PutRule",
               "events:DeleteRule",
               "events:PutTargets",
               "s3:DeleteObject",
               "s3:PutObject"
             ],
             "Resource": "*"
           }
         ]
       }

    4. Select Review Policy.
    5. Save the policy:

      1. In the Name field, enter LimitedPermission.
      2. Select Create Policy. A message is displayed indicating that the policy was created successfully.

  3. Create a user:

    1. On the AWS Dashboard, select IAM.
    2. Select Users.
    3. Select Add User.

  4. Specify a name for the new user.
  5. Go to Access Type and select Programmatic Access and AWS Management Console Access.
  6. Select your Console password:

    1. Select Autogenerated password, and AWS creates a random password.
    2. Select Custom password, and enter your own password.

    Users can change the password at first login. For more information, see Require Password Reset.

  7. Select Next. You are taken to Permissions.
  8. Select Attach existing policies directly.
  9. Select the checkboxes of the following policies: CloudFormationBasicExecution and LimitedPermission, created above, and the following AWS managed policies:

    1. AmazonEC2ReadOnlyAccess
    2. CloudWatchEventsReadOnlyAccess
    3. AmazonKinesisReadOnlyAccess
    4. AmazonS3ReadOnlyAccess
    5. CloudWatchLogsReadOnlyAccess
    6. IAMReadOnlyAccess
    7. AWSLambdaReadOnlyAccess

  10. Go to Tags > Review > Create User. A message is displayed indicating that the user was created successfully.
  11. Note the Access Key ID and the Secret Access Key. They are required for deployment.
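Before pasting either policy into the JSON editor it is worth checking what it grants. The following Python example is added here and is not part of the connector documentation: it parses a policy document, reports which Allow statements use Resource "*", and lists which of the iam: permission-granting actions from LimitedPermission land on that wildcard. The embedded policies are the CloudFormationBasicExecution document from this page and a constructed four-action excerpt of LimitedPermission; the action set and the report keys are the example's own.

```python
"""Review an IAM policy document before pasting it into the console.
Added example, not part of the connector documentation: reports whether
the Version is current, which Allow statements use Resource "*", and
which of those actions let the holder change other principals' rights."""
import json

# iam: actions from the LimitedPermission policy that grant or attach
# permissions. On Resource "*" they reach every role, group and user in
# the account; scope them to the connector's own ARNs where possible.
PERMISSION_GRANTING_ACTIONS = {
    "iam:PassRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:AttachUserPolicy", "iam:PutGroupPolicy",
    "iam:AttachGroupPolicy", "iam:CreatePolicy", "iam:AddUserToGroup",
}

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def review_policy(document: str) -> dict:
    """Parse the JSON (ValueError if malformed) and summarise its risk."""
    policy = json.loads(document)
    report = {"version_ok": policy.get("Version") == "2012-10-17",
              "wildcard_sids": [], "granting_on_wildcard": []}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue  # Deny statements and scoped resources are not the concern here
        report["wildcard_sids"].append(stmt.get("Sid", "<no Sid>"))
        report["granting_on_wildcard"] += sorted(
            a for a in _as_list(stmt["Action"]) if a in PERMISSION_GRANTING_ACTIONS)
    return report

# The CloudFormationBasicExecution policy from this page, verbatim.
CLOUDFORMATION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["cloudformation:DescribeStacks", "cloudformation:UpdateStack",
                "cloudformation:CreateStack", "cloudformation:DeleteStack",
                "cloudformation:DescribeStackResources"],
     "Resource": ["arn:aws:cloudformation:*:*:stack/*/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["cloudformation:ListStacks"], "Resource": "*"}]})

# Constructed excerpt of the LimitedPermission policy: four of its
# actions as listed on the page, in the same single wildcard statement.
LIMITED_PERMISSION_EXCERPT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["lambda:CreateFunction", "iam:PassRole",
                "iam:PutUserPolicy", "iam:CreateRole"]}]})
```

Running review_policy over the full LimitedPermission document pasted from this page lists all nine iam: actions in the set above, which is the part of that policy to scope down if your deployment allows it.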