AWS Configuration

CloudMonitor for AWS requires access to the CloudWatch data in your AWS account. At minimum, you need to provide our app with AWS API credentials that can read CloudWatch alerts. For your security, we suggest limiting the credentials given to our application to this functionality. For convenience, we also ask you to consider granting access to retrieve the account name for those credentials, so that we can match the account name in the console to the account name you see in-app without you having to edit it manually.

To make this work, create an IAM user account. When you create the account, gather and save the AWS access keys created for it. Once the account is created, follow the rule of least privilege and assign it a policy with the minimum necessary rights.

Once this is completed, enter the AWS access keys you created in the setup screen of our app to enable the app to work.

Below is a sample IAM policy detailing the permissions needed:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1542303774000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1542303906000",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1542304020000",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Or, right-click and download this policy as a JSON file via this link.
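
One way to check, before attaching a policy to the IAM user, that it grants nothing beyond the actions in the sample policy above. This is an added example, not code from CloudMonitor; the function names and the SAMPLE policy are constructed for illustration, and the check conservatively treats any wildcard action as over-granting.

```python
import json

# Actions granted by the sample policy on this page (IAM action names are
# case-insensitive, so they are compared in lower case).
ALLOWED = {a.lower() for a in (
    "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms",
    "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
    "iam:ListAccountAliases", "sts:GetCallerIdentity",
)}


def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def excess_grants(policy_json):
    """Return (Sid, action) pairs for Allow statements that exceed ALLOWED."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "NotAction"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            # A wildcard can match actions outside the list, so flag it too.
            if "*" in action or "?" in action or action.lower() not in ALLOWED:
                findings.append((sid, action))
    return findings


# Constructed sample: a policy that has drifted beyond the page's permissions.
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAlarms", "Effect": "Allow",
         "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:Put*"],
         "Resource": "*"},
        {"Sid": "Identity", "Effect": "Allow",
         "Action": "sts:getcalleridentity", "Resource": "*"},
        {"Sid": "Users", "Effect": "Allow",
         "Action": "iam:ListUsers", "Resource": "*"},
    ],
})
```

An empty result from excess_grants means the policy stays within the permissions listed on this page.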