When using the mon-put-instance-data.pl script for CloudWatch monitoring, your IAM role needs specific permissions to publish metrics. The minimal required permissions include:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}
For more comprehensive monitoring, consider these additional permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    }
  ]
}
Here's how to create and attach the policy to an IAM role using AWS CLI:
# Create the policy
aws iam create-policy --policy-name CloudWatchMonitoringPolicy \
--policy-document file://cloudwatch-monitoring-policy.json
# Create the role (if needed)
aws iam create-role --role-name CloudWatchMonitoringRole \
--assume-role-policy-document file://ec2-trust-policy.json
# Attach the policy to the role
aws iam attach-role-policy --role-name CloudWatchMonitoringRole \
--policy-arn arn:aws:iam::[ACCOUNT_ID]:policy/CloudWatchMonitoringPolicy
After setting up, test with the monitoring script:
./mon-put-instance-data.pl --mem-util --mem-used --mem-avail \
--disk-path=/ --disk-space-util --disk-space-used --disk-space-avail \
--aws-iam-role=CloudWatchMonitoringRole
If you encounter permission errors:
- Verify the role is attached to the EC2 instance
- Check CloudTrail logs for denied actions
- Ensure the trust policy allows EC2 to assume the role
When configuring IAM roles for the mon-put-instance-data.pl Perl script (part of AWS CloudWatch Monitoring Scripts), we need to balance security with functionality. The script primarily requires permissions to push custom metrics to CloudWatch.
Here's the essential policy document that grants just enough permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}
For production environments, consider this more restrictive policy that follows the principle of least privilege:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": [
            "System/Linux",
            "Custom/YourApp"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:DescribeInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": [
            "Production",
            "Staging"
          ]
        }
      }
    }
  ]
}
1. Create the IAM role via AWS CLI:
aws iam create-role --role-name CloudWatchMonitoringRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }'
2. Attach the policy to the role:
aws iam put-role-policy --role-name CloudWatchMonitoringRole \
  --policy-name CloudWatchPutMetricsPolicy \
  --policy-document file://cloudwatch-policy.json
After assigning the role to your EC2 instance, test with:
./mon-put-instance-data.pl --mem-util --aws-iam-role=CloudWatchMonitoringRole \
  --namespace=Custom/YourApp
Permission denied errors: Verify the instance profile is correctly associated with the EC2 instance. Check the IAM role's trust policy allows EC2 service to assume it.
Missing namespace permissions: If you specified a custom namespace in the policy, ensure your script uses the exact same namespace value.
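To catch the namespace mismatch above before the script runs on an instance, here is a small offline policy evaluator written for this page (it is not AWS code or part of the monitoring scripts): it loads the namespace-scoped policy, models Allow/Deny, Action wildcards and the StringEquals operator, and treats a condition key that is absent from the request context as a non-match, which is how IAM evaluates StringEquals. It assumes Resource is always "*", as in every policy on this page, and the sample policy embedded below is constructed from the production policy above.

```python
import fnmatch
import json

# Constructed sample: the PutMetricData statement from the namespace-scoped policy above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudwatch:PutMetricData"],
    "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": ["System/Linux", "Custom/YourApp"]}}
  }]
}""")


def _as_list(value):
    """IAM allows a single string or a list in Action and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block. Only StringEquals is modelled, which is all the
    page's policies use. A key missing from the request context makes StringEquals
    false, so the statement does not apply to that request."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator {operator} is not modelled")
        for key, allowed in clauses.items():
            if key not in context or context[key] not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement matches `action` under `context` and no
    explicit Deny matches. Action names are matched case-insensitively with
    wildcards, as IAM does; Resource is assumed to be "*" throughout."""
    decision = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def check_monitoring_role(policy, namespace):
    """What a plain mon-put-instance-data.pl run needs: PutMetricData into the
    namespace it will use (System/Linux unless --namespace overrides it)."""
    return is_allowed(policy, "cloudwatch:PutMetricData", {"cloudwatch:namespace": namespace})
```

Applied to the tag-conditioned ec2:DescribeTags statement in the production policy, the same missing-key rule yields no match: EC2 Describe* requests carry no aws:ResourceTag key in their context, so that statement grants nothing and any DescribeTags call the script makes would be denied.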