Skip to content
share library_books

Monitoring AWS

Which IAM permissions are needed to fetch Amazon EC2, EBS and ELB metrics

When you create an AWS app, you need to provide the access key and secret for a user that can fetch metrics for EC2, EBS and/or ELB, depending on which of those you select to be monitored. We recommend creating a separate IAM user for this, with the minimum permissions:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [

The Describe* permissions are needed to identify the resources which need to be monitored (Instances and Addresses for EC2, Volumes for EBS and LoadBalancers for ELB), while GetMetricStatistics will allow SPM to fetch the actual metrics from CloudWatch.


Metric Name Key Agg Type Description
'reads' Sum Double
'writes' aws.ec2.disk.write.bytes Sum Double
'rejected requests' aws.elb.requests.rejected Sum Double
'pending requests count' aws.elb.requests.pending Max Long
'network out' Sum Double
'network in' Sum Double
'5xx' aws.elb.reponse.code.5xx Sum Double
'4xx' aws.elb.reponse.code.4xx Sum Double
'consumed read/write ops' Sum Double
'requests count' aws.elb.requests Sum Double
'2xx' aws.elb.backend.response.code.2xx Sum Double
'4xx' aws.elb.backend.response.code.4xx Sum Double
'3xx' aws.elb.backend.response.code.3xx Sum Double
'5xx' aws.elb.backend.response.code.5xx Sum Double
'connection errors' aws.elb.backend.connection.errors Sum Double