Grafana is open source software for visualizing time-series data. It can also graph AWS CloudWatch metrics.
As a security best practice, when running Grafana on an EC2 instance, use an IAM role instead of a credentials file. A credentials file may expose access to your AWS account if other people ever gain access to your Grafana server.
Follow the step-by-step instructions below to attach an IAM role to your Grafana EC2 instance and set Grafana to access CloudWatch.
- Creation of IAM Role for Grafana EC2 Instance
- Adding CloudWatch Data Source
- Testing CloudWatch Data Source
Creation of IAM Role for Grafana EC2 Instance
Create an IAM policy with the permissions below, in JSON. Name this policy GrafanaAccessPolicy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadingMetricsFromCloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
            "Effect": "Allow",
            "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
            "Resource": "*"
        },
        {
            "Sid": "AllowReadingResourcesForTags",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}
Then create an IAM Role with the following properties.
| Property | Value |
| --- | --- |
| Trusted Entity Type | EC2 |
| Policies | GrafanaAccessPolicy |
| Role name | GrafanaAccessRole |
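An added example, not part of the original page: a Python check you can run before creating the role, confirming that the policy stays read-only and that only the EC2 service can assume the role. The trust policy document (the standard one for the EC2 service, not shown on the page), the helper names, and the Get/List/Describe read-only convention are assumptions of this example.

```python
import json
# The page's GrafanaAccessPolicy, embedded so the check runs offline.
GRAFANA_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowReadingMetricsFromCloudWatch", "Effect": "Allow", "Resource": "*",
  "Action": ["cloudwatch:DescribeAlarmsForMetric", "cloudwatch:ListMetrics",
             "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData"]},
 {"Sid": "AllowReadingTagsInstancesRegionsFromEC2", "Effect": "Allow", "Resource": "*",
  "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"]},
 {"Sid": "AllowReadingResourcesForTags", "Effect": "Allow", "Resource": "*",
  "Action": "tag:GetResources"}]}
""")
# Assumed trust policy for a role whose trusted entity is the EC2 service.
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

READ_VERBS = ("get", "list", "describe")  # assumption: read-only naming convention
SERVICES = {"cloudwatch", "ec2", "tag"}   # services the page's policy touches

def as_list(value):  # IAM accepts a bare string or object where a list is allowed
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Findings for Allow statements that reach past read-only monitoring."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction with Allow grants every other action")
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")  # IAM is case-insensitive
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif service not in SERVICES or not name.startswith(READ_VERBS):
                findings.append(f"outside read-only scope: {action}")
    return findings

def audit_trust(trust):
    """Findings for any principal other than the EC2 service."""
    findings = []
    for stmt in as_list(trust["Statement"]):
        principal = stmt.get("Principal", {})
        pairs = ([(k, v) for k, vs in principal.items() for v in as_list(vs)]
                 if isinstance(principal, dict) else [("Any", principal)])
        findings += [f"unexpected principal: {k}={v}" for k, v in pairs
                     if (k, v) != ("Service", "ec2.amazonaws.com")]
    return findings
```

Both functions return an empty list for the documents above; any edit that adds a write action, a wildcard, or another principal shows up as a finding.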