Grafana monitoring for AWS CloudWatch via EC2 IAM Role

Grafana is an open source software to create visualization of time-series data. This can graph AWS CloudWatch Metrics too.

As a security best practice when using Grafana on an EC2 Instance it is recommended to use an IAM Role. Using a credentials file may expose access to your AWS Account if ever other people gain access to your Grafana Server.

Follow the step-by-step instructions below on how to attach an IAM Role to your Grafana EC2 Instance and set Grafana to access CloudWatch.

Creation of IAM Role for Grafana EC2 Instance

Create an IAM policy with the below permission in JSON. Name this GrafanaAccessPolicy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Then create an IAM Role with the following properties.

Trusted Entity TypeEC2
PoliciesGrafanaAccessPolicy
Role nameGrafanaAccessRole
Continue reading Grafana monitoring for AWS CloudWatch via EC2 IAM Role