What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

How do I set permissions for the Amazon Web Services (AWS) API key to use certain sensors in PRTG?

Votes:

0

I use an Amazon CloudWatch sensor. In my AWS account, I activated CloudWatch metrics, but the sensor shows the error message You are not authorized to perform this operation.

Furthermore, I want to use the AWS Cost sensor. I know that the sensor requires permissions for the API key, but I do not know how to set the respective rights in my AWS account.

What do I have to do?

amazon api-key aws aws-cost-sensor cloudwatch help permissions prtg

Created on Jun 28, 2012 8:13:37 AM by Daniel Zobel [Product Manager]

Last change on Jan 3, 2023 7:54:47 AM by Brandy Greger [Paessler Support]



Best Answer

Accepted Answer

Votes:

1

This article applies as of PRTG 22

Setting permissions for the AWS API key

There are several sensors with which you can monitor single Amazon web services or your Amazon Web Services (AWS) account:

All these sensors need sufficient rights to query data from the AWS API. Follow these steps to give the sensors listed above the required permissions:

Step 1: Create a new policy

  1. Log in to your AWS account and go to the Identity and Access Management (IAM) console.
  2. Click the Policies tab and create a new policy.
  3. In step 1 of the Create policy dialog, select the JSON tab and enter the following definition:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1338559359622",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeRegions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559372809",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAlarms"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559399560",
            "Action": [
                "elasticache:DescribeCacheClusters"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559439473",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559468079",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559518608",
            "Action": [
                "sns:ListPlatformApplications",
                "sns:ListTopics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559548992",
            "Action": [
                "sqs:ListQueues"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1450719990448",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1450720132953",
            "Action": [
                "lambda:ListFunctions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CostExplorerRead",
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "ce:GetDimensionValues",
                "ce:GetCostAndUsageWithResources",
                "ce:GetUsageForecast"
            ],
            "Resource": "*"
        }
    ]
}

4. In step 2 of the Create policy dialog, give the new policy a meaningful name, for example, MonitoringPolicy.

Create new policy
Click to enlarge.

5. Click Create policy to save the new policy.

Step 2: Create a new group and attach the new policy

  1. Click the Groups tab.
  2. Create a new group and give it a meaningful name, for example, MonitoringGroup.
  3. On the Attach Policy page, map the new policy to the new group by enabling the check box next to the Policy Name.
  4. Click Next Step to review your settings.

Step 3: Add a new user to the new group

  1. Click the Users tab and create a new user.
  2. Click Add user to groups to add the new user to the new MonitoringGroup.

    Add new user
    Click to enlarge.

  3. Select Programmic Access to give the new user the required permissions for the API key.
  4. To review and confirm the permissions you set, click the Policies tab and select Policy summary.

    Service details
    Click to enlarge.

Step 4: Generate the access key and the secret key

  1. Click the Users tab and select the user that you created in Step 3: Add a new user to the new group.
  2. On the Security Credentials tab, select Create Access Key.
  3. Download and store the .csv file that contains the Access Key and the Secret Key.
    Note: The Access Key and the Secret Key are only displayed in the IAM once.
  4. Enter these AWS credentials on the Settings tab of the AWS Cost sensor’s parent device or group in the Credentials for AWS section.

More

Created on Jul 24, 2018 9:05:33 AM by Brandy Greger [Paessler Support]

Last change on Jun 20, 2023 7:49:54 AM by Fruzsina Ébelle [Paessler Support]



10 Replies

Votes:

0

Hi is it Possible to use AWS tags to scope the sensors?

Created on Dec 7, 2017 11:32:22 AM



Votes:

0

In what way would you scope them? Can you give me some more information?

Created on Dec 8, 2017 3:47:39 AM by Benjamin Day [Paessler Support] (1,441) 2 1



Accepted Answer

Votes:

1

This article applies as of PRTG 22

Setting permissions for the AWS API key

There are several sensors with which you can monitor single Amazon web services or your Amazon Web Services (AWS) account:

All these sensors need sufficient rights to query data from the AWS API. Follow these steps to give the sensors listed above the required permissions:

Step 1: Create a new policy

  1. Log in to your AWS account and go to the Identity and Access Management (IAM) console.
  2. Click the Policies tab and create a new policy.
  3. In step 1 of the Create policy dialog, select the JSON tab and enter the following definition:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1338559359622",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeRegions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559372809",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAlarms"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559399560",
            "Action": [
                "elasticache:DescribeCacheClusters"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559439473",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559468079",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559518608",
            "Action": [
                "sns:ListPlatformApplications",
                "sns:ListTopics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1338559548992",
            "Action": [
                "sqs:ListQueues"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1450719990448",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "Stmt1450720132953",
            "Action": [
                "lambda:ListFunctions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CostExplorerRead",
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "ce:GetDimensionValues",
                "ce:GetCostAndUsageWithResources",
                "ce:GetUsageForecast"
            ],
            "Resource": "*"
        }
    ]
}

4. In step 2 of the Create policy dialog, give the new policy a meaningful name, for example, MonitoringPolicy.

Create new policy
Click to enlarge.

5. Click Create policy to save the new policy.

Step 2: Create a new group and attach the new policy

  1. Click the Groups tab.
  2. Create a new group and give it a meaningful name, for example, MonitoringGroup.
  3. On the Attach Policy page, map the new policy to the new group by enabling the check box next to the Policy Name.
  4. Click Next Step to review your settings.

Step 3: Add a new user to the new group

  1. Click the Users tab and create a new user.
  2. Click Add user to groups to add the new user to the new MonitoringGroup.

    Add new user
    Click to enlarge.

  3. Select Programmic Access to give the new user the required permissions for the API key.
  4. To review and confirm the permissions you set, click the Policies tab and select Policy summary.

    Service details
    Click to enlarge.

Step 4: Generate the access key and the secret key

  1. Click the Users tab and select the user that you created in Step 3: Add a new user to the new group.
  2. On the Security Credentials tab, select Create Access Key.
  3. Download and store the .csv file that contains the Access Key and the Secret Key.
    Note: The Access Key and the Secret Key are only displayed in the IAM once.
  4. Enter these AWS credentials on the Settings tab of the AWS Cost sensor’s parent device or group in the Credentials for AWS section.

More

Created on Jul 24, 2018 9:05:33 AM by Brandy Greger [Paessler Support]

Last change on Jun 20, 2023 7:49:54 AM by Fruzsina Ébelle [Paessler Support]



Votes:

1

Hi. I have a member account (not a payer one). May I use the sensor too? This message is being displayed, after I set the policy, group, user and have CE enabled: "You do not have permission to perform this request on the resource "GetCostAndUsage"."

Created on May 8, 2020 9:40:27 PM



Votes:

0

Hello there,

Are you able to set the permissions as described in this article?

Created on May 11, 2020 6:42:25 AM by Sasa Ignjatovic [Paessler Support]



Votes:

0

Same problem: "You do not have permission to perform this request on the resource "GetCostAndUsage"."

"Sid": "CostExplorerRead",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetCostAndUsageWithResources",
        "ce:GetUsageForecast"

Is there some other permission to set?

Created on Jul 7, 2020 1:11:29 PM



Votes:

0

Hello Paolo,

I assume you are trying to use the AWS Cost Sensor. If that is the case, did you made sure that all requirements mentioned in the Remarks section are met?

Additionally, you can check if the Cost Explorer is enabled, and if your user account already has the right "aws-portal:ViewBilling : Allow or deny IAM users permission to view the Billing and Cost Management console pages."

Created on Jul 8, 2020 7:20:34 AM by Sasa Ignjatovic [Paessler Support]



Votes:

1

Have the exact same issue: You do not have permission to perform this request on the resource "GetCostAndUsage".

When I run the simulation from within IAM for the GetCostAndUsage api call, it sayes: allowed. So not a rights issue?

Could this be something with the AWS region?

Created on Jul 2, 2021 8:07:37 AM



Votes:

0

Hi Fanman,

Did you already check if the Cost Explorer is enabled, and the account has the right "aws-portal: ViewBilling"?

Created on Jul 7, 2021 6:34:04 AM by Sasa Ignjatovic [Paessler Support]



Votes:

1

For anyone who may have used the JSON definition in the "Best Answer" reply from Paessler Support, note that this definition has been updated since it was originally posted. In my case, old AWS sensors worked, but new/updated ones including the beta sensors didn't. It was because they require additional AWS permissions, and I had only allowed the original list of permissions posted in the JSON definition in this article. Updating the AWS permissions using the currently posted JSON definition fixed my issue.

Created on Dec 28, 2021 6:45:22 PM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.