

# Prerequisites, IAM policies, and permissions needed to access CloudWatch Application Insights
Prerequisites, IAM policies, and permissions

To get started with CloudWatch Application Insights, verify that you have met the following prerequisites, have created an IAM policy, and have attached permissions if needed.

**Topics**
+ [Prerequisites to configure an application for monitoring](appinsights-prereqs.md)
+ [IAM policy for CloudWatch Application Insights](appinsights-iam.md)
+ [IAM role permissions for account-based application onboarding](appinsights-account-based-onboarding-permissions.md)

# Prerequisites to configure an application for monitoring
Prerequisites

You must complete the following prerequisites to configure an application with CloudWatch Application Insights:
+ **AWS Systems Manager enablement** – Install Systems Manager Agent (SSM Agent) on your Amazon EC2 instances, and enable the instances for SSM. For information about how to install the SSM Agent, see [Setting up AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up.html) in the *AWS Systems Manager User Guide*.
+ **EC2 instance role** – You must attach the following to the Amazon EC2 instance role to enable Systems Manager and the CloudWatch agent:
  + You must attach the `AmazonSSMManagedInstanceCore` role to enable Systems Manager. For more information, see [AWS Systems Manager identity-based policy examples](https://docs.aws.amazon.com/systems-manager/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html).
  + You must attach the `CloudWatchAgentServerPolicy` policy to enable instance metrics and logs to be emitted through CloudWatch. For more information, see [Create IAM roles and users for use with CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html).
+ **AWS resource groups** – To onboard your applications to CloudWatch Application Insights, create a resource group that includes all of the associated AWS resources used by your application stack. This includes application load balancers, Amazon EC2 instances running IIS and web front‐end, .NET worker tiers, and SQL Server databases. For more information about application components and technology stacks supported by Application Insights, see [Supported application components](appinsights-what-is.md#appinsights-components). CloudWatch Application Insights automatically includes Auto Scaling groups using the same tags or CloudFormation stacks as your resource group, because Auto Scaling groups are not supported by CloudFormation resource groups. For more information, see [Getting Started with AWS Resource Groups](https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html).
+ **IAM permissions** – For users who don't have administrative access, you must create an AWS Identity and Access Management (IAM) policy that allows Application Insights to create a service-linked role and attach it to the user's identity. For more information about how to create the IAM policy, see [IAM policy for CloudWatch Application Insights](appinsights-iam.md).
+ **Service-linked role** – Application Insights uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is created for you when you create your first Application Insights application in the Application Insights console. For more information, see [Using service-linked roles for CloudWatch Application Insights](CHAP_using-service-linked-roles-appinsights.md).
+ **Performance Counter metrics support for EC2 Windows instances** – To monitor Performance Counter metrics on your Amazon EC2 Windows instances, Performance Counters must be installed on the instances. For Performance Counter metrics and corresponding Performance Counter set names, see [Performance Counter metrics](application-insights-performance-counter.md). For more information about Performance Counters, see [Performance Counters](https://docs.microsoft.com/en-us/windows/win32/perfctrs/performance-counters-portal).
+ **Amazon CloudWatch agent** – Application Insights installs and configures the CloudWatch agent. If you already have the CloudWatch agent installed, Application Insights retains your existing configuration. To avoid a merge conflict, remove the configuration of any resources that you want Application Insights to monitor from the existing CloudWatch agent configuration file. For more information, see [Manually create or edit the CloudWatch agent configuration file](CloudWatch-Agent-Configuration-File-Details.md).

# IAM policy for CloudWatch Application Insights
IAM policy

To use CloudWatch Application Insights, you must create an [AWS Identity and Access Management (IAM) policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and attach it to your user, group, or role. For more information about users, groups, and roles, see [IAM Identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html). The IAM policy defines the user permissions.

**To create an IAM policy using the console**  
To create an IAM policy using the IAM console, perform the following steps.

1. Go to the [IAM console](https://console.aws.amazon.com/iam/home). In the left navigation pane, select **Policies**.

1. At the top of the page, select **Create policy**.

1. Select the **JSON** tab.

1. Copy and paste the following JSON document under the **JSON** tab.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "applicationinsights:*",
                   "iam:CreateServiceLinkedRole",
                   "iam:ListRoles",
                   "resource-groups:ListGroups"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }
   ```

1. Select **Review Policy**.

1. Enter a **Name** for the policy, for example, “AppInsightsPolicy.” Optionally, enter a **Description**.

1. Select **Create Policy**.

1. In the left navigation pane, select **User groups**, **Users**, or **Roles**.

1. Select the name of the user group, user, or role to which you would like to attach the policy.

1. Select **Add permissions**.

1. Select **Attach existing policies directly**.

1. Search for the policy that you just created, and select the check box to the left of the policy name.

1. Select **Next: Review**.

1. Make sure that the correct policy is listed, and select **Add permissions**.

1. Make sure that you log in with the user associated with the policy that you just created when you use CloudWatch Application Insights.

**To create an IAM policy using the AWS CLI**  
To create an IAM policy using the AWS CLI, save the JSON document above as a file in your current folder, then run the [create-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html) command from the command line, passing that file as the policy document.

**To create an IAM policy using AWS Tools for Windows PowerShell**  
To create an IAM policy using the AWS Tools for Windows PowerShell, save the JSON document above as a file in your current folder, then run the [New-IAMPolicy](https://docs.aws.amazon.com/powershell/latest/reference/items/New-IAMPolicy.html) cmdlet, passing that file as the policy document.

# IAM role permissions for account-based application onboarding
Permissions

If you want to onboard all of the resources in your account, and you choose not to use the [Application Insights managed policy](security-iam-awsmanpol-appinsights.md) for full access to Application Insights functionality, you must attach the following permissions to your IAM role so that Application Insights can discover all of the resources in your account:

```
"ec2:DescribeInstances"
"ec2:DescribeNatGateways"
"ec2:DescribeVolumes"
"ec2:DescribeVPCs"
"rds:DescribeDBInstances"
"rds:DescribeDBClusters"
"sqs:ListQueues"
"elasticloadbalancing:DescribeLoadBalancers"
"autoscaling:DescribeAutoScalingGroups"
"lambda:ListFunctions"
"dynamodb:ListTables"
"s3:ListAllMyBuckets"
"sns:ListTopics"
"states:ListStateMachines"
"apigateway:GET"
"ecs:ListClusters"
"ecs:DescribeTaskDefinition"
"ecs:ListServices"
"ecs:ListTasks"
"eks:ListClusters"
"eks:ListNodegroups"
"fsx:DescribeFileSystems"
"route53:ListHealthChecks"
"route53:ListHostedZones"
"route53:ListQueryLoggingConfigs"
"route53resolver:ListFirewallRuleGroups"
"route53resolver:ListFirewallRuleGroupAssociations"
"route53resolver:ListResolverEndpoints"
"route53resolver:ListResolverQueryLogConfigs"
"route53resolver:ListResolverQueryLogConfigAssociations"
"logs:DescribeLogGroups"
"resource-explorer:ListResources"
```
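The following Python script is an added example and is not code from this AWS documentation page. It serves both the IAM policy section above and the account-based onboarding permissions just listed: it assembles the console/CLI policy and the discovery actions into one policy document, runs a few least-privilege and well-formedness checks on it, and writes the JSON file that the `create-policy` command or the `New-IAMPolicy` cmdlet takes as the policy document. The statement `Sid` values are the example's own names. The service principal `application-insights.amazonaws.com`, used with the `iam:AWSServiceName` condition key to limit `iam:CreateServiceLinkedRole` to the one service-linked role this feature needs, is an assumption that is not stated on this page and should be confirmed against the service-linked roles documentation before use. The 6,144-character managed-policy size limit is the documented IAM quota.

```python
"""Assemble and lint the IAM policy documents described on this page (added example)."""
import json
import re

# Actions from the console/CLI policy in "IAM policy for CloudWatch Application Insights".
APP_INSIGHTS_ACTIONS = [
    "applicationinsights:*",
    "iam:CreateServiceLinkedRole",
    "iam:ListRoles",
    "resource-groups:ListGroups",
]

# Discovery actions from "IAM role permissions for account-based application onboarding".
ACCOUNT_DISCOVERY_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeNatGateways", "ec2:DescribeVolumes", "ec2:DescribeVPCs",
    "rds:DescribeDBInstances", "rds:DescribeDBClusters", "sqs:ListQueues",
    "elasticloadbalancing:DescribeLoadBalancers", "autoscaling:DescribeAutoScalingGroups",
    "lambda:ListFunctions", "dynamodb:ListTables", "s3:ListAllMyBuckets", "sns:ListTopics",
    "states:ListStateMachines", "apigateway:GET", "ecs:ListClusters", "ecs:DescribeTaskDefinition",
    "ecs:ListServices", "ecs:ListTasks", "eks:ListClusters", "eks:ListNodegroups",
    "fsx:DescribeFileSystems", "route53:ListHealthChecks", "route53:ListHostedZones",
    "route53:ListQueryLoggingConfigs", "route53resolver:ListFirewallRuleGroups",
    "route53resolver:ListFirewallRuleGroupAssociations", "route53resolver:ListResolverEndpoints",
    "route53resolver:ListResolverQueryLogConfigs",
    "route53resolver:ListResolverQueryLogConfigAssociations",
    "logs:DescribeLogGroups", "resource-explorer:ListResources",
]

# ASSUMPTION: the service principal Application Insights uses for its service-linked role.
# It is not stated on this page; verify it before relying on the condition below.
ASSUMED_SLR_SERVICE_NAME = "application-insights.amazonaws.com"

ACTION_RE = re.compile(r"^[a-z0-9-]+:(\*|[A-Za-z0-9]+\*?)$")
MANAGED_POLICY_MAX_CHARS = 6144  # IAM quota for a managed policy document, whitespace excluded


def build_policy(include_account_discovery=False, scope_slr=True):
    """Return the policy as a dict ready for json.dumps and aws iam create-policy."""
    statements = [{
        "Sid": "ApplicationInsightsAccess",
        "Effect": "Allow",
        "Action": [a for a in APP_INSIGHTS_ACTIONS if a != "iam:CreateServiceLinkedRole"],
        "Resource": "*",
    }]
    slr = {
        "Sid": "CreateApplicationInsightsServiceLinkedRole",
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",
    }
    if scope_slr:
        # Limit the grant to the one service-linked role this feature creates.
        slr["Condition"] = {"StringEquals": {"iam:AWSServiceName": ASSUMED_SLR_SERVICE_NAME}}
    statements.append(slr)
    if include_account_discovery:
        statements.append({
            "Sid": "ApplicationInsightsAccountDiscovery",
            "Effect": "Allow",
            "Action": ACCOUNT_DISCOVERY_ACTIONS,
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17; the older version lacks policy variables")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: wildcard action '*' grants every API")
            elif not ACTION_RE.match(action):
                findings.append(f"{sid}: '{action}' is not a well-formed service:Action string")
            elif action.startswith("iam:") and "*" in action:
                findings.append(f"{sid}: '{action}' is a wildcard on IAM itself")
        if "iam:CreateServiceLinkedRole" in actions and "Condition" not in stmt:
            findings.append(f"{sid}: iam:CreateServiceLinkedRole is not scoped by iam:AWSServiceName")
    compact = json.dumps(policy, separators=(",", ":"))
    if len(compact) > MANAGED_POLICY_MAX_CHARS:
        findings.append(f"policy is {len(compact)} chars, over the {MANAGED_POLICY_MAX_CHARS} limit")
    return findings


def write_policy_file(path, include_account_discovery=False):
    """Write the policy JSON; pass the path as --policy-document file://<path> to create-policy."""
    policy = build_policy(include_account_discovery=include_account_discovery)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=4)
    return policy


if __name__ == "__main__":
    doc = build_policy(include_account_discovery=True)
    print(json.dumps(doc, indent=4))
    print("lint findings:", lint_policy(doc) or "none")
```

Run the script to print the combined document and its lint result, or call `write_policy_file("AppInsightsPolicy.json", include_account_discovery=True)` and pass the file to `create-policy` as described above. Set `scope_slr=False` to reproduce the unconditioned `iam:CreateServiceLinkedRole` grant from the page's JSON; the linter reports it so the difference between the two shapes is visible.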