Version: 1.1.0

AWS IAM Policies and Roles

This topic outlines the required AWS IAM policies and roles for the Obliq AI SRE Agent platform to work properly.

Overview

The Avesha Agents platform requires specific AWS permissions to:

  • Monitor EC2 instances and their status
  • Collect CloudWatch metrics for monitoring and alerting
  • Assume roles for cross-account access
  • Manage AWS resources securely

Required IAM Policy

Core Monitoring Policy

The following IAM policy provides the minimum required permissions for the Obliq AI SRE Agent platform:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeAccountAttributes",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    }
  ]
}

Permission Breakdown

EC2 Permissions

EC2 Permission | Description
ec2:DescribeInstances | Access to instance information, status, and metadata
ec2:DescribeRegions | List available AWS regions for multi-region monitoring
ec2:DescribeAccountAttributes | Access to account-level information and limits

CloudWatch Permissions

CloudWatch Permission | Description
cloudwatch:GetMetricStatistics | Retrieve historical metric data for analysis
cloudwatch:ListMetrics | Discover available metrics for monitoring
cloudwatch:GetMetricData | Get real-time and batch metric data

Security Token Service

Security Token Service Permission | Description
sts:AssumeRoleWithWebIdentity | Assume IAM roles using web identity tokens (for EKS integration)

Create an AWS IAM Policy

Option 1: Create Custom IAM Policy

  1. Save the Core Monitoring Policy above as avesha-agents-policy.json, then create a custom IAM policy using the following command:
aws iam create-policy \
--policy-name AveshaAgentsMonitoring \
--policy-document file://avesha-agents-policy.json
  2. Attach the newly created custom IAM policy to an IAM user or role using one of the following commands (ACCOUNT-ID is your AWS account ID):
# For IAM User
aws iam attach-user-policy \
--user-name your-username \
--policy-arn arn:aws:iam::ACCOUNT-ID:policy/AveshaAgentsMonitoring

# For IAM Role
aws iam attach-role-policy \
--role-name your-role-name \
--policy-arn arn:aws:iam::ACCOUNT-ID:policy/AveshaAgentsMonitoring

Option 2: Use AWS Managed Policies

If you prefer to use AWS managed policies, you can combine them using the following commands:

# Attach CloudWatch ReadOnly policy
aws iam attach-role-policy \
--role-name your-role-name \
--policy-arn arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess

# Attach EC2 ReadOnly policy
aws iam attach-role-policy \
--role-name your-role-name \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
Info: Managed policies may include additional permissions beyond what is required.
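To see how far a combined managed-policy grant exceeds the Core Monitoring Policy, here is an added example (not code from the Avesha docs) that expands the wildcard patterns managed policies use against the required action set; the MANAGED_COMBO policy is a constructed approximation of the two managed policies above, not their real content.

```python
from fnmatch import fnmatchcase

# Actions the Core Monitoring Policy on this page lists as required.
REQUIRED = {
    "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeAccountAttributes",
    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
    "sts:AssumeRoleWithWebIdentity",
}


def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (Action may be a string or a list)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def least_privilege_report(policy, required=REQUIRED):
    """Return (missing, surplus): required actions no pattern covers, and patterns that
    grant more than the required set (any wildcard, or an action outside the set)."""
    patterns = allowed_patterns(policy)
    missing = sorted(a for a in required if not any(fnmatchcase(a, p) for p in patterns))
    surplus = sorted(p for p in patterns if "*" in p or p not in required)
    return missing, surplus


# Constructed stand-in for attaching CloudWatchReadOnlyAccess plus AmazonEC2ReadOnlyAccess.
MANAGED_COMBO = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
                                   "logs:Get*", "logs:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]}

if __name__ == "__main__":
    missing, surplus = least_privilege_report(MANAGED_COMBO)
    print("required actions not covered:", missing)
    print("patterns broader than required:", surplus)
```

Run it against the JSON returned by aws iam get-policy-version to audit the policy that is actually attached.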

Option 3: Inline Policy

You can also embed the policy inline in an IAM role or user using the following command (for a user, use aws iam put-user-policy with --user-name instead):

aws iam put-role-policy \
--role-name your-role-name \
--policy-name AveshaAgentsInline \
--policy-document file://avesha-agents-policy.json

Configure IAM Roles

Configure an EC2 Instances Role

To run the Obliq AI SRE Agent on EC2 instances, create an IAM role with the following trust policy so that the EC2 service can assume it, then attach the monitoring policy from above to that role and assign it to the instances through an instance profile:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Configure IAM Roles for EKS Service Accounts

For Kubernetes deployments using IAM Roles for Service Accounts, create separate trust policies for each service.

CloudWatch Service Trust Policy

For the aws-ec2-cloudwatch-alarms service, configure the following trust policy. The aud condition restricts the token audience to STS, and the sub condition pins the role to the single service account aws-ec2-cloudwatch-alarms in the avesha namespace.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR-ACCOUNT-ID:oidc-provider/oidc.eks.YOUR-REGION.amazonaws.com/id/YOUR-OIDC-ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.YOUR-REGION.amazonaws.com/id/YOUR-OIDC-ID:aud": "sts.amazonaws.com",
          "oidc.eks.YOUR-REGION.amazonaws.com/id/YOUR-OIDC-ID:sub": "system:serviceaccount:avesha:aws-ec2-cloudwatch-alarms"
        }
      }
    }
  ]
}

Replace the following placeholders with your actual values:

  • YOUR-ACCOUNT-ID: Your AWS account ID
  • YOUR-REGION: Your EKS cluster region (for example, us-east-1)
  • YOUR-OIDC-ID: Your EKS cluster's OIDC provider ID

Configure AWS MCP Service Trust Policy

For the aws-mcp service, configure the following trust policy. It is identical to the one above except that the sub condition names the aws-mcp service account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR-ACCOUNT-ID:oidc-provider/oidc.eks.YOUR-REGION.amazonaws.com/id/YOUR-OIDC-ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.YOUR-REGION.amazonaws.com/id/YOUR-OIDC-ID:aud": "sts.amazonaws.com",
          "oidc.eks.YOUR-REGION.amazonaws.com/id/YOUR-OIDC-ID:sub": "system:serviceaccount:avesha:aws-mcp"
        }
      }
    }
  ]
}

Replace the following placeholders with your actual values:

  • YOUR-ACCOUNT-ID: Your AWS account ID
  • YOUR-REGION: Your EKS cluster region (for example, us-east-1)
  • YOUR-OIDC-ID: Your EKS cluster's OIDC provider ID
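Both trust policies above are the same template with a different service account, so here is an added example (not code from the Avesha docs) that renders the template from the placeholders and lints the result for the two conditions that keep an IRSA role scoped; the account id, region and OIDC id used at the bottom are constructed placeholders.

```python
import json

def irsa_trust_policy(account_id, region, oidc_id, namespace, service_account):
    """Build the EKS IRSA trust policy for a single Kubernetes service account."""
    issuer = f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }

def lint_trust_policy(policy):
    """Return findings for web-identity statements; an empty list means tightly scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        issuer = stmt.get("Principal", {}).get("Federated", "").split(":oidc-provider/")[-1]
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        sub = equals.get(f"{issuer}:sub")
        if sub is None:
            # A missing sub, or a StringLike wildcard, lets any pod in the cluster assume the role
            like = cond.get("StringLike", {}).get(f"{issuer}:sub", "absent")
            findings.append(f"sub condition is not an exact match: {like}")
        elif not sub.startswith("system:serviceaccount:") or sub.count(":") != 3:
            findings.append(f"sub is not a single service account: {sub}")
    return findings

if __name__ == "__main__":
    # Constructed placeholder values, not a real account or cluster.
    policy = irsa_trust_policy("123456789012", "us-east-1", "EXAMPLEOIDCID", "avesha", "aws-mcp")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy))
```

Pipe the printed JSON into aws iam create-role --assume-role-policy-document, or run lint_trust_policy on the output of aws iam get-role to audit roles that already exist.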

Service-Specific Permissions

AWS MCP Service

The AWS MCP service needs the following policy, which adds network discovery (security groups, VPCs, subnets) and alarm lookups to the core monitoring permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:DescribeAlarms",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    }
  ]
}

CloudWatch MCP Service

For CloudWatch-specific monitoring, configure the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmHistory",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Security Best Practices

Principle of Least Privilege

  • Only grant the minimum permissions necessary
  • Regularly review and audit IAM policies
  • Use resource-level permissions when possible
  • Implement temporary credentials for short-term access

Resource Restrictions

Consider restricting access to specific resources, as shown in the following policy. Note that the ec2:Describe* actions and the CloudWatch metric read actions (GetMetricStatistics, GetMetricData, ListMetrics) do not support resource-level permissions: a restricted Resource element denies those calls, so keep Resource "*" for them and scope the actions that do support it, such as alarm and log group reads.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:cloudwatch:us-east-1:ACCOUNT-ID:alarm:*",
        "arn:aws:logs:us-east-1:ACCOUNT-ID:log-group:*"
      ]
    }
  ]
}

Conditional Access

Configure conditions for additional security, as shown in the following policy. Describe and metric-read calls carry no request tags, so a condition on aws:RequestTag would never match them; condition on a tag of the calling principal (aws:PrincipalTag) instead. aws:SourceIp is the caller's public IP address and is absent for requests that arrive through a VPC endpoint, so those requests would be denied by the IpAddress condition.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Environment": "production"
        },
        "IpAddress": {
          "aws:SourceIp": "YOUR-IP-RANGE"
        }
      }
    }
  ]
}

Troubleshooting

Common Permission Issues

Issue | Resolution
"Access Denied" errors | Check that the IAM policy is properly attached.
Missing metrics | Verify that CloudWatch permissions are granted.
Cross-account access | Ensure that proper role assumption permissions are in place.

Debug Commands

# Test EC2 permissions
aws ec2 describe-instances --region us-east-1

# Test CloudWatch permissions
aws cloudwatch list-metrics --namespace AWS/EC2

# Check IAM policy attachments
aws iam list-attached-role-policies --role-name your-role-name

# Verify policy content
aws iam get-policy-version \
--policy-arn arn:aws:iam::ACCOUNT-ID:policy/AveshaAgentsMonitoring \
--version-id v1

IAM Policy Simulator

Use the AWS IAM Policy Simulator to test permissions:

  1. Go to IAM Policy Simulator.
  2. Select the user/role to test.
  3. Choose the actions to simulate.
  4. Review the results.

Monitoring and Auditing

CloudTrail Integration

Enable CloudTrail to record the platform's API calls using the following commands. The S3 bucket must already exist with a bucket policy that allows CloudTrail to write to it, and a new trail records nothing until logging is started:

aws cloudtrail create-trail \
--name avesha-agents-trail \
--s3-bucket-name your-log-bucket \
--include-global-service-events

# Start recording; create-trail alone does not enable logging
aws cloudtrail start-logging --name avesha-agents-trail

IAM Access Analyzer

Use IAM Access Analyzer to identify unused permissions using the following command. An analyzer of type ACCOUNT reports external access to your resources instead, so the unused-access analyzer type is required for this purpose:

aws accessanalyzer create-analyzer \
--analyzer-name avesha-agents-analyzer \
--type ACCOUNT_UNUSED_ACCESS