21.5.5 Creating an IAM Role and Policy for CloudWatch Monitoring

Use the AWS Management Console to create an IAM role for using CloudWatch to monitor your DB Systems and HeatWave Clusters.
This task requires the following:
  • Access to AWS Management Console.
  • An AWS account with rights to create and manage IAM roles. This is the account that receives the metrics emitted by the monitoring service.
Do the following to create an IAM role:
  1. Open the AWS Management Console and sign in with your credentials.
  2. In the AWS Management Console home page, click Services, and click Security, Identity, & Compliance, and then click IAM.
  3. In the navigation pane of the Console, under Access management, click Roles, and then click the Create role button.
  4. In the Trusted entity type panel, select Custom Trust Policy, and modify the trust policy so that the monitoring service can assume this role (see Manage AWS Access for the <IDDetails> value you should use):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "612981981079"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringLike": {
                        "sts:ExternalId":"<IDDetails>"
                    }
                }
            }
        ]
    }
    Click Next.
  5. On the Add permissions page, skip to the next step by clicking Next.
  6. On the Name, review, and create page, do the following:
    1. Enter a Role name, for example OracleHeatWaveMonitoringRole, and an optional Description if you like.
    2. Review the Trust policy, and click Create role.
  7. On the IAM > Roles page, search for the role you just created using its name, and then click on it.
  8. Modify the Permissions for your role:
    1. On the information page for the role, on the Permissions tab, click the Add permissions button and select Create inline policy.
    2. On the Specify permissions page, in the Policy editor pane, select the JSON tab, and replace the shown policy with the following:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "logs:CreateLogGroup",
                      "logs:CreateLogStream",
                      "logs:PutLogEvents",
                      "logs:PutRetentionPolicy"
                  ],
                  "Resource": "arn:aws:logs:*:*:log-group:/OracleHeatWave/metrics:*"
              }
          ]
      }
      These permission settings allow the DB System to publish custom metrics to the OracleHeatWave namespace in CloudWatch, create the /OracleHeatWave/metrics:* log group and its log streams, and perform basic logging operations. Click Next after you have finished editing.
  9. On the Review and create page, review the policy, provide a Policy name for it (for example, OracleHeatWaveMonitoringPermissions), and click Create policy.
  10. In the Summary section, copy the role's ARN. You will need it later.
After you create the role, enter the role ARN in the Monitoring configuration of an existing DB System, or create a new DB System and enter the ARN there. See Editing a DB System and Creating a DB System.
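As an added example that is not part of the Oracle documentation, the following Python builds the two policy documents from steps 4 and 8 and checks the properties that matter before the role is saved: the trust policy names only the monitoring account and carries a non-wildcard sts:ExternalId condition, and the inline policy grants only the four logs actions on the /OracleHeatWave/metrics log group. The external ID value used here is a constructed placeholder; the function and finding names are this example's own.

```python
MONITORING_ACCOUNT = "612981981079"  # principal from the trust policy in step 4
LOG_GROUP_ARN = "arn:aws:logs:*:*:log-group:/OracleHeatWave/metrics:*"
ALLOWED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:PutLogEvents", "logs:PutRetentionPolicy"}

def trust_policy(external_id: str) -> dict:
    """Trust policy from step 4 with the <IDDetails> placeholder filled in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": MONITORING_ACCOUNT},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {"sts:ExternalId": external_id}}}]}

def permissions_policy() -> dict:
    """Inline permissions policy from step 8, scoped to the metrics log group."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS), "Resource": LOG_GROUP_ARN}]}

def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def check_role(trust: dict, perms: dict) -> list[str]:
    """Return findings; an empty list means both documents match the documented shape."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else ["*"]
        if not aws or any(MONITORING_ACCOUNT not in p for p in aws):
            findings.append("trust: principal is not limited to the monitoring account")
        cond = st.get("Condition", {})  # accept StringLike (as on the page) or StringEquals
        ext = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}.get("sts:ExternalId")
        if not ext:
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")
        elif "*" in ext or ext == "<IDDetails>":
            findings.append("trust: sts:ExternalId is a wildcard or still the placeholder")
    for st in perms.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action", []))) - ALLOWED_ACTIONS  # anything beyond the four logs actions
        if extra:
            findings.append(f"perms: unexpected actions {sorted(extra)}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or not res.startswith("arn:aws:logs:"):
                findings.append(f"perms: resource {res!r} is not scoped to the log group")
    return findings
```

Run check_role against the JSON you pasted into the console (json.loads on the saved text) to confirm it reports no findings before you copy the role ARN into the DB System.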