I Investigated Actions That Can Be Set in Resource-Based Policies for Amazon Managed Service for Prometheus

2026.01.16

Hello. I'm Shiina from the Operations department.

Introduction

Amazon Managed Service for Prometheus supports resource-based policies.
For details, please refer to the blog below.
https://dev.classmethod.jp/articles/amp-resource-policy/

I recently had the opportunity to investigate resource-based policies, so I have compiled some notes on what to be aware of when configuring them.

Conclusion

In the Action element of resource-based policies, you can only specify Prometheus compatible APIs (aps:RemoteWrite, aps:GetSeries, aps:GetLabels, aps:GetMetricMetadata, aps:QueryMetrics, etc.).
Based on my testing, it is not possible to specify non-compatible APIs or wildcards (*).

Testing

I tested setting resource-based policies on an Amazon Managed Service for Prometheus workspace using three patterns for the Action element:

  • Prometheus compatible APIs only
  • Including Prometheus non-compatible APIs
  • Using wildcards (*)

Prerequisites

  • Amazon Managed Service for Prometheus workspace already created
  • Resource-based policy configuration using AWS CLI commands

Prometheus Compatible APIs Only

Let's set up a resource-based policy with Prometheus compatible APIs (aps:RemoteWrite, aps:GetSeries, aps:GetLabels, aps:GetMetricMetadata).
Please refer to the documentation[1] for Prometheus compatible APIs.

Command

aws amp put-resource-policy \
  --workspace-id ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
  --policy file://amp-resource-policy1.json

Resource-based policy

amp-resource-policy1.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": [
        "aps:RemoteWrite",
        "aps:GetSeries",
        "aps:GetLabels",
        "aps:GetMetricMetadata"
      ],
      "Resource": "arn:aws:aps:ap-northeast-1:XXXXXXXXXXXX:workspace/ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"
    }
  ]
}

Output

{
    "policyStatus": "CREATING",
    "revisionId": "XXXXXXXXXXX"
}

A status indicating that the resource-based policy is being created was returned.

After a while, let's check the resource-based policy.

Command

aws amp describe-resource-policy \
  --workspace-id ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX

Output

{
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::XXXXXXXXXXXX:root\"},\"Action\":[\"aps:RemoteWrite\",\"aps:GetSeries\",\"aps:GetLabels\",\"aps:GetMetricMetadata\"],\"Resource\":\"arn:aws:aps:ap-northeast-1:XXXXXXXXXXXX:workspace/ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX\"}]}",
    "policyStatus": "ACTIVE",
    "revisionId": "XXXXXXXXXXX"
}

I confirmed that the resource-based policy was successfully configured.

Including Prometheus Non-compatible APIs

Let's try setting a resource-based policy with a Prometheus non-compatible API (CreateWorkspace).

Command

aws amp put-resource-policy \
  --workspace-id ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
  --policy file://amp-resource-policy2.json

Resource-based policy

amp-resource-policy2.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": "aps:CreateWorkspace",
      "Resource": "arn:aws:aps:ap-northeast-1:XXXXXXXXXXXX:workspace/ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"
    }
  ]
}

Output

An error occurred (ValidationException) when calling the PutResourcePolicy operation: Resource policy contains actions that are not supported

A validation error was returned because the resource-based policy contained actions that are not supported.

Using Wildcards (*)

Let's try setting a resource-based policy with a wildcard (*).

Command

aws amp put-resource-policy \
  --workspace-id ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX \
  --policy file://amp-resource-policy3.json

Resource-based policy

amp-resource-policy3.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
        },
        "Action": "aps:*",
        "Resource": "arn:aws:aps:ap-northeast-1:XXXXXXXXXXXX:workspace/ws-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"
    }
  ]
}

Output

An error occurred (ValidationException) when calling the PutResourcePolicy operation: Resource policy contains actions that are not supported

A validation error was returned because the wildcard also covers Prometheus non-compatible APIs.

Summary

In the Action element of resource-based policies, you can only specify Prometheus compatible APIs. I found that it is not possible to specify non-compatible APIs or wildcards (*).
This is different from the APIs that can be specified in the Action element of IAM policies, so care should be taken not to confuse them.
Please be aware of this when setting up resource-based policies, such as when collecting metrics across accounts.
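A local pre-flight check for the three patterns tested above, added here as an example (not code from the original article): it inspects the Action element of a policy document and reports anything the service would reject, so a typo or a stray wildcard is caught before put-resource-policy returns a ValidationException. The set of Prometheus-compatible actions is taken from the article and is assumed to be incomplete; extend it from the AWS documentation.

```python
import json

# Prometheus-compatible actions named in the article. Assumption: the set is not
# exhaustive; extend it from the AWS documentation before relying on it.
PROMETHEUS_COMPATIBLE_ACTIONS = frozenset({
    "aps:RemoteWrite",
    "aps:GetSeries",
    "aps:GetLabels",
    "aps:GetMetricMetadata",
    "aps:QueryMetrics",
})


def _as_list(value):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def unsupported_actions(policy):
    """Return every Action value the service would reject, in document order.

    Only the Action element is inspected (that is what the article tested).
    Any pattern containing '*' is reported because the service rejected 'aps:*'
    outright; narrower patterns are conservatively treated the same way.
    """
    rejected = []
    for statement in policy.get("Statement", []):
        for action in _as_list(statement.get("Action", [])):
            if "*" in action or action not in PROMETHEUS_COMPATIBLE_ACTIONS:
                rejected.append(action)
    return rejected


def check_policy_file(path):
    """Load a policy JSON file (as passed to --policy file://...) and check it."""
    with open(path, encoding="utf-8") as fh:
        return unsupported_actions(json.load(fh))


# Constructed samples mirroring the article's three patterns (no real account data).
SAMPLE_POLICIES = {
    "compatible-only": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["aps:RemoteWrite", "aps:GetSeries", "aps:GetLabels", "aps:GetMetricMetadata"]}]},
    "non-compatible": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": "aps:CreateWorkspace"}]},
    "wildcard": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "aps:*"}]},
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        bad = unsupported_actions(policy)
        print(f"{name}: {'OK' if not bad else 'would be rejected: ' + ', '.join(bad)}")
```

Run it against amp-resource-policy2.json or amp-resource-policy3.json with check_policy_file and the offending action is listed before any API call is made.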

I hope this article was helpful.

References

https://docs.aws.amazon.com/prometheus/latest/APIReference/API_PutResourcePolicy.html

Footnotes
  1. https://docs.aws.amazon.com/ja_jp/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html
