A newer version is available. For the latest information, see the
current release documentation.
IAM permissions required for Functionbeat deployment
editIAM permissions required for Functionbeat deployment
editThe role used to deploy Functionbeat to AWS must have the minimum privileges required to deploy and run the Lambda function.
The following sections show example policies that grant the required permissions.
CloudWatch logs
editThe following policy grants the permissions required to deploy and run a Lambda function that collects events from CloudWatch logs.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:UpdateStack", "cloudformation:ValidateTemplate", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "lambda:AddPermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DeleteSubscriptionFilter", "logs:DescribeLogGroups", "logs:PutSubscriptionFilter", "s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }
SQS and Kinesis
editThe following policy grants the permissions required to deploy and run a Lambda function that reads from SQS queues or Kinesis data streams.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:UpdateStack", "cloudformation:ValidateTemplate", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "lambda:AddPermission", "lambda:CreateFunction", "lambda:CreateEventSourceMapping", "lambda:DeleteFunction", "lambda:DeleteEventSourceMapping", "lambda:GetEventSourceMapping", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "logs:DescribeLogGroups", "logs:CreateLogGroup", "s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }