IAM Permissions Required for Monitoring the AWS VPC
Learn the prerequisites IAM permissions required to monitor the AWS VPC.
Where Can I Use This?
  • AWS
What Do I Need?
  • AWS account
  • Amazon Machine Image (AMI) ID
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for AWS
To enable VM Monitoring, the IAM user whose AWS Access Key and Secret Access Key are configured on the firewall must have permissions for the monitored attributes. These privileges allow the firewall to make the API calls it needs to monitor the virtual machines in the AWS VPC.
The IAM policy associated with the user must either have global read-only access such as AmazonEC2ReadOnlyAccess, or must include individual permissions for all monitored attributes. The following IAM policy example lists the permissions for initiating the API actions for monitoring the resources in the AWS VPC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
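The policy above is the least-privilege choice: every action is a read-only Describe call, and "Resource": "*" is there because EC2 and ELB Describe actions do not support resource-level permissions, so a narrower resource would simply deny them. Before attaching a custom policy, it is worth checking offline that it still covers all eight actions (an explicit Deny anywhere in the policy wins over an Allow) and that it does not grant more than Describe calls. The checker below is an added example written for this page, not Palo Alto Networks code; the required action list is copied from the policy above, and the four sample policies it evaluates are constructed for illustration (the wildcard "read-only style" policy mimics the shape of a managed read-only policy but is not AmazonEC2ReadOnlyAccess verbatim).

```python
"""Offline checker: does an IAM policy document cover the actions VM Monitoring needs?

Added example, not vendor code. The required action list is taken from the policy in
the documentation; the sample policies below are constructed for demonstration.
"""
import fnmatch
import json

# The eight API actions the documentation's policy grants to the monitoring user.
REQUIRED_ACTIONS = (
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVpcs",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeSubnets",
)


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/NotAction; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """Evaluate one action against the policy: an explicit Deny always wins over Allow."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        elif not_actions:
            hit = not any(_matches(p, action) for p in not_actions)
        else:
            continue  # malformed statement that names no action
        if not hit:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def missing_actions(policy_json):
    """Return the required actions the policy does not grant (empty list means complete)."""
    policy = json.loads(policy_json)
    return [a for a in REQUIRED_ACTIONS if not action_allowed(policy, a)]


def broad_allows(policy_json):
    """Return Allow patterns wider than Describe* read-only calls, e.g. '*' or 'ec2:*'.

    Monitoring only needs Describe actions, so anything wider is excess privilege."""
    policy = json.loads(policy_json)
    broad = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            service, _, name = pattern.partition(":")
            if service == "*" or not name.lower().startswith("describe"):
                broad.append(pattern)
    return broad


# Constructed sample policies for demonstration (not real account policies).
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
})
READONLY_STYLE_POLICY = json.dumps({  # wildcard Describe*, the shape of a read-only policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"],
                   "Resource": "*"}],
})
TOO_BROAD_POLICY = json.dumps({  # grants all of EC2, and nothing for ELB
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})
DENIED_SUBNETS_POLICY = json.dumps({  # an explicit Deny overrides the wildcard Allow
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DescribeSubnets", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("readonly", READONLY_STYLE_POLICY),
                      ("too-broad", TOO_BROAD_POLICY), ("denied-subnets", DENIED_SUBNETS_POLICY)]:
        print(f"{name}: missing={missing_actions(doc)} broad={broad_allows(doc)}")
```

Run it against the JSON you intend to attach; an empty list from missing_actions means VM Monitoring will have every call it needs, and an empty list from broad_allows means the user holds nothing beyond read-only Describe calls. The checker evaluates only the identity policy document itself; permission boundaries, SCPs and conditions on statements are not modelled.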