AWS CloudWatch -- With AssumeRole

This is an AWS-recommended method for sharing access across accounts.

To connect using AssumeRole, we recommend setting up a call with our team, because the setup requires several back-and-forth exchanges.

  1. Share your AWS Account Number with the Doctor Droid team.
  2. Create a new role in your account with the following Trust Policy. ({{Role_ARN}} will be shared by the Doctor Droid team.)
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::{{Role_ARN}}"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  3. Attach the following Policy to the role:
    PolicyName: CloudWatchReadOnlyAccessPolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 'cloudwatch:Describe*'
            - 'cloudwatch:Get*'
            - 'cloudwatch:List*'
            - 'logs:Get*'
            - 'logs:Describe*'
            - 'logs:List*'
            - 'logs:StartQuery'
            - 'logs:StopQuery'
            - 'logs:GetQueryResults'
            - 'logs:FilterLogEvents'
          Resource: '*'
    
  4. Share the ARN of the role you created with the Doctor Droid team.
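
Before sharing the role ARN in step 4, the role's two policy documents can be checked against what steps 2 and 3 specify. The following is an added example, not Doctor Droid's code: the function names are hypothetical, and the account ID and role name in the sample are constructed placeholders.

```python
import json
import re

# Actions granted by the page's CloudWatchReadOnlyAccessPolicy (step 3), lower-cased
# because IAM matches action names case-insensitively.
PAGE_ACTIONS = {a.lower() for a in (
    "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
    "logs:Get*", "logs:Describe*", "logs:List*", "logs:StartQuery",
    "logs:StopQuery", "logs:GetQueryResults", "logs:FilterLogEvents")}
# A fully resolved IAM principal: 12-digit account ID, then root, a role or a user.
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|role/\S+|user/\S+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc):
    """Findings for the step 2 trust policy; an empty list means it is as expected."""
    findings = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns or ["<none>"]:
            if "{{" in arn:
                findings.append(f"placeholder not replaced: {arn}")
            elif not PRINCIPAL_RE.match(arn):
                findings.append(f"principal is not a specific IAM ARN: {arn}")
    return findings


def audit_permissions(doc):
    """Allowed actions that go beyond the page's read-only list, sorted."""
    extra = set()
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") == "Allow":
            extra.update(a for a in _as_list(stmt.get("Action", []))
                         if a.lower() not in PAGE_ACTIONS)
    return sorted(extra)


if __name__ == "__main__":
    # Constructed sample: the account ID and role name are placeholders.
    trust = json.loads('{"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",'
                       ' "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-vendor-role"}}]}')
    print(audit_trust_policy(trust))  # []
```

The documents can be read back from IAM with `aws iam get-role` and `aws iam get-role-policy` and passed in as parsed JSON.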