You can monitor up to a total of 32 attributes—14 pre-defined and 18 user-defined as key value pairs. The following attributes (or tag names) are available as match criteria for dynamic address groups.
Attribute Format
Architecture Architecture.<Architecture string>
Guest OS GuestOS.<guest OS name>
Image ID ImageId.<ImageId string>
Instance ID InstanceId.<InstanceId string>
Instance State InstanceState.<instance state>
Instance Type InstanceType.<instance type>
Key Name KeyName.<KeyName string>
Placement—Tenancy, Group Name, Availability Placement.Tenancy.<string> Placement.GroupName.<string> Placement.AvailabilityZone.<string>
Private DNS Name PrivateDnsName.<Private DNS Name>
Public DNS Name PublicDnsName.<Public DNS Name>
Subnet ID SubnetID.<subnetID string>
Tag (key, value) aws-tag.<key>.<value> Maximum of 5 of these tags are supported per instance
VPC ID VpcId.<VpcId string>
IAM Permissions Required for Monitoring the AWS VPC
In order to enable VM Monitoring the user’s AWS login credentials tied to the AWS Access Key and Secret Access Key must have permissions for the attributes listed above. These privileges allow the firewall to initiate API calls for monitoring the virtual machines in the AWS VPC.
The IAM policy associated with the user must either have global read-only access such as AmazonEC2ReadOnlyAccess, or must include individual permissions for all of the monitored attributes. The following IAM policy example lists the permissions for initiating the API actions for monitoring the resources in the AWS VPC:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeKeyPairs",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcs"
],
"Resource": [
"*"
]
}
]
}

Related Documentation