AWS Integration requiring a lot of access rights

CMK version: CEE 2.3.0p30
OS version: Ubuntu 22.04

I’m trying to figure out what access rights checkmk actually needs to communicate with AWS.
The plugin works fine with the ReadOnlyAccess policy, but that policy feels a bit like a nuclear option.
I tried with these:

                "ec2:Get*",
                "ec2:Describe*",
                "s3:DescribeJob",
                "s3:Get*",
                "s3:List*",
                "cloudwatch:Describe*",
                "cloudwatch:GenerateQuery",
                "cloudwatch:Get*",
                "cloudwatch:List*"

but I guess something is still missing as the agent just gives error code 1
([special_aws] Agent exited with code 1: (!!))
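A quick way to see which API calls a candidate action list does not cover, as an added example that is not part of this thread or of Checkmk's own code: it wraps the actions quoted above in a standard IAM statement skeleton and matches a list of calls against them with IAM's wildcard rules. The sample calls are constructed for illustration; the thread does not state which calls the special agent actually makes, so those have to come from your own CloudTrail records.

```python
import json
import re
from typing import Iterable

# The Action list from the post, placed in the standard IAM policy skeleton
# (Version, Statement, Effect, Resource are the usual fields, not from the thread).
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Get*", "ec2:Describe*",
            "s3:DescribeJob", "s3:Get*", "s3:List*",
            "cloudwatch:Describe*", "cloudwatch:GenerateQuery",
            "cloudwatch:Get*", "cloudwatch:List*",
        ],
        "Resource": "*",
    }],
}

def _pattern_to_regex(pattern: str) -> re.Pattern:
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)

def uncovered_actions(policy: dict, used_actions: Iterable[str]) -> list[str]:
    """Return every used action that no Allow statement pattern matches.
    Only the Allow side is modelled; Deny statements, Conditions and
    Resource restrictions are out of scope for this check."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(_pattern_to_regex(a) for a in actions)
    return sorted(a for a in set(used_actions)
                  if not any(p.match(a) for p in patterns))

# Constructed sample in "service:EventName" form. Note that CloudTrail's
# eventSource prefix is not always the IAM prefix (monitoring.amazonaws.com
# events belong to the "cloudwatch" IAM namespace), so map before checking.
SAMPLE_CALLS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "s3:ListAllMyBuckets", "s3:GetBucketLocation",
    "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
    "sts:GetCallerIdentity", "rds:DescribeDBInstances",
]

if __name__ == "__main__":
    print(json.dumps({"not_covered": uncovered_actions(CANDIDATE_POLICY, SAMPLE_CALLS)}, indent=2))
```

Feed it the calls recorded for the monitoring principal and the output is the list of actions the candidate policy would still deny; the remaining question of which of those the agent genuinely needs is a judgement call, not something the script decides.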

Without having looked into the matter, I think the following is the case:

  • Get all information the ReadOnlyAccess policy grants.
  • Filter out in the agent what is needed/required to be monitored, drop the rest.

In my mind this is done simply due to the fact that gathering/grabbing all can be done with a single call.

If one (as a plugin developer) were to have to query each section separately, it would produce more (individual) calls per subsection, making an agent more complicated.

This approach makes sense in having all obtainable data available for possible future extension of a/the agent. (tbh, I also do this in a plugin/special agent I have written)

I do understand your concerns as to the amount of information obtained by the agent, however it is still under the ReadOnlyAccess policy, so from the monitoring side no alterations can be done.

  • Glowsome

Thanks for the insights, and yeah, my main worry is if monitoring tools really need access to read customer data, or if it can be restricted from them somehow.

As the plugin itself is supplied by CMK, besides my ‘interpretation/assumption’ as to the why, I’m just gonna ping @Sara who could explain (or let it be explained by colleagues) this from the CMK side.

  • Glowsome

Unfortunately, I would not be able to help here at the moment.

On the other hand, the error message could be investigated following some tips from this article to provide more useful information.