application-signals-mcp:CallReadOnlyTool is a Read access-level action in the application-signals-mcp service. Grants permission to invoke read-only Application Signals MCP tools (list_monitored_services, get_service_detail, query_service_metrics, list_service_operations, get_slo, list_slos, search_transaction_spans, query_sampled_traces, list_slis, get_enablement_guide, list_change_events, list_group_services, audit_group_health, get_group_dependencies, get_group_changes, list_grouping_attribute_definitions, audit_services, audit_slos, audit_service_operations, analyze_canary_failures)
ARNs that application-signals-mcp:CallReadOnlyTool can be scoped to in an IAM policy.
Keys you can use in the Condition block of a policy that grants application-signals-mcp:CallReadOnlyTool.
Filters access by tag key-value pairs attached to the resource
A minimal policy that allows application-signals-mcp:CallReadOnlyTool. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowApplicationsignalsmcpCallReadOnlyTool",
"Effect": "Allow",
"Action": "application-signals-mcp:CallReadOnlyTool",
"Resource": "*"
}
]
}