---
title: Amazon Managed Grafana (2026): Workspace Best Practices for Grafana 12.4 — Seats, Auth, Network, and Dashboard Ops
description: Amazon Managed Grafana waste is rarely the $9 Editor seat itself — it is ten Editors who only view dashboards, orphan service accounts, and workspaces still on Grafana 9 while AWS shipped create + in-place upgrade to 12.4 in April/May 2026. Here is the workspace ops playbook: seats, IAM Identity Center, NAC/VPC, CMK, and a checklist you can run this week.
url: https://www.factualminds.com/blog/amazon-managed-grafana-workspace-best-practices-2026/
datePublished: 2026-07-17T00:00:00.000Z
dateModified: 2026-07-17T00:00:00.000Z
author: palaniappan-p
category: DevOps & CI/CD
tags: aws, observability, grafana, devops, cost-optimization, engineering-guide
---

# Amazon Managed Grafana (2026): Workspace Best Practices for Grafana 12.4 — Seats, Auth, Network, and Dashboard Ops

> Amazon Managed Grafana waste is rarely the $9 Editor seat itself — it is ten Editors who only view dashboards, orphan service accounts, and workspaces still on Grafana 9 while AWS shipped create + in-place upgrade to 12.4 in April/May 2026. Here is the workspace ops playbook: seats, IAM Identity Center, NAC/VPC, CMK, and a checklist you can run this week.

**Most Amazon Managed Grafana bills do not explode because Grafana is “expensive.”** They explode because every engineer is an Editor, three forgotten service accounts still bill at $9 each, and the workspace is still on Grafana 9 while AWS shipped **Grafana 12.4** create support in **April 2026** and **in-place upgrades** in **May 2026**. This post is the workspace ops playbook — seats, auth, network, encryption, dashboards — for teams that have already decided AMG is the right pane. It is not a second decision matrix for whether you need AMP/AMG at all.

If you have not named the gap CloudWatch + Application Signals fails to close, stop here and read [Observability beyond CloudWatch (2026)](/blog/aws-observability-beyond-cloudwatch-otel-prometheus-grafana-2026/) first. The rest of this guide assumes you earned the second stack.

> **Reproduce this** — Clone the artifact pack at [`examples/architecture-blog-2026/amazon-managed-grafana/`](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/). Open [`amg-seat-cost-model.csv`](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/amg-seat-cost-model.csv) for seat scenarios, run [`workspace-create.sh`](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/workspace-create.sh) after setting `GRAFANA_WORKSPACE_ROLE_ARN`, and work the [`amg-best-practices-checklist.md`](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/amg-best-practices-checklist.md) this week.

> **Benchmark pattern (not a cited client)** — Modeled 10-person Grafana access: all Editors at $9 → **$90/mo**. Reassign to 2 Editors + 8 Viewers → **$58/mo** (~**36%** lower on that slice). Same people, same workspace — only RBAC changed. Numbers from the [seat cost CSV](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/amg-seat-cost-model.csv) using the mid-2026 public pricing model (Editor $9 / Viewer $5 / Enterprise plugins +$45 per active user per workspace). Confirm current rates on the [Amazon Managed Grafana pricing](https://aws.amazon.com/grafana/pricing/) page.

## When this post applies

| You are here                                             | Do this instead                                                                                                         |
| -------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| CloudWatch dashboards answer every on-call question      | Stay on CloudWatch; do not open an AMG workspace                                                                        |
| PromQL-native / Grafana habit / multi-source correlation | Continue below                                                                                                          |
| AMP bill is the pain, not the Grafana UI                 | Fix scrape/cardinality first — [cardinality guide](/blog/prometheus-cardinality-explosion-amp-cloudwatch-cost-control/) |

**Opinionated take:** One shared AMG workspace with folder-level permissions beats five “team” workspaces. Licenses are **per workspace per month**; the same Viewer logging into two workspaces pays twice.

## Workspace design: version, IAM, and the five-workspace ceiling

When you create a workspace you choose Grafana **9, 10, or 12**. For anything new in mid-2026, choose **12** (12.4+): Drilldown apps for Prometheus/Loki/Tempo/Pyroscope-style exploration, Scenes-powered dashboards, and a stronger CloudWatch plugin (PPL/SQL on Logs, Metrics Insights cross-account, log anomaly detection). In-place upgrade to 12.4 is supported via console, SDK, or CLI — smoke-test critical dashboards before you click upgrade on the on-call workspace.

Other create-time decisions that are hard to undo casually:

- **Service managed vs customer managed** IAM — prefer service-managed unless you need fine-grained policies across many accounts. Org member accounts need delegated-admin patterns for service-managed multi-account access.
- **Account access** — current account vs organization-level data source reach.
- **Plugin admin** — enable only if workspace admins must install/uninstall plugins; leaving it off reduces accidental plugin sprawl.
- **Grafana alerting** — turn on for ops workspaces, but run **10.4+** (v8/v9 can emit multiple notifications for Grafana alerts).
- **Region quota** — as many as **five workspaces per Region** per account. Treat that as a design constraint, not a target.

Example create (AWS CLI; Grafana **12.4**, IAM Identity Center, service-managed permissions). Context: AWS CLI v2, role pre-created, Identity Center available in the account.

```bash
# See full script: examples/architecture-blog-2026/amazon-managed-grafana/workspace-create.sh
aws grafana create-workspace \
  --account-access-type CURRENT_ACCOUNT \
  --workspace-role-arn "$GRAFANA_WORKSPACE_ROLE_ARN" \
  --authentication-providers AWS_SSO \
  --permission-type SERVICE_MANAGED \
  --grafana-version "12.4" \
  --configuration '{"plugins": {"pluginAdminEnabled": true}}'
```

## Auth and RBAC: Viewer by default

Authenticate with **AWS IAM Identity Center**, **SAML**, or both. Identity Center is the default path for most AWS-centric shops; SAML fits enterprises that already federate Grafana through Okta/Azure AD and want assertion-driven roles.

Role policy that actually controls the bill:

1. **Viewer** for anyone who only opens dashboards during incidents ($5/active user/workspace/month).
2. **Editor** for people who build and edit dashboards ($9).
3. **Admin** for a tiny set who manage users, data sources, and plugins ($9 Editor license tier).

AWS bills **active** users — someone who logged in or made an API request in the month. Each workspace still needs a **minimum of one Editor** license even if nobody logs in. Enterprise plugins add **$45** per active user when you need Grafana Labs enterprise data sources.

**API users and service accounts are seats.** Dashboard-as-code should use one dedicated service account with the least privilege that works. Disable the rest.

## Network and data plane: NAC is not VPC

| Control                  | What it does                                        | When you need it                                      |
| ------------------------ | --------------------------------------------------- | ----------------------------------------------------- |
| Network Access Control   | Restricts clients that can hit the workspace URL    | Almost always for production internet-facing UIs      |
| VPC connection           | Lets Grafana reach private data sources             | AMP/OpenSearch/custom endpoints in private subnets    |
| Dual-stack (IPv4 + IPv6) | Workspace addressing on both stacks (Grafana ≥10.4) | Only when you have a real IPv6 requirement (May 2026) |

Before dual-stack: allow `sso.signin.aws` in firewalls/IdP configs, confirm IPv6 pathing, and ensure VPC subnets have IPv6 CIDRs if the workspace uses a VPC. Switching back to IPv4-only drops IPv6 clients immediately.

## Security and compliance notes

- **Encryption at rest** defaults to AWS-owned keys. **Customer-managed KMS** keys have been available since **February 2026** for commercial Regions (not GovCloud). Choose CMK at create time when policy demands customer-controlled keys.
- **GovCloud (US)** AMG availability landed **January 2026**; **FedRAMP High** authorization for GovCloud was announced **July 2026**. Enterprise plugins are not part of the GovCloud feature set — plan data-source strategy accordingly.

## Data sources that earn the seat cost

AMG is worth the license when one pane correlates:

- **Amazon CloudWatch** (metrics, Logs with PPL/SQL on Grafana 12.4 plugin paths)
- **Amazon Managed Service for Prometheus** (PromQL-native teams)
- **AWS X-Ray**
- OpenSearch / third-party sources your SREs already live in

Enterprise plugins are a deliberate upsell: pay **+$45/user** only for a named source you cannot reach with open plugins. “We might need Splunk later” is not a reason to enable them on day one.

AMP **ingestion** cost is orthogonal — fix scrape intervals and cardinality in [the AMP cost guide](/blog/prometheus-cardinality-explosion-amp-cloudwatch-cost-control/), not by deleting Grafana panels.

## Dashboard and alerting ops

- Prefer **folders + permissions** over a second workspace for team isolation.
- Enable **Grafana alerting** on 10.4+; wire notification channels once; test for duplicate Slack/PagerDuty routes.
- Provision dashboards via API/service account from git; do not hand-edit production JSON without a backup folder.
- After a **12.4** upgrade, re-check Drilldown/Scenes-rendered dashboards and any CloudWatch Logs panels that move to PPL/SQL.

## Best practices checklist (Monday morning)

Work the full list in [`amg-best-practices-checklist.md`](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/amg-best-practices-checklist.md). The short version:

1. Inventory Editors → reassign view-only users to **Viewer**.
2. List API users and **service accounts** → disable orphans.
3. Confirm Grafana version; schedule **12.4** upgrade if still on 9/10.
4. Turn on **Network Access Control** for public endpoints.
5. Confirm VPC path for private data sources.
6. Decide CMK / GovCloud requirements explicitly — do not inherit console defaults silently.
7. Re-read the [tier decision matrix](https://www.factualminds.com/examples/architecture-blog-2026/observability-stack/observability-tier-decision-matrix.md) for any workload that still should not be on AMG.

> **What broke** — Composite failure on a modeled 12-seat platform workspace: every engineer granted Editor, two CI service accounts left enabled after the pipeline moved to a single deploy key, and no Network Access Control on an internet-reachable URL. Seat line alone: 12 × $9 = **$108**, plus **$18** for the two orphan Editor service accounts, before any Enterprise plugins. Fix: 2 Editors + 10 Viewers (**$68**), disable the orphan accounts (**−$18**), enable NAC. Nothing was “wrong” with Grafana — the workspace was configured like a shared admin password.

## What to do this week

1. Export or list active AMG users and roles; reassign anyone who has not edited a dashboard in 30 days to **Viewer**.
2. Disable unused **service accounts** and API users.
3. If the workspace is below 12.4, book a maintenance window for in-place upgrade after a dashboard smoke test.
4. Enable **NAC** (and VPC if data sources are private).
5. Run the [checklist](https://www.factualminds.com/examples/architecture-blog-2026/amazon-managed-grafana/amg-best-practices-checklist.md) and archive the seat CSV with this month’s numbers.

Need a workspace review or help wiring AMG into an existing AMP/CloudWatch estate? [Talk to our AWS observability engineers](/contact-us/) or see [AWS managed services](/services/aws-managed-services/).

## What this post doesn't cover

- **Whether to adopt AMP/AMG vs Application Signals** — see [Observability beyond CloudWatch (2026)](/blog/aws-observability-beyond-cloudwatch-otel-prometheus-grafana-2026/).
- **AMP cardinality and scrape-interval cost** — see [Prometheus cardinality on AWS](/blog/prometheus-cardinality-explosion-amp-cloudwatch-cost-control/).
- **Self-hosted Grafana HA on EKS** (operators, persistence, upgrade toil) — out of scope; AMG’s value prop is not running that fleet.
- **Loki/Tempo/Grafana OnCall deep dives** — not covered here.
- **Exact current pricing** — confirm Editor/Viewer/Enterprise rates and free-trial terms on the [AMG pricing page](https://aws.amazon.com/grafana/pricing/); figures in this post and the CSV are the mid-2026 public model.

---

**Related:** [Observability beyond CloudWatch](/blog/aws-observability-beyond-cloudwatch-otel-prometheus-grafana-2026/) · [CloudWatch metrics, logs, and alarms best practices](/blog/aws-cloudwatch-observability-metrics-logs-alarms-best-practices/) · [Customer-facing SLA/SLO design](/blog/customer-facing-sla-slo-design-aws/) · [AWS managed services](/services/aws-managed-services/)

**If you only do one thing:** Open your AMG workspace user list today and move every dashboard-only engineer from Editor to Viewer — then disable any service account that has not been used by CI this month.

## More in This Track

Part of the **reliability-observability** Engineering Guides series.

- Previous: [Part 6 — Chaos engineering with AWS FIS](/blog/aws-chaos-engineering-resilience-program-fis-2026/)
- Start of track: [Part 1 — Observability beyond CloudWatch](/blog/aws-observability-beyond-cloudwatch-otel-prometheus-grafana-2026/)
- Browse: [Engineering Guides hub](/resources/engineering-guides/)

## FAQ

### When should we NOT use Amazon Managed Grafana?
Skip Amazon Managed Grafana when CloudWatch dashboards already answer your questions and your telemetry lives entirely in AWS — you do not need a second visualization layer and its per-active-user billing. AMG earns its place when you need one pane across AWS and third-party sources, when the team is already Grafana-native (PromQL dashboards over Amazon Managed Service for Prometheus), or when you need Grafana alerting/folders that CloudWatch dashboards do not cover. If you cannot name the specific gap CloudWatch fails to close, stay on CloudWatch and read our observability tier decision post before standing up a workspace.

### Should we create new workspaces on Grafana 12.4 or stay on 10?
Create new workspaces on Grafana 12.4. AWS announced create support for 12.4 in April 2026 and in-place upgrades in May 2026, bringing Drilldown apps, Scenes-powered dashboards, and CloudWatch plugin improvements (PPL/SQL queries, log anomaly detection). Stay on 10 only while you finish a smoke-tested upgrade for critical dashboards — do not default new environments to an older major version out of habit. If you still run Grafana alerting on version 8 or 9, plan the move: those versions can send multiple notifications for Grafana alerts; AWS recommends 10.4 or later for alerting workspaces.

### What goes wrong with Grafana API users and service accounts on AMG?
API keys and service accounts bill like human seats. An Admin/Editor API user or service account costs $9 per active month; a Viewer-tier one costs $5 — and they stay billable until you delete or disable them. The common failure is a CI pipeline that created three Editor service accounts for dashboard sync, then moved to another mechanism without disabling the old accounts. You pay for ghosts. Inventory service accounts monthly the same way you audit human Editors, and prefer one dedicated service account with the minimum role the pipeline needs.

### Does Network Access Control replace a VPC connection for Amazon Managed Grafana?
No. Network Access Control (NAC) restricts who can reach the Grafana workspace endpoint (CIDRs / prefix lists). A VPC connection is how the workspace reaches private data sources inside your VPC. Use NAC for internet-facing workspaces so the UI is not open to the world; use VPC when Prometheus, OpenSearch, or other sources are not publicly reachable. Many production setups need both. Dual-stack (IPv4+IPv6) is available for Grafana 10.4+ as of May 2026 — only enable it if you need IPv6, and verify firewall rules for sso.signin.aws and IPv6 CIDRs on VPC subnets first.

### How do we cut Amazon Managed Grafana cost without deleting the workspace?
Reassign dashboard-only engineers from Editor ($9) to Viewer ($5), disable orphan API users and service accounts, avoid a second workspace for the same people (licenses are per workspace), and skip Enterprise plugins (+$45/user) until you have a named third-party data source that requires them. In our mid-2026 seat model, moving a 10-person all-Editor slice to 2 Editors + 8 Viewers drops that slice from $90 to $58 per month (~36%). Confirm current rates on the AWS pricing page — figures here are the public mid-2026 model. AMP ingestion cost is a separate lever; do not confuse seat hygiene with scrape cardinality.

### When do we need a customer-managed KMS key for Amazon Managed Grafana?
Use a customer-managed KMS key when compliance or internal policy requires you to own and rotate the encryption key for data at rest. AWS-owned keys are the default and are fine for many teams. CMK support shipped in February 2026 and is available in commercial Regions where AMG is GA, excluding AWS GovCloud (US). If you are in GovCloud for FedRAMP High, plan encryption expectations against the GovCloud feature set (Enterprise plugins are also unavailable there) rather than copying a commercial-account CMK checklist blindly.

---

*Source: https://www.factualminds.com/blog/amazon-managed-grafana-workspace-best-practices-2026/*
