Skip to main content

AI & assistant-friendly summary

This section provides structured content for AI assistants and search engines. You can cite or summarize it when referencing this page.

Summary

Most Amazon Managed Grafana bills do not explode because Grafana is “expensive. ” They explode because every engineer is an Editor, three forgotten service accounts still bill at $9 each, and the workspace is still on Grafana 9 while AWS shipped Grafana 12. 4 create support in April 2026 and in-p...

Key Facts

  • 4 in April/May 2026
  • Here is the workspace ops playbook: seats, IAM Identity Center, NAC/VPC, CMK, and a checklist you can run this week
  • Most Amazon Managed Grafana bills do not explode because Grafana is “expensive
  • They explode because every engineer is an Editor, three forgotten service accounts still bill at $9 each, and the workspace is still on Grafana 9 while AWS shipped Grafana 12
  • 4 create support in April 2026 and in-place upgrades in May 2026

Entity Definitions

CloudWatch
CloudWatch is an AWS service discussed in this article.
Amazon CloudWatch
Amazon CloudWatch is an AWS service discussed in this article.
IAM
IAM is an AWS service discussed in this article.
VPC
VPC is an AWS service discussed in this article.
EKS
EKS is an AWS service discussed in this article.
OpenSearch
OpenSearch is an AWS service discussed in this article.
compliance
compliance is a cloud computing concept discussed in this article.

Amazon Managed Grafana (2026): Workspace Best Practices for Grafana 12.4 — Seats, Auth, Network, and Dashboard Ops

DevOps & CI/CDPalaniappan P7 min read

Quick summary: Amazon Managed Grafana waste is rarely the $9 Editor seat itself — it is ten Editors who only view dashboards, orphan service accounts, and workspaces still on Grafana 9 while AWS shipped create + in-place upgrade to 12.4 in April/May 2026. Here is the workspace ops playbook: seats, IAM Identity Center, NAC/VPC, CMK, and a checklist you can run this week.

Key Takeaways

  • 4 in April/May 2026
  • Here is the workspace ops playbook: seats, IAM Identity Center, NAC/VPC, CMK, and a checklist you can run this week
  • Most Amazon Managed Grafana bills do not explode because Grafana is “expensive
  • They explode because every engineer is an Editor, three forgotten service accounts still bill at $9 each, and the workspace is still on Grafana 9 while AWS shipped Grafana 12
  • 4 create support in April 2026 and in-place upgrades in May 2026
Amazon Managed Grafana (2026): Workspace Best Practices for Grafana 12.4 — Seats, Auth, Network, and Dashboard Ops
Table of Contents

Most Amazon Managed Grafana bills do not explode because Grafana is “expensive.” They explode because every engineer is an Editor, three forgotten service accounts still bill at $9 each, and the workspace is still on Grafana 9 while AWS shipped Grafana 12.4 create support in April 2026 and in-place upgrades in May 2026. This post is the workspace ops playbook — seats, auth, network, encryption, dashboards — for teams that have already decided AMG is the right pane. It is not a second decision matrix for whether you need AMP/AMG at all.

If you have not named the gap CloudWatch + Application Signals fails to close, stop here and read Observability beyond CloudWatch (2026) first. The rest of this guide assumes you earned the second stack.

Reproduce this — Clone the artifact pack at examples/architecture-blog-2026/amazon-managed-grafana/. Open amg-seat-cost-model.csv for seat scenarios, run workspace-create.sh after setting GRAFANA_WORKSPACE_ROLE_ARN, and work the amg-best-practices-checklist.md this week.

Benchmark pattern (not a cited client) — Modeled 10-person Grafana access: all Editors at $9 → $90/mo. Reassign to 2 Editors + 8 Viewers → $58/mo (~36% lower on that slice). Same people, same workspace — only RBAC changed. Numbers from the seat cost CSV using the mid-2026 public pricing model (Editor $9 / Viewer $5 / Enterprise plugins +$45 per active user per workspace). Confirm current rates on the Amazon Managed Grafana pricing page.

When this post applies

You are hereDo this instead
CloudWatch dashboards answer every on-call questionStay on CloudWatch; do not open an AMG workspace
PromQL-native / Grafana habit / multi-source correlationContinue below
AMP bill is the pain, not the Grafana UIFix scrape/cardinality first — cardinality guide

Opinionated take: One shared AMG workspace with folder-level permissions beats five “team” workspaces. Licenses are per workspace per month; the same Viewer logging into two workspaces pays twice.

Workspace design: version, IAM, and the five-workspace ceiling

When you create a workspace you choose Grafana 9, 10, or 12. For anything new in mid-2026, choose 12 (12.4+): Drilldown apps for Prometheus/Loki/Tempo/Pyroscope-style exploration, Scenes-powered dashboards, and a stronger CloudWatch plugin (PPL/SQL on Logs, Metrics Insights cross-account, log anomaly detection). In-place upgrade to 12.4 is supported via console, SDK, or CLI — smoke-test critical dashboards before you click upgrade on the on-call workspace.

Other create-time decisions that are hard to undo casually:

  • Service managed vs customer managed IAM — prefer service-managed unless you need fine-grained policies across many accounts. Org member accounts need delegated-admin patterns for service-managed multi-account access.
  • Account access — current account vs organization-level data source reach.
  • Plugin admin — enable only if workspace admins must install/uninstall plugins; leaving it off reduces accidental plugin sprawl.
  • Grafana alerting — turn on for ops workspaces, but run 10.4+ (v8/v9 can emit multiple notifications for Grafana alerts).
  • Region quota — as many as five workspaces per Region per account. Treat that as a design constraint, not a target.

Example create (AWS CLI; Grafana 12.4, IAM Identity Center, service-managed permissions). Context: AWS CLI v2, role pre-created, Identity Center available in the account.

# See full script: examples/architecture-blog-2026/amazon-managed-grafana/workspace-create.sh
aws grafana create-workspace \
  --account-access-type CURRENT_ACCOUNT \
  --workspace-role-arn "$GRAFANA_WORKSPACE_ROLE_ARN" \
  --authentication-providers AWS_SSO \
  --permission-type SERVICE_MANAGED \
  --grafana-version "12.4" \
  --configuration '{"plugins": {"pluginAdminEnabled": true}}'

Auth and RBAC: Viewer by default

Authenticate with AWS IAM Identity Center, SAML, or both. Identity Center is the default path for most AWS-centric shops; SAML fits enterprises that already federate Grafana through Okta/Azure AD and want assertion-driven roles.

Role policy that actually controls the bill:

  1. Viewer for anyone who only opens dashboards during incidents ($5/active user/workspace/month).
  2. Editor for people who build and edit dashboards ($9).
  3. Admin for a tiny set who manage users, data sources, and plugins ($9 Editor license tier).

AWS bills active users — someone who logged in or made an API request in the month. Each workspace still needs a minimum of one Editor license even if nobody logs in. Enterprise plugins add $45 per active user when you need Grafana Labs enterprise data sources.

API users and service accounts are seats. Dashboard-as-code should use one dedicated service account with the least privilege that works. Disable the rest.

Network and data plane: NAC is not VPC

ControlWhat it doesWhen you need it
Network Access ControlRestricts clients that can hit the workspace URLAlmost always for production internet-facing UIs
VPC connectionLets Grafana reach private data sourcesAMP/OpenSearch/custom endpoints in private subnets
Dual-stack (IPv4 + IPv6)Workspace addressing on both stacks (Grafana ≥10.4)Only when you have a real IPv6 requirement (May 2026)

Before dual-stack: allow sso.signin.aws in firewalls/IdP configs, confirm IPv6 pathing, and ensure VPC subnets have IPv6 CIDRs if the workspace uses a VPC. Switching back to IPv4-only drops IPv6 clients immediately.

Security and compliance notes

  • Encryption at rest defaults to AWS-owned keys. Customer-managed KMS keys have been available since February 2026 for commercial Regions (not GovCloud). Choose CMK at create time when policy demands customer-controlled keys.
  • GovCloud (US) AMG availability landed January 2026; FedRAMP High authorization for GovCloud was announced July 2026. Enterprise plugins are not part of the GovCloud feature set — plan data-source strategy accordingly.

Data sources that earn the seat cost

AMG is worth the license when one pane correlates:

  • Amazon CloudWatch (metrics, Logs with PPL/SQL on Grafana 12.4 plugin paths)
  • Amazon Managed Service for Prometheus (PromQL-native teams)
  • AWS X-Ray
  • OpenSearch / third-party sources your SREs already live in

Enterprise plugins are a deliberate upsell: pay +$45/user only for a named source you cannot reach with open plugins. “We might need Splunk later” is not a reason to enable them on day one.

AMP ingestion cost is orthogonal — fix scrape intervals and cardinality in the AMP cost guide, not by deleting Grafana panels.

Dashboard and alerting ops

  • Prefer folders + permissions over a second workspace for team isolation.
  • Enable Grafana alerting on 10.4+; wire notification channels once; test for duplicate Slack/PagerDuty routes.
  • Provision dashboards via API/service account from git; do not hand-edit production JSON without a backup folder.
  • After a 12.4 upgrade, re-check Drilldown/Scenes-rendered dashboards and any CloudWatch Logs panels that move to PPL/SQL.

Best practices checklist (Monday morning)

Work the full list in amg-best-practices-checklist.md. The short version:

  1. Inventory Editors → reassign view-only users to Viewer.
  2. List API users and service accounts → disable orphans.
  3. Confirm Grafana version; schedule 12.4 upgrade if still on 9/10.
  4. Turn on Network Access Control for public endpoints.
  5. Confirm VPC path for private data sources.
  6. Decide CMK / GovCloud requirements explicitly — do not inherit console defaults silently.
  7. Re-read the tier decision matrix for any workload that still should not be on AMG.

What broke — Composite failure on a modeled 12-seat platform workspace: every engineer granted Editor, two CI service accounts left enabled after the pipeline moved to a single deploy key, and no Network Access Control on an internet-reachable URL. Seat line alone: 12 × $9 = $108, plus $18 for the two orphan Editor service accounts, before any Enterprise plugins. Fix: 2 Editors + 10 Viewers ($68), disable the orphan accounts (−$18), enable NAC. Nothing was “wrong” with Grafana — the workspace was configured like a shared admin password.

What to do this week

  1. Export or list active AMG users and roles; reassign anyone who has not edited a dashboard in 30 days to Viewer.
  2. Disable unused service accounts and API users.
  3. If the workspace is below 12.4, book a maintenance window for in-place upgrade after a dashboard smoke test.
  4. Enable NAC (and VPC if data sources are private).
  5. Run the checklist and archive the seat CSV with this month’s numbers.

Need a workspace review or help wiring AMG into an existing AMP/CloudWatch estate? Talk to our AWS observability engineers or see AWS managed services.

What this post doesn’t cover

  • Whether to adopt AMP/AMG vs Application Signals — see Observability beyond CloudWatch (2026).
  • AMP cardinality and scrape-interval cost — see Prometheus cardinality on AWS.
  • Self-hosted Grafana HA on EKS (operators, persistence, upgrade toil) — out of scope; AMG’s value prop is not running that fleet.
  • Loki/Tempo/Grafana OnCall deep dives — not covered here.
  • Exact current pricing — confirm Editor/Viewer/Enterprise rates and free-trial terms on the AMG pricing page; figures in this post and the CSV are the mid-2026 public model.

Related: Observability beyond CloudWatch · CloudWatch metrics, logs, and alarms best practices · Customer-facing SLA/SLO design · AWS managed services

If you only do one thing: Open your AMG workspace user list today and move every dashboard-only engineer from Editor to Viewer — then disable any service account that has not been used by CI this month.

More in This Track

Part of the reliability-observability Engineering Guides series.

PP
Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

AWS ArchitectureCloud MigrationGenAI on AWSCost OptimizationDevOps

Recommended Reading

Explore All Articles »
7 min

Observability Beyond CloudWatch (2026): When to Add Application Signals, ADOT, Managed Prometheus, and Grafana — and When Not To

The reflex to bolt Amazon Managed Prometheus + Grafana onto every workload is how observability bills quietly double. CloudWatch Application Signals now gives you an auto-discovered service map, SLOs, and traces with near-zero setup; AMP only earns its keep when you are PromQL-native or drowning in high-cardinality metrics — where ingestion (not retention) is the cost driver. Here is the decision matrix, an ADOT dual-export config, and the three levers that actually cut the AMP bill.