# Amazon Managed Grafana — workspace ops checklist (2026)

Use this after you have decided AMG is the right visualization layer
([decision framework](https://www.factualminds.com/blog/aws-observability-beyond-cloudwatch-otel-prometheus-grafana-2026/)).
Confirm pricing and feature availability on the [AMG pricing](https://aws.amazon.com/grafana/pricing/)
and [User Guide](https://docs.aws.amazon.com/grafana/latest/userguide/what-is-Amazon-Managed-Service-Grafana.html) pages.

## Version & lifecycle

- [ ] New workspaces created on **Grafana 12.x** (12.4+ as of April 2026), not 9/10 by habit
- [ ] Existing 9/10 workspaces have an in-place upgrade plan to 12.4 (supported May 2026) after a dashboard smoke test
- [ ] Grafana alerting enabled only on workspaces running **10.4+** (v8/v9 can double-notify)
- [ ] Workspace count stays inside the **5 per Region** account limit; no “one workspace per squad” without a seat-cost reason

## Auth & seats

- [ ] Auth via **IAM Identity Center** and/or **SAML** (not ad-hoc shared passwords)
- [ ] Default role for new users is **Viewer** ($5); Editor/Admin ($9) only for dashboard authors
- [ ] At least one Editor exists (AWS minimum); not ten Editors “just in case”
- [ ] API users and **service accounts** inventoried — each bills as an active user until deleted/disabled
- [ ] Orphan CI service accounts disabled after pipeline changes
- [ ] Enterprise plugins ($45/user) justified by a named third-party data source, not “maybe later”

## Network & data plane

- [ ] **Network Access Control** enabled for internet-facing workspaces (prefix lists / CIDRs)
- [ ] VPC connection configured when data sources live in private subnets
- [ ] Dual-stack (IPv4+IPv6) only if required; Grafana ≥10.4; firewall allows `sso.signin.aws`; VPC subnets have IPv6 CIDRs if dual-stack + VPC
- [ ] Data-source IAM is least-privilege (prefer service-managed unless you need customer-managed policies)

## Security & compliance

- [ ] Customer-managed **KMS** key used when policy requires customer-controlled encryption at rest (not available in GovCloud)
- [ ] Regulated / federal workloads use GovCloud AMG where FedRAMP High applies (Enterprise plugins unavailable in GovCloud)
- [ ] Workspace tags used for ownership and IAM tag-based access where applicable

## Dashboards & alerting

- [ ] Plugin admin enabled only if operators must install/uninstall plugins
- [ ] Folder permissions match team boundaries; no org-wide Editor
- [ ] Dashboard-as-code uses a single dedicated service account (Viewer or Editor as needed), not personal API keys
- [ ] Alert notification channels tested; no silent duplicate routes to Slack/PagerDuty
- [ ] Cross-account AWS data sources use org/delegated-admin patterns documented in AMG IAM docs

## Cost hygiene (monthly)

- [ ] Active-user report reviewed: Editors who only view → reassigned to Viewer
- [ ] Seat model spreadsheet updated: [amg-seat-cost-model.csv](./amg-seat-cost-model.csv)
- [ ] Idle workspaces deleted (minimum 1 Editor/workspace still bills)
- [ ] AMP ingestion cost reviewed separately — seats are not the only observability bill ([AMP levers](../observability-stack/amp-cost-control.md))
