Set up Grafana with CloudWatch without an IAM user

  1. Install Grafana
  2. Create a Grafana policy (read-only access to CloudWatch metrics and to EC2 tags, instances and regions):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadingMetricsFromCloudWatch",
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:GetMetricData"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeTags",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Create a role named Grafana_role and attach the above policy to it. For the trusted entities use the JSON below, replacing xxx with your account ID so that the AWS principal is the ARN of Grafana_role itself (the role trusts the EC2 service so the instance can obtain its credentials, and trusts itself so Grafana can assume it by ARN):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::xxx:role/Grafana_role",
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  4. Attach the Grafana_role role to the running EC2 instance on which Grafana is installed (EC2 attaches a role through an instance profile).
  5. In Grafana, go to Data sources, add a new CloudWatch data source and enter the ARN of Grafana_role as the role to assume. Use the test-connection option to verify access, then add graphs.
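The same steps 2 to 4 as an AWS CLI script, added here as an example and not part of the original notes. It assumes the AWS CLI is configured with rights to manage IAM, that the role and policy names (Grafana_role, Grafana_policy) are ours to choose, and that the account ID and instance ID shown in the test and usage comments are placeholders. It also includes a small read-only check on the permission policy, so the role cannot silently grow beyond List/Get/Describe calls, and it creates the role in two steps because IAM rejects a trust policy that names a role which does not exist yet.

```shell
#!/usr/bin/env sh
# Added example (not from the original notes): steps 2-4 via the AWS CLI.
# Assumptions: ROLE_NAME/POLICY_NAME are our own choice; account and instance
# ids are placeholders; the CLI is configured with rights to manage IAM.

ROLE_NAME="${ROLE_NAME:-Grafana_role}"
POLICY_NAME="${POLICY_NAME:-Grafana_policy}"

# Step 2: read-only permission policy (same statements as the notes above).
grafana_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Step 3: trust policy. $1 = account id. The role trusts the EC2 service (so the
# instance gets credentials) and itself (so Grafana can assume it by ARN).
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$1:role/${ROLE_NAME}",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Least-privilege check on a policy document read from stdin: succeeds only if
# every "service:Action" string is a List/Get/Describe call.
policy_is_read_only() {
  ! grep -oE '"[a-z0-9]+:[A-Za-z]+"' \
    | grep -vE '"[a-z0-9]+:(List|Get|Describe)[A-Za-z]*"' \
    | grep -q .
}

# Apply steps 2-4. Usage: create_grafana_role <ec2-instance-id>
create_grafana_role() {
  instance_id="$1"
  account_id="$(aws sts get-caller-identity --query Account --output text)"

  policy_arn="$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "$(grafana_policy_json)" \
      --query Policy.Arn --output text)"

  # IAM refuses a trust policy that names a not-yet-existing role, so create the
  # role trusting only EC2, then replace the trust policy with the full one.
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
  aws iam update-assume-role-policy --role-name "$ROLE_NAME" \
      --policy-document "$(trust_policy_json "$account_id")"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"

  # Step 4: EC2 attaches a role via an instance profile of the same name.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
      --iam-instance-profile Name="$ROLE_NAME"

  # This ARN is what step 5 pastes into the Grafana CloudWatch data source.
  echo "arn:aws:iam::${account_id}:role/${ROLE_NAME}"
}

# Run directly with the instance id (placeholder shown) to apply everything:
#   sh setup_grafana_role.sh i-0123456789abcdef0
case "${1:-}" in
  i-*) grafana_policy_json | policy_is_read_only || { echo "policy is not read-only" >&2; exit 1; }
       create_grafana_role "$1" ;;
esac
```

After the instance profile is attached, running `aws sts get-caller-identity` on the instance should report an `assumed-role/Grafana_role` ARN; if it still shows the previous identity, the metadata credentials have not refreshed yet or the profile did not attach.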