Integrations and managed policies

To use Infrastructure integrations, you must grant New Relic permission to read the relevant data from your AWS account. Amazon Web Services (AWS) uses managed policies to grant these permissions.

Recommendation: Grant an account-wide ReadOnlyAccess managed policy from AWS. AWS automatically updates this policy when new services are added or existing services are modified. New Relic Infrastructure integrations have been designed to function with ReadOnlyAccess policies. For instructions, see Connect AWS integrations to Infrastructure.

Exception: The Trusted Advisor integration is not covered by the ReadOnlyAccess policy; it requires the additional AWSSupportAccess managed policy. It is also the only integration that requires full access permissions (support:*) in order to operate correctly. We have notified Amazon about this limitation; once it is resolved, we will update the documentation with the specific permissions required for this integration.

Optional policy

If you cannot use the ReadOnlyAccess managed policy from AWS, you can create your own customized policy based on the list of permissions below. This lets you grant only the permissions required to fetch data from AWS for each integration. While this option is available, it is not recommended, because the policy must be manually updated whenever you add or modify integrations.

New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom policy, it is your responsibility to maintain it and to ensure that the proper data is being collected.

Here is an example of how to set the permissions:

CloudFormation template
AWSTemplateFormatVersion: 2010-09-09
Outputs:
  NewRelicRoleArn:
    Description: NewRelicRole to monitor AWS Lambda
    Value: !GetAtt 
      - NewRelicIntegrationsTemplate
      - Arn
Parameters:
  NewRelicAccountNumber:
    Type: String
    Description: The New Relic account number to send data to
    AllowedPattern: '[0-9]+'
Resources:
  NewRelicIntegrationsTemplate:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub NewRelicTemplateTest
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::754728514883:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref NewRelicAccountNumber
      Policies:
        - PolicyName: NewRelicIntegrations
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticloadbalancing:DescribeTargetGroups'
                  - 'elasticloadbalancing:DescribeTags'
                  - 'elasticloadbalancing:DescribeLoadBalancerAttributes'
                  - 'elasticloadbalancing:DescribeListeners'
                  - 'elasticloadbalancing:DescribeRules'
                  - 'elasticloadbalancing:DescribeTargetGroupAttributes'
                  - 'elasticloadbalancing:DescribeInstanceHealth'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicies'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicyTypes'
                  - 'apigateway:GET'
                  - 'apigateway:HEAD'
                  - 'apigateway:OPTIONS'
                  - 'autoscaling:DescribeLaunchConfigurations'
                  - 'autoscaling:DescribeAutoScalingGroups'
                  - 'autoscaling:DescribePolicies'
                  - 'autoscaling:DescribeTags'
                  - 'autoscaling:DescribeAccountLimits'
                  - 'budgets:ViewBilling'
                  - 'budgets:ViewBudget'
                  - 'cloudfront:ListDistributions'
                  - 'cloudfront:ListStreamingDistributions'
                  - 'cloudfront:ListTagsForResource'
                  - 'cloudtrail:LookupEvents'
                  - 'dynamodb:DescribeLimits'
                  - 'dynamodb:ListTables'
                  - 'dynamodb:DescribeTable'
                  - 'dynamodb:ListGlobalTables'
                  - 'dynamodb:DescribeGlobalTable'
                  - 'dynamodb:ListTagsOfResource'
                  - 'ec2:DescribeVolumeStatus'
                  - 'ec2:DescribeVolumes'
                  - 'ec2:DescribeVolumeAttribute'
                  - 'ec2:DescribeInstanceStatus'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeVpnConnections'
                  - 'ecs:ListServices'
                  - 'ecs:DescribeServices'
                  - 'ecs:DescribeClusters'
                  - 'ecs:ListClusters'
                  - 'ecs:ListTagsForResource'
                  - 'elasticfilesystem:DescribeMountTargets'
                  - 'elasticfilesystem:DescribeFileSystems'
                  - 'elasticache:DescribeCacheClusters'
                  - 'elasticache:ListTagsForResource'
                  - 'es:ListDomainNames'
                  - 'es:DescribeElasticsearchDomain'
                  - 'es:DescribeElasticsearchDomains'
                  - 'es:ListTags'
                  - 'elasticbeanstalk:DescribeEnvironments'
                  - 'elasticbeanstalk:DescribeInstancesHealth'
                  - 'elasticbeanstalk:DescribeConfigurationSettings'
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticmapreduce:ListInstances'
                  - 'elasticmapreduce:ListClusters'
                  - 'elasticmapreduce:DescribeCluster'
                  - 'elasticmapreduce:ListInstanceGroups'
                  - 'health:DescribeAffectedEntities'
                  - 'health:DescribeEventDetails'
                  - 'health:DescribeEvents'
                  - 'iam:ListSAMLProviders'
                  - 'iam:ListOpenIDConnectProviders'
                  - 'iam:ListServerCertificates'
                  - 'iam:GetAccountAuthorizationDetails'
                  - 'iam:ListVirtualMFADevices'
                  - 'iam:GetAccountSummary'
                  - 'iot:ListTopicRules'
                  - 'iot:GetTopicRule'
                  - 'iot:ListThings'
                  - 'firehose:DescribeDeliveryStream'
                  - 'firehose:ListDeliveryStreams'
                  - 'kinesis:ListStreams'
                  - 'kinesis:DescribeStream'
                  - 'kinesis:ListTagsForStream'
                  - 'rds:ListTagsForResource'
                  - 'rds:DescribeDBInstances'
                  - 'rds:DescribeDBClusters'
                  - 'redshift:DescribeClusters'
                  - 'redshift:DescribeClusterParameters'
                  - 'route53:ListHealthChecks'
                  - 'route53:GetHostedZone'
                  - 'route53:ListHostedZones'
                  - 'route53:ListResourceRecordSets'
                  - 'route53:ListTagsForResources'
                  - 's3:GetLifecycleConfiguration'
                  - 's3:GetBucketTagging'
                  - 's3:ListAllMyBuckets'
                  - 's3:GetBucketWebsite'
                  - 's3:GetBucketLogging'
                  - 's3:GetBucketCORS'
                  - 's3:GetBucketVersioning'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketNotification'
                  - 's3:GetBucketPolicy'
                  - 's3:GetReplicationConfiguration'
                  - 's3:GetMetricsConfiguration'
                  - 's3:GetAccelerateConfiguration'
                  - 's3:GetAnalyticsConfiguration'
                  - 's3:GetBucketLocation'
                  - 's3:GetBucketRequestPayment'
                  - 's3:GetEncryptionConfiguration'
                  - 's3:GetInventoryConfiguration'
                  - 's3:GetIpConfiguration'
                  - 'ses:ListConfigurationSets'
                  - 'ses:GetSendQuota'
                  - 'ses:DescribeConfigurationSet'
                  - 'ses:ListReceiptFilters'
                  - 'ses:ListReceiptRuleSets'
                  - 'ses:DescribeReceiptRule'
                  - 'ses:DescribeReceiptRuleSet'
                  - 'sns:GetTopicAttributes'
                  - 'sns:ListTopics'
                  - 'sqs:ListQueues'
                  - 'sqs:ListQueueTags'
                  - 'sqs:GetQueueAttributes'
                  - 'tag:GetResources'
                  - 'tag:GetTagKeys'
                  - 'tag:GetTagValues'
                  - 'ec2:DescribeInternetGateways'
                  - 'ec2:DescribeVpcs'
                  - 'ec2:DescribeNatGateways'
                  - 'ec2:DescribeVpcEndpoints'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:DescribeNetworkAcls'
                  - 'ec2:DescribeVpcAttribute'
                  - 'ec2:DescribeRouteTables'
                  - 'ec2:DescribeSecurityGroups'
                  - 'ec2:DescribeVpcPeeringConnections'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'lambda:GetAccountSettings'
                  - 'lambda:ListFunctions'
                  - 'lambda:ListAliases'
                  - 'lambda:ListTags'
                  - 'lambda:ListEventSourceMappings'
                  - 'cloudwatch:GetMetricStatistics'
                  - 'cloudwatch:ListMetrics'
                  - 'cloudwatch:GetMetricData'
                  - 'support:*'
                Resource: '*'
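The text above leaves maintaining a custom policy to you, with no help from New Relic in spotting gaps. As an added example (not New Relic's code), here is a Python drift check that compares a policy document against a constructed subset of this page's permission lists, honouring IAM's `*` wildcards and explicit Deny, and confirms that the role's trust policy pins sts:ExternalId to your New Relic account number as the template does. REQUIRED, the function names and the sample documents are assumptions.

```python
import fnmatch

# Constructed subset of this page's permission lists (hypothetical; fill from the full lists you enable).
REQUIRED = {
    "all": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricData", "tag:GetResources", "tag:GetTagKeys",
            "tag:GetTagValues"],
    "Lambda": ["lambda:GetAccountSettings", "lambda:ListFunctions", "lambda:ListAliases",
               "lambda:ListTags", "lambda:ListEventSourceMappings"],
    "Trusted Advisor": ["support:*"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_granted(action, policy_doc):
    """IAM wildcard semantics for one action: an explicit Deny beats any Allow."""
    act = action.lower()
    matched = {"Allow": False, "Deny": False}
    for stmt in _as_list(policy_doc["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(act, pattern.lower()):
                matched[stmt["Effect"]] = True
    return matched["Allow"] and not matched["Deny"]

def missing_permissions(policy_doc, integrations):
    """Map each enabled integration to the required actions the policy does not grant."""
    report = {}
    for name in ["all", *integrations]:
        gaps = [a for a in REQUIRED[name] if not is_granted(a, policy_doc)]
        if gaps:
            report[name] = gaps
    return report

def external_id_enforced(trust_doc, expected_id):
    """True if every Allow of sts:AssumeRole pins sts:ExternalId to expected_id."""
    for stmt in _as_list(trust_doc["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != expected_id:
            return False
    return True

# Constructed samples: a policy that drifted from the Lambda list, and a trust policy without the ExternalId pin.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["cloudwatch:*", "tag:Get*", "lambda:GetAccountSettings",
               "lambda:ListFunctions", "lambda:ListAliases", "lambda:ListTags"]}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::754728514883:root"}}]}
```

Run it against the inline policy you attach to the role (for example the JSON returned by iam:GetRolePolicy) each time you enable an integration, and fail the deployment when the report is non-empty or the trust check is False.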
    

Permissions

Permissions required for all integrations:

CloudWatch permissions:

  • cloudwatch:GetMetricStatistics
  • cloudwatch:ListMetrics
  • cloudwatch:GetMetricData

Resource Tagging API permissions:

  • tag:GetResources
  • tag:GetTagKeys
  • tag:GetTagValues

The following permissions are used by New Relic to retrieve data for specific AWS integrations:

ALB permissions

Additional ALB permissions:

  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:DescribeLoadBalancerAttributes
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DescribeRules
  • elasticloadbalancing:DescribeTargetGroupAttributes
  • elasticloadbalancing:DescribeInstanceHealth
  • elasticloadbalancing:DescribeLoadBalancerPolicies
  • elasticloadbalancing:DescribeLoadBalancerPolicyTypes
API Gateway permissions

Additional API Gateway permissions:

  • apigateway:GET
  • apigateway:HEAD
  • apigateway:OPTIONS
Auto Scaling permissions

Additional Auto Scaling permissions:

  • autoscaling:DescribeLaunchConfigurations
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribePolicies
  • autoscaling:DescribeTags
  • autoscaling:DescribeAccountLimits
Billing permissions

Additional Billing permissions:

  • budgets:ViewBilling
  • budgets:ViewBudget
CloudFront permissions

Additional CloudFront permissions:

  • cloudfront:ListDistributions
  • cloudfront:ListStreamingDistributions
  • cloudfront:ListTagsForResource
CloudTrail permissions

Additional CloudTrail permissions:

  • cloudtrail:LookupEvents
DynamoDB permissions

Additional DynamoDB permissions:

  • dynamodb:DescribeLimits
  • dynamodb:ListTables
  • dynamodb:DescribeTable
  • dynamodb:ListGlobalTables
  • dynamodb:DescribeGlobalTable
  • dynamodb:ListTagsOfResource
EBS permissions

Additional EBS permissions:

  • ec2:DescribeVolumeStatus
  • ec2:DescribeVolumes
  • ec2:DescribeVolumeAttribute
EC2 permissions

Additional EC2 permissions:

  • ec2:DescribeInstanceStatus
  • ec2:DescribeInstances
ECS/ECR permissions

Additional ECS/ECR permissions:

  • ecs:ListServices
  • ecs:DescribeServices
  • ecs:DescribeClusters
  • ecs:ListClusters
  • ecs:ListTagsForResource
EFS permissions

Additional EFS permissions:

  • elasticfilesystem:DescribeMountTargets
  • elasticfilesystem:DescribeFileSystems
ElastiCache permissions

Additional ElastiCache permissions:

  • elasticache:DescribeCacheClusters
  • elasticache:ListTagsForResource
Elasticsearch permissions

Additional Elasticsearch permissions:

  • es:ListDomainNames
  • es:DescribeElasticsearchDomain
  • es:DescribeElasticsearchDomains
  • es:ListTags
Elastic Beanstalk permissions

Additional Elastic Beanstalk permissions:

  • elasticbeanstalk:DescribeEnvironments
  • elasticbeanstalk:DescribeInstancesHealth
  • elasticbeanstalk:DescribeConfigurationSettings
ELB permissions

Additional ELB permissions:

  • elasticloadbalancing:DescribeLoadBalancers
EMR permissions

Additional EMR permissions:

  • elasticmapreduce:ListInstances
  • elasticmapreduce:ListClusters
  • elasticmapreduce:DescribeCluster
  • elasticmapreduce:ListInstanceGroups
Health permissions

Additional Health permissions:

  • health:DescribeAffectedEntities
  • health:DescribeEventDetails
  • health:DescribeEvents
IAM permissions

Additional IAM permissions:

  • iam:ListSAMLProviders
  • iam:ListOpenIDConnectProviders
  • iam:ListServerCertificates
  • iam:GetAccountAuthorizationDetails
  • iam:ListVirtualMFADevices
  • iam:GetAccountSummary
IoT permissions

Additional IoT permissions:

  • iot:ListTopicRules
  • iot:GetTopicRule
  • iot:ListThings
Kinesis Firehose permissions

Additional Kinesis Firehose permissions:

  • firehose:DescribeDeliveryStream
  • firehose:ListDeliveryStreams
Kinesis Streams permissions

Additional Kinesis Streams permissions:

  • kinesis:ListStreams
  • kinesis:DescribeStream
  • kinesis:ListTagsForStream
Lambda permissions

Additional Lambda permissions:

  • lambda:GetAccountSettings
  • lambda:ListFunctions
  • lambda:ListAliases
  • lambda:ListTags
  • lambda:ListEventSourceMappings
RDS, RDS Enhanced Monitoring permissions

Additional RDS and RDS Enhanced Monitoring permissions:

  • rds:ListTagsForResource
  • rds:DescribeDBInstances
  • rds:DescribeDBClusters
Redshift permissions

Additional Redshift permissions:

  • redshift:DescribeClusters
  • redshift:DescribeClusterParameters
Route 53 permissions

Additional Route 53 permissions:

  • route53:ListHealthChecks
  • route53:GetHostedZone
  • route53:ListHostedZones
  • route53:ListResourceRecordSets
  • route53:ListTagsForResources
S3 permissions

Additional S3 permissions:

  • s3:GetLifecycleConfiguration
  • s3:GetBucketTagging
  • s3:ListAllMyBuckets
  • s3:GetBucketWebsite
  • s3:GetBucketLogging
  • s3:GetBucketCORS
  • s3:GetBucketVersioning
  • s3:GetBucketAcl
  • s3:GetBucketNotification
  • s3:GetBucketPolicy
  • s3:GetReplicationConfiguration
  • s3:GetMetricsConfiguration
  • s3:GetAccelerateConfiguration
  • s3:GetAnalyticsConfiguration
  • s3:GetBucketLocation
  • s3:GetBucketRequestPayment
  • s3:GetEncryptionConfiguration
  • s3:GetInventoryConfiguration
  • s3:GetIpConfiguration
Simple Email Service (SES) permissions

Additional SES permissions:

  • ses:ListConfigurationSets
  • ses:GetSendQuota
  • ses:DescribeConfigurationSet
  • ses:ListReceiptFilters
  • ses:ListReceiptRuleSets
  • ses:DescribeReceiptRule
  • ses:DescribeReceiptRuleSet
SNS permissions

Additional SNS permissions:

  • sns:GetTopicAttributes
  • sns:ListTopics
SQS permissions

Additional SQS permissions:

  • sqs:ListQueues
  • sqs:GetQueueAttributes
  • sqs:ListQueueTags
Trusted Advisor permissions

Additional Trusted Advisor permissions:

  • support:*

See also the note about the Trusted Advisor integration and recommended policies.

VPC permissions

Additional VPC permissions:

  • ec2:DescribeInternetGateways
  • ec2:DescribeVpcs
  • ec2:DescribeNatGateways
  • ec2:DescribeVpcEndpoints
  • ec2:DescribeSubnets
  • ec2:DescribeNetworkAcls
  • ec2:DescribeVpcAttribute
  • ec2:DescribeRouteTables
  • ec2:DescribeSecurityGroups
  • ec2:DescribeVpcPeeringConnections
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeVpnConnections
