In order to use Infrastructure integrations, you need to grant New Relic permission to read the relevant data from your account. Amazon Web Services (AWS) uses managed policies to grant these permissions.
Recommended policy
New Relic highly recommends granting the account-wide ReadOnlyAccess managed policy from AWS. AWS automatically updates this policy when new services are added or existing services are modified, and New Relic Infrastructure integrations are designed to work with the ReadOnlyAccess policy. For instructions, see Connect AWS integrations to Infrastructure.
Trusted Advisor is currently the only integration that is not covered by the ReadOnlyAccess policy; it requires the additional AWSSupportAccess managed policy. It is also the only integration that requires full access permissions (support:*) in order to operate correctly. We have notified Amazon about this limitation; once it is resolved, we will update this documentation with the more specific permissions required for this integration.
Optional policy
If you're unable to use the ReadOnlyAccess managed policy from AWS, you can create your own customized policy based on the list of permissions below, which specifies the optimal permissions required to fetch data from AWS for each integration. While this option is available, it is not recommended, because the policy must be updated manually whenever you add or modify integrations.
New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom policy, it is your responsibility to maintain it and ensure that the proper data is being collected.
Here is an example of how to set the permissions, as a CloudFormation template. The role trusts New Relic's AWS account and pins the sts:ExternalId condition to your New Relic account number, so only a caller that presents that id can assume the role:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Outputs:
  NewRelicRoleArn:
    Description: NewRelicRole to monitor AWS Lambda
    Value: !GetAtt
      - NewRelicIntegrationsTemplate
      - Arn
Parameters:
  NewRelicAccountNumber:
    Type: String
    Description: The Newrelic account number to send data
    AllowedPattern: '[0-9]+'
Resources:
  NewRelicIntegrationsTemplate:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub NewRelicTemplateTest
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::754728514883:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref NewRelicAccountNumber
      Policies:
        - PolicyName: NewRelicIntegrations
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticloadbalancing:DescribeTargetGroups'
                  - 'elasticloadbalancing:DescribeTags'
                  - 'elasticloadbalancing:DescribeLoadBalancerAttributes'
                  - 'elasticloadbalancing:DescribeListeners'
                  - 'elasticloadbalancing:DescribeRules'
                  - 'elasticloadbalancing:DescribeTargetGroupAttributes'
                  - 'elasticloadbalancing:DescribeInstanceHealth'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicies'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicyTypes'
                  - 'apigateway:GET'
                  - 'apigateway:HEAD'
                  - 'apigateway:OPTIONS'
                  - 'autoscaling:DescribeLaunchConfigurations'
                  - 'autoscaling:DescribeAutoScalingGroups'
                  - 'autoscaling:DescribePolicies'
                  - 'autoscaling:DescribeTags'
                  - 'autoscaling:DescribeAccountLimits'
                  - 'budgets:ViewBilling'
                  - 'budgets:ViewBudget'
                  - 'cloudfront:ListDistributions'
                  - 'cloudfront:ListStreamingDistributions'
                  - 'cloudfront:ListTagsForResource'
                  - 'cloudtrail:LookupEvents'
                  - 'dynamodb:DescribeLimits'
                  - 'dynamodb:ListTables'
                  - 'dynamodb:DescribeTable'
                  - 'dynamodb:ListGlobalTables'
                  - 'dynamodb:DescribeGlobalTable'
                  - 'dynamodb:ListTagsOfResource'
                  - 'ec2:DescribeVolumeStatus'
                  - 'ec2:DescribeVolumes'
                  - 'ec2:DescribeVolumeAttribute'
                  - 'ec2:DescribeInstanceStatus'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeVpnConnections'
                  - 'ecs:ListServices'
                  - 'ecs:DescribeServices'
                  - 'ecs:DescribeClusters'
                  - 'ecs:ListClusters'
                  - 'ecs:ListTagsForResource'
                  - 'elasticfilesystem:DescribeMountTargets'
                  - 'elasticfilesystem:DescribeFileSystems'
                  - 'elasticache:DescribeCacheClusters'
                  - 'elasticache:ListTagsForResource'
                  - 'es:ListDomainNames'
                  - 'es:DescribeElasticsearchDomain'
                  - 'es:DescribeElasticsearchDomains'
                  - 'es:ListTags'
                  - 'elasticbeanstalk:DescribeEnvironments'
                  - 'elasticbeanstalk:DescribeInstancesHealth'
                  - 'elasticbeanstalk:DescribeConfigurationSettings'
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticmapreduce:ListInstances'
                  - 'elasticmapreduce:ListClusters'
                  - 'elasticmapreduce:DescribeCluster'
                  - 'elasticmapreduce:ListInstanceGroups'
                  - 'health:DescribeAffectedEntities'
                  - 'health:DescribeEventDetails'
                  - 'health:DescribeEvents'
                  - 'iam:ListSAMLProviders'
                  - 'iam:ListOpenIDConnectProviders'
                  - 'iam:ListServerCertificates'
                  - 'iam:GetAccountAuthorizationDetails'
                  - 'iam:ListVirtualMFADevices'
                  - 'iam:GetAccountSummary'
                  - 'iot:ListTopicRules'
                  - 'iot:GetTopicRule'
                  - 'iot:ListThings'
                  - 'firehose:DescribeDeliveryStream'
                  - 'firehose:ListDeliveryStreams'
                  - 'kinesis:ListStreams'
                  - 'kinesis:DescribeStream'
                  - 'kinesis:ListTagsForStream'
                  - 'rds:ListTagsForResource'
                  - 'rds:DescribeDBInstances'
                  - 'rds:DescribeDBClusters'
                  - 'route53:ListHealthChecks'
                  - 'route53:GetHostedZone'
                  - 'route53:ListHostedZones'
                  - 'route53:ListResourceRecordSets'
                  - 's3:GetLifecycleConfiguration'
                  - 's3:GetBucketTagging'
                  - 's3:ListAllMyBuckets'
                  - 's3:GetBucketWebsite'
                  - 's3:GetBucketLogging'
                  - 's3:GetBucketCORS'
                  - 's3:GetBucketVersioning'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketNotification'
                  - 's3:GetBucketPolicy'
                  - 's3:GetReplicationConfiguration'
                  - 's3:GetMetricsConfiguration'
                  - 's3:GetAccelerateConfiguration'
                  - 's3:GetAnalyticsConfiguration'
                  - 's3:GetBucketLocation'
                  - 's3:GetBucketRequestPayment'
                  - 's3:GetEncryptionConfiguration'
                  - 's3:GetInventoryConfiguration'
                  - 's3:GetIpConfiguration'
                  - 'ses:ListConfigurationSets'
                  - 'ses:GetSendQuota'
                  - 'ses:DescribeConfigurationSet'
                  - 'ses:ListReceiptFilters'
                  - 'ses:ListReceiptRuleSets'
                  - 'ses:DescribeReceiptRule'
                  - 'ses:DescribeReceiptRuleSet'
                  - 'sns:GetTopicAttributes'
                  - 'sns:ListTopics'
                  - 'sqs:ListQueues'
                  - 'sqs:ListQueueTags'
                  - 'sqs:GetQueueAttributes'
                  - 'ec2:DescribeInternetGateways'
                  - 'ec2:DescribeVpcs'
                  - 'ec2:DescribeNatGateways'
                  - 'ec2:DescribeVpcEndpoints'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:DescribeNetworkAcls'
                  - 'ec2:DescribeVpcAttribute'
                  - 'ec2:DescribeRouteTables'
                  - 'ec2:DescribeSecurityGroups'
                  - 'ec2:DescribeVpcPeeringConnections'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'lambda:GetAccountSettings'
                  - 'lambda:ListFunctions'
                  - 'lambda:ListAliases'
                  - 'lambda:ListTags'
                  - 'lambda:ListEventSourceMappings'
                  - 'cloudwatch:GetMetricStatistics'
                  - 'cloudwatch:ListMetrics'
                  - 'cloudwatch:GetMetricData'
                  - 'support:*'
                Resource: '*'
```
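Because a custom policy is yours to maintain, it helps to have an offline check that a hand-written policy still grants every action an integration needs, and that its wildcards do not quietly grant more than the list. The following Python script is an added example, not New Relic's or AWS's code. The permissions policy and trust policy it inspects are constructed samples; the required-action list is copied from this page's CloudWatch, Lambda and Trusted Advisor lists; the principal ARN matches the template above, while the ExternalId value is a placeholder. It uses only the standard library and runs without AWS credentials. It approximates IAM's action matching (case-insensitive, `*` and `?` wildcards, an explicit Deny beats an Allow) and ignores resource ARNs, conditions and SCPs, so treat it as a pre-commit check alongside the IAM policy simulator rather than a replacement for it.

```python
"""Offline checks for a custom New Relic integration policy (added example)."""
import fnmatch
import json

# Constructed custom policy: covers CloudWatch, uses a wildcard for Lambda
# (which misses lambda:GetAccountSettings) and explicitly denies lambda:ListTags.
CUSTOM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:List*", "Resource": "*"},
    {"Effect": "Allow", "Action": "support:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "lambda:ListTags", "Resource": "*"}
  ]
}
""")

# Constructed trust policy shaped like the template's AssumeRolePolicyDocument;
# the ExternalId value is a placeholder for your New Relic account number.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::754728514883:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_NEW_RELIC_ACCOUNT_NUMBER"}}
  }]
}
""")

# Required actions for three integrations, copied from the lists on this page.
REQUIRED = [
    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "lambda:GetAccountSettings", "lambda:ListFunctions", "lambda:ListAliases",
    "lambda:ListTags", "lambda:ListEventSourceMappings",
    "support:*",
]


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _actions(policy, effect):
    """All action patterns from statements with the given Effect."""
    return [a for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == effect for a in _as_list(s.get("Action"))]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED):
    """Required actions that no Allow covers or that an explicit Deny removes."""
    allows, denies = _actions(policy, "Allow"), _actions(policy, "Deny")
    return [a for a in required
            if not any(_matches(p, a) for p in allows)
            or any(_matches(p, a) for p in denies)]


def wildcard_grants(policy, required=REQUIRED):
    """Allow patterns with wildcards that are not themselves on the required
    list; each one grants more than the integrations need and deserves review."""
    return [p for p in _actions(policy, "Allow")
            if ("*" in p or "?" in p) and p not in required]


def trust_policy_issues(trust):
    """Findings per Allow sts:AssumeRole statement: the principal must be a
    specific account (never '*') and sts:ExternalId must be pinned, which is
    the confused-deputy guard the template's Condition block provides."""
    issues = []
    for i, stmt in enumerate(_as_list(trust.get("Statement"))):
        if stmt.get("Effect") != "Allow" or \
           "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            issues.append(f"statement {i}: principal is '*'")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            issues.append(f"statement {i}: no sts:ExternalId condition")
    return issues


if __name__ == "__main__":
    print("missing:", missing_actions(CUSTOM_POLICY))
    print("wildcards beyond the list:", wildcard_grants(CUSTOM_POLICY))
    print("trust policy issues:", trust_policy_issues(TRUST_POLICY) or "none")
```

Run against the sample, the report lists `lambda:GetAccountSettings` (not covered by `lambda:List*`) and `lambda:ListTags` (removed by the Deny) as missing, flags `lambda:List*` as broader than the list, and finds no trust-policy issues. To check your own policy, replace the two constructed documents with the JSON you deploy and extend `REQUIRED` with the lists for the integrations you enable.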
Permissions
Permissions required for all integrations:
| All integrations | Permissions |
|---|---|
| CloudWatch | cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics, cloudwatch:GetMetricData |
The following permissions are used by New Relic to retrieve data for specific AWS integrations:
- ALB permissions
  Additional ALB permissions:
  elasticloadbalancing:DescribeLoadBalancers
  elasticloadbalancing:DescribeTargetGroups
  elasticloadbalancing:DescribeTags
  elasticloadbalancing:DescribeLoadBalancerAttributes
  elasticloadbalancing:DescribeListeners
  elasticloadbalancing:DescribeRules
  elasticloadbalancing:DescribeTargetGroupAttributes
  elasticloadbalancing:DescribeInstanceHealth
  elasticloadbalancing:DescribeLoadBalancerPolicies
  elasticloadbalancing:DescribeLoadBalancerPolicyTypes
- API Gateway permissions
  Additional API Gateway permissions:
  apigateway:GET
  apigateway:HEAD
  apigateway:OPTIONS
- Auto Scaling permissions
  Additional Auto Scaling permissions:
  autoscaling:DescribeLaunchConfigurations
  autoscaling:DescribeAutoScalingGroups
  autoscaling:DescribePolicies
  autoscaling:DescribeTags
  autoscaling:DescribeAccountLimits
- Billing permissions
  Additional Billing permissions:
  budgets:ViewBilling
  budgets:ViewBudget
- CloudFront permissions
  Additional CloudFront permissions:
  cloudfront:ListDistributions
  cloudfront:ListStreamingDistributions
  cloudfront:ListTagsForResource
- DynamoDB permissions
  Additional DynamoDB permissions:
  dynamodb:DescribeLimits
  dynamodb:ListTables
  dynamodb:DescribeTable
  dynamodb:ListGlobalTables
  dynamodb:DescribeGlobalTable
  dynamodb:ListTagsOfResource
- EBS permissions
  Additional EBS permissions:
  ec2:DescribeVolumeStatus
  ec2:DescribeVolumes
  ec2:DescribeVolumeAttribute
- EC2 permissions
  Additional EC2 permissions:
  ec2:DescribeInstanceStatus
  ec2:DescribeInstances
- ECS/ECR permissions
  Additional ECS/ECR permissions:
  ecs:ListServices
  ecs:DescribeServices
  ecs:DescribeClusters
  ecs:ListClusters
  ecs:ListTagsForResource
- EFS permissions
  Additional EFS permissions:
  elasticfilesystem:DescribeMountTargets
  elasticfilesystem:DescribeFileSystems
- ElastiCache permissions
  Additional ElastiCache permissions:
  elasticache:DescribeCacheClusters
  elasticache:ListTagsForResource
- Elasticsearch permissions
  Additional Elasticsearch permissions:
  es:ListDomainNames
  es:DescribeElasticsearchDomain
  es:DescribeElasticsearchDomains
  es:ListTags
- Elastic Beanstalk permissions
  Additional Elastic Beanstalk permissions:
  elasticbeanstalk:DescribeEnvironments
  elasticbeanstalk:DescribeInstancesHealth
  elasticbeanstalk:DescribeConfigurationSettings
- ELB permissions
  Additional ELB permissions:
  elasticloadbalancing:DescribeLoadBalancers
- EMR permissions
  Additional EMR permissions:
  elasticmapreduce:ListInstances
  elasticmapreduce:ListClusters
  elasticmapreduce:DescribeCluster
  elasticmapreduce:ListInstanceGroups
- Health permissions
  Additional Health permissions:
  health:DescribeAffectedEntities
  health:DescribeEventDetails
  health:DescribeEvents
- IAM permissions
  Additional IAM permissions:
  iam:ListSAMLProviders
  iam:ListOpenIDConnectProviders
  iam:ListServerCertificates
  iam:GetAccountAuthorizationDetails
  iam:ListVirtualMFADevices
  iam:GetAccountSummary
- IoT permissions
  Additional IoT permissions:
  iot:ListTopicRules
  iot:GetTopicRule
  iot:ListThings
- Kinesis Firehose permissions
  Additional Kinesis Firehose permissions:
  firehose:DescribeDeliveryStream
  firehose:ListDeliveryStreams
- Kinesis Streams permissions
  Additional Kinesis Streams permissions:
  kinesis:ListStreams
  kinesis:DescribeStream
  kinesis:ListTagsForStream
- Lambda permissions
  Additional Lambda permissions:
  lambda:GetAccountSettings
  lambda:ListFunctions
  lambda:ListAliases
  lambda:ListTags
  lambda:ListEventSourceMappings
- RDS and RDS Enhanced Monitoring permissions
  Additional RDS and RDS Enhanced Monitoring permissions:
  rds:ListTagsForResource
  rds:DescribeDBInstances
  rds:DescribeDBClusters
- Redshift permissions
  Additional Redshift permissions:
  redshift:DescribeClusters
  redshift:DescribeClusterParameters
- Route 53 permissions
  Additional Route 53 permissions:
  route53:ListHealthChecks
  route53:GetHostedZone
  route53:ListHostedZones
  route53:ListResourceRecordSets
- S3 permissions
  Additional S3 permissions:
  s3:GetLifecycleConfiguration
  s3:GetBucketTagging
  s3:ListAllMyBuckets
  s3:GetBucketWebsite
  s3:GetBucketLogging
  s3:GetBucketCORS
  s3:GetBucketVersioning
  s3:GetBucketAcl
  s3:GetBucketNotification
  s3:GetBucketPolicy
  s3:GetReplicationConfiguration
  s3:GetMetricsConfiguration
  s3:GetAccelerateConfiguration
  s3:GetAnalyticsConfiguration
  s3:GetBucketLocation
  s3:GetBucketRequestPayment
  s3:GetEncryptionConfiguration
  s3:GetInventoryConfiguration
  s3:GetIpConfiguration
- Simple Email Service (SES) permissions
  Additional SES permissions:
  ses:ListConfigurationSets
  ses:GetSendQuota
  ses:DescribeConfigurationSet
  ses:ListReceiptFilters
  ses:ListReceiptRuleSets
  ses:DescribeReceiptRule
  ses:DescribeReceiptRuleSet
- SNS permissions
  Additional SNS permissions:
  sns:GetTopicAttributes
  sns:ListTopics
- SQS permissions
  Additional SQS permissions:
  sqs:ListQueues
  sqs:GetQueueAttributes
  sqs:ListQueueTags
- Trusted Advisor permissions
  Additional Trusted Advisor permissions:
  support:*
  See also the note about the Trusted Advisor integration under Recommended policy above.
- VPC permissions
  Additional VPC permissions:
  ec2:DescribeInternetGateways
  ec2:DescribeVpcs
  ec2:DescribeNatGateways
  ec2:DescribeVpcEndpoints
  ec2:DescribeSubnets
  ec2:DescribeNetworkAcls
  ec2:DescribeVpcAttribute
  ec2:DescribeRouteTables
  ec2:DescribeSecurityGroups
  ec2:DescribeVpcPeeringConnections
  ec2:DescribeNetworkInterfaces
  ec2:DescribeVpnConnections