In order to use Infrastructure integrations, you need to grant New Relic permission to read the relevant data from your account. Amazon Web Services (AWS) uses managed policies to grant these permissions.
Recommended policy
Recommendation: Grant an account-wide ReadOnlyAccess managed policy from AWS. AWS automatically updates this policy when new services are added or existing services are modified. New Relic Infrastructure integrations have been designed to function with ReadOnlyAccess policies. For instructions, see Connect AWS integrations to Infrastructure.
Exception: The Trusted Advisor integration is not covered by the ReadOnlyAccess policy. It requires the additional AWSSupportAccess managed policy. This is also the only integration that requires full access permissions (support:*) in order to correctly operate. We notified Amazon about this limitation. Once it's resolved we'll update documentation with more specific permissions required for this integration.
Optional policy
If you cannot use the ReadOnlyAccess managed policy from AWS, you can create your own customized policy based on the list of permissions. This allows you to specify the optimal permissions required to fetch data from AWS for each integration. While this option is available, it is not recommended because it must be manually updated when you add or modify your integrations.
New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom policy, it is your responsibility to maintain it and ensure proper data is being collected.
Here is an example of how to set the permissions:
- Cloud formation template
-
AWSTemplateFormatVersion: 2010-09-09 Outputs: NewRelicRoleArn: Description: NewRelicRole to monitor AWS Lambda Value: !GetAtt - NewRelicIntegrationsTemplate - Arn Parameters: NewRelicAccountNumber: Type: String Description: The Newrelic account number to send data AllowedPattern: '[0-9]+' Resources: NewRelicIntegrationsTemplate: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub NewRelicTemplateTest AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::754728514883:root' Action: 'sts:AssumeRole' Condition: StringEquals: 'sts:ExternalId': !Ref NewRelicAccountNumber Policies: - PolicyName: NewRelicIntegrations PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'elasticloadbalancing:DescribeLoadBalancers' - 'elasticloadbalancing:DescribeTargetGroups' - 'elasticloadbalancing:DescribeTags' - 'elasticloadbalancing:DescribeLoadBalancerAttributes' - 'elasticloadbalancing:DescribeListeners' - 'elasticloadbalancing:DescribeRules' - 'elasticloadbalancing:DescribeTargetGroupAttributes' - 'elasticloadbalancing:DescribeInstanceHealth' - 'elasticloadbalancing:DescribeLoadBalancerPolicies' - 'elasticloadbalancing:DescribeLoadBalancerPolicyTypes' - 'apigateway:GET' - 'apigateway:HEAD' - 'apigateway:OPTIONS' - 'autoscaling:DescribeLaunchConfigurations' - 'autoscaling:DescribeAutoScalingGroups' - 'autoscaling:DescribePolicies' - 'autoscaling:DescribeTags' - 'autoscaling:DescribeAccountLimits' - 'budgets:ViewBilling' - 'budgets:ViewBudget' - 'cloudfront:ListDistributions' - 'cloudfront:ListStreamingDistributions' - 'cloudfront:ListTagsForResource' - 'cloudtrail:LookupEvents' - 'dynamodb:DescribeLimits' - 'dynamodb:ListTables' - 'dynamodb:DescribeTable' - 'dynamodb:ListGlobalTables' - 'dynamodb:DescribeGlobalTable' - 'dynamodb:ListTagsOfResource' - 'ec2:DescribeVolumeStatus' - 'ec2:DescribeVolumes' - 'ec2:DescribeVolumeAttribute' - 'ec2:DescribeInstanceStatus' - 'ec2:DescribeInstances' - 'ec2:DescribeVpnConnections' - 'ecs:ListServices' - 'ecs:DescribeServices' - 'ecs:DescribeClusters' - 'ecs:ListClusters' - 'ecs:ListTagsForResource' - 'elasticfilesystem:DescribeMountTargets' - 'elasticfilesystem:DescribeFileSystems' - 'elasticache:DescribeCacheClusters' - 'elasticache:ListTagsForResource' - 'es:ListDomainNames' - 'es:DescribeElasticsearchDomain' - 'es:DescribeElasticsearchDomains' - 'es:ListTags' - 'elasticbeanstalk:DescribeEnvironments' - 'elasticbeanstalk:DescribeInstancesHealth' - 'elasticbeanstalk:DescribeConfigurationSettings' - 'elasticloadbalancing:DescribeLoadBalancers' - 'elasticmapreduce:ListInstances' - 'elasticmapreduce:ListClusters' - 'elasticmapreduce:DescribeCluster' - 'elasticmapreduce:ListInstanceGroups' - 'health:DescribeAffectedEntities' - 'health:DescribeEventDetails' - 'health:DescribeEvents' - 'iam:ListSAMLProviders' - 'iam:ListOpenIDConnectProviders' - 'iam:ListServerCertificates' - 'iam:GetAccountAuthorizationDetails' - 'iam:ListVirtualMFADevices' - 'iam:GetAccountSummary' - 'iot:ListTopicRules' - 'iot:GetTopicRule' - 'iot:ListThings' - 'firehose:DescribeDeliveryStream' - 'firehose:ListDeliveryStreams' - 'kinesis:ListStreams' - 'kinesis:DescribeStream' - 'kinesis:ListTagsForStream' - 'rds:ListTagsForResource' - 'rds:DescribeDBInstances' - 'rds:DescribeDBClusters' - 'route53:ListHealthChecks' - 'route53:GetHostedZone' - 'route53:ListHostedZones' - 'route53:ListResourceRecordSets' - 'route53:ListTagsForResources' - 's3:GetLifecycleConfiguration' - 's3:GetBucketTagging' - 's3:ListAllMyBuckets' - 's3:GetBucketWebsite' - 's3:GetBucketLogging' - 's3:GetBucketCORS' - 's3:GetBucketVersioning' - 's3:GetBucketAcl' - 's3:GetBucketNotification' - 's3:GetBucketPolicy' - 's3:GetReplicationConfiguration' - 's3:GetMetricsConfiguration' - 's3:GetAccelerateConfiguration' - 's3:GetAnalyticsConfiguration' - 's3:GetBucketLocation' - 's3:GetBucketRequestPayment' - 's3:GetEncryptionConfiguration' - 's3:GetInventoryConfiguration' - 's3:GetIpConfiguration' - 'ses:ListConfigurationSet' - 'ses:GetSendQuota' - 'ses:DescribeConfigurationSet' - 'ses:ListReceiptFilters' - 'ses:ListReceiptRuleSets' - 'ses:DescribeReceiptRule' - 'ses:DescribeReceiptRuleSet' - 'sns:GetTopicAttributes' - 'sns:ListTopics' - 'sqs:ListQueues' - 'sqs:ListQueueTags' - 'sqs:GetQueueAttributes' - 'tag:GetResources' - 'tag:GetTagKeys' - 'tag:GetTagValues' - 'ec2:DescribeInternetGateways' - 'ec2:DescribeVpcs' - 'ec2:DescribeNatGateways' - 'ec2:DescribeVpcEndpoints' - 'ec2:DescribeSubnets' - 'ec2:DescribeNetworkAcls' - 'ec2:DescribeVpcAttribute' - 'ec2:DescribeRouteTables' - 'ec2:DescribeSecurityGroups' - 'ec2:DescribeVpcPeeringConnections' - 'ec2:DescribeNetworkInterfaces' - 'lambda:GetAccountSettings' - 'lambda:ListFunctions' - 'lambda:ListAliases' - 'lambda:ListTags' - 'lambda:ListEventSourceMappings' - 'cloudwatch:GetMetricStatistics' - 'cloudwatch:ListMetrics' - 'cloudwatch:GetMetricData' - 'support:*' Resource: '*'
Permissions
Permissions required for all integrations:
| All integrations | Permissions |
|---|---|
| CloudWatch |
|
| Resource Tagging API |
|
The following permissions are used by New Relic to retrieve data for specific AWS integrations:
- ALB permissions
-
Additional ALB permissions:
elasticloadbalancing:DescribeLoadBalancerselasticloadbalancing:DescribeTargetGroupselasticloadbalancing:DescribeTagselasticloadbalancing:DescribeLoadBalancerAttributeselasticloadbalancing:DescribeListenerselasticloadbalancing:DescribeRuleselasticloadbalancing:DescribeTargetGroupAttributeselasticloadbalancing:DescribeInstanceHealthelasticloadbalancing:DescribeLoadBalancerPolicieselasticloadbalancing:DescribeLoadBalancerPolicyTypes
- API Gateway permissions
-
Additional API Gateway permissions:
apigateway:GETapigateway:HEADapigateway:OPTIONS
- Auto Scaling permissions
-
Additional Auto Scaling permissions:
autoscaling:DescribeLaunchConfigurationsautoscaling:DescribeAutoScalingGroupsautoscaling:DescribePoliciesautoscaling:DescribeTagsautoscaling:DescribeAccountLimits
- Billing permissions
-
Additional Billing permissions:
budgets:ViewBillingbudgets:ViewBudget
- Cloudfront permissions
-
Additional Cloudfront permissions:
cloudfront:ListDistributionscloudfront:ListStreamingDistributionscloudfront:ListTagsForResource
- CloudTrail permissions
-
Additional CloudTrail permissions:
cloudtrail:LookupEvents
- DynamoDB permissions
-
Additional DynamoDB permissions:
dynamodb:DescribeLimitsdynamodb:ListTablesdynamodb:DescribeTabledynamodb:ListGlobalTablesdynamodb:DescribeGlobalTabledynamodb:ListTagsOfResource
- EBS permissions
-
Additional EBS permissions:
ec2:DescribeVolumeStatusec2:DescribeVolumesec2:DescribeVolumeAttribute
- EC2 permissions
-
Additional EC2 permissions:
ec2:DescribeInstanceStatusec2:DescribeInstances
- ECS/ECR permissions
-
Additional ECS/ECR permissions:
ecs:ListServicesecs:DescribeServicesecs:DescribeClustersecs:ListClustersecs:ListTagsForResource
- EFS permissions
-
Additional EFS permissions:
elasticfilesystem:DescribeMountTargetselasticfilesystem:DescribeFileSystems
- ElastiCache permissions
-
Additional ElastiCache permissions:
elasticache:DescribeCacheClusterselasticache:ListTagsForResource
- ElasticSearch permissions
-
Additional ElasticSearch permissions:
es:ListDomainNameses:DescribeElasticsearchDomaines:DescribeElasticsearchDomainses:ListTags
- Elastic Beanstalk permissions
-
Additional Elastic Beanstalk permissions:
elasticbeanstalk:DescribeEnvironmentselasticbeanstalk:DescribeInstancesHealthelasticbeanstalk:DescribeConfigurationSettings
- ELB permissions
-
Additional ELB permissions:
elasticloadbalancing:DescribeLoadBalancers
- EMR permissions
-
Additional EMR permissions:
elasticmapreduce:ListInstanceselasticmapreduce:ListClusterselasticmapreduce:DescribeClusterelasticmapreduce:ListInstanceGroups
- Health permissions
-
Additional Health permissions:
health:DescribeAffectedEntitieshealth:DescribeEventDetailshealth:DescribeEvents
- IAM permissions
-
Additional IAM permissions:
iam:ListSAMLProvidersiam:ListOpenIDConnectProvidersiam:ListServerCertificatesiam:GetAccountAuthorizationDetailsiam:ListVirtualMFADevicesiam:GetAccountSummary
- IoT permissions
-
Additional IoT permissions:
iot:ListTopicRulesiot:GetTopicRuleiot:ListThings
- Kinesis Firehose permissions
-
Additional Kinesis Firehose permissions:
firehose:DescribeDeliveryStreamfirehose:ListDeliveryStreams
- Kinesis Streams permissions
-
Additional Kinesis Streams permissions:
kinesis:ListStreamskinesis:DescribeStreamkinesis:ListTagsForStream
- Lambda permissions
-
Additional Lambda permissions:
lambda:GetAccountSettingslambda:ListFunctionslambda:ListAliaseslambda:ListTagslambda:ListEventSourceMappings
- RDS, RDS Enhanced Monitoring permissions
-
Additional RDS and RDS Enhanced Monitoring permissions:
rds:ListTagsForResourcerds:DescribeDBInstancesrds:DescribeDBClusters
- Redshift permissions
-
Additional Redshift permissions:
redshift:DescribeClustersredshift:DescribeClusterParameters
- Route 53 permissions
-
Additional Route 53 permissions:
route53:ListHealthChecksroute53:GetHostedZoneroute53:ListHostedZonesroute53:ListResourceRecordSetsroute53:ListTagsForResources
- S3 permissions
-
Additional S3 permissions:
s3:GetLifecycleConfigurations3:GetBucketTaggings3:ListAllMyBucketss3:GetBucketWebsites3:GetBucketLoggings3:GetBucketCORSs3:GetBucketVersionings3:GetBucketAcls3:GetBucketNotifications3:GetBucketPolicys3:GetReplicationConfigurations3:GetMetricsConfigurations3:GetAccelerateConfigurations3:GetAnalyticsConfigurations3:GetBucketLocations3:GetBucketRequestPayments3:GetEncryptionConfigurations3:GetInventoryConfigurations3:GetIpConfiguration
- Simple Email Service (SES) permissions
-
Additional SES permissions:
ses:ListConfigurationSetsses:GetSendQuotases:DescribeConfigurationSetses:ListReceiptFiltersses:ListReceiptRuleSetsses:DescribeReceiptRuleses:DescribeReceiptRuleSet
- SNS permissions
-
Additional SNS permissions:
sns:GetTopicAttributessns:ListTopics
- SQS permissions
-
Additional SQS permissions:
sqs:ListQueuessqs:GetQueueAttributessqs:ListQueueTags
- Trusted Advisor permissions
-
Additional Trusted Advisor permissions:
support:*
See also the note about the Trusted Advisor integration and recommended policies.
- VPC permissions
-
Additional VPC permissions:
ec2:DescribeInternetGatewaysec2:DescribeVpcsec2:DescribeNatGatewaysec2:DescribeVpcEndpointsec2:DescribeSubnetsec2:DescribeNetworkAclsec2:DescribeVpcAttributeec2:DescribeRouteTablesec2:DescribeSecurityGroupsec2:DescribeVpcPeeringConnectionsec2:DescribeNetworkInterfacesec2:DescribeVpnConnections