Integrations and managed policies

To use Infrastructure integrations, you must grant New Relic permission to read the relevant data from your AWS account. New Relic does this by assuming an IAM role in your account; the permissions attached to that role are what this page describes. Amazon Web Services (AWS) provides managed policies that bundle these permissions.

New Relic strongly recommends attaching the account-wide ReadOnlyAccess managed policy from AWS to the role. AWS updates this policy automatically when new services are added or existing services change, so the role keeps working without changes on your side, and New Relic Infrastructure integrations are designed to work with it. Note that ReadOnlyAccess is broad: besides configuration metadata it includes read access to data in some services (for example s3:Get*, which covers object contents), so the role should be assumable only by New Relic's account and only with the ExternalId condition shown in the template below. For instructions, see Connect AWS integrations to Infrastructure.

Trusted Advisor is currently the only integration not covered by the ReadOnlyAccess policy; it also requires the AWSSupportAccess managed policy. It is likewise the only integration that needs full access to the Support API (support:*) in order to operate, which is a write-capable grant rather than a read-only one. We have notified Amazon of this limitation. Once it is resolved, we will update this documentation with the narrower permissions the integration requires.

Optional policy

If you cannot use the ReadOnlyAccess managed policy from AWS, you can create your own policy from the list of permissions below, which specifies the minimum permissions each integration needs to fetch data from AWS. This option is available but not recommended, because you must update the policy by hand whenever you add or modify integrations.

New Relic cannot detect problems caused by custom permissions. If you choose to create a custom policy, you are responsible for maintaining it and for verifying that the expected data is being collected. Calls that fail because an action is missing are recorded in CloudTrail as AccessDenied errors for the assumed role, which is the first place to look when an integration stops reporting data.
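Because New Relic cannot see drift in a custom policy, the check has to be done on your side. The script below is an added example, not New Relic's code: it reviews a role definition offline, confirming that the trust policy is restricted to New Relic's account and requires an sts:ExternalId (as the template on this page does), that a custom permissions policy still covers every action the enabled integrations need (a subset of the list further down), and listing any grant that is not a read-only verb, which is how support:* shows up. Both policy documents are constructed samples in IAM JSON form with a hypothetical New Relic account number (1234567) as the ExternalId; NotAction statements and resource-level conditions are deliberately not handled.

```python
"""Offline review of a custom New Relic integration role (added example)."""
import fnmatch

# Account that assumes the role: the Principal in the page's template.
NEW_RELIC_ACCOUNT = "754728514883"

# Constructed trust policy; 1234567 stands in for your New Relic account number.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{NEW_RELIC_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "1234567"}},
    }],
}

# Constructed permissions policy: covers CloudWatch, Lambda and Trusted Advisor,
# but lacks one Redshift action and has a Deny shadowing a Lambda action.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricData",
            "lambda:GetAccountSettings", "lambda:List*",
            "redshift:DescribeClusters",
            "support:*",
        ]},
        {"Effect": "Deny", "Resource": "*",
         "Action": "lambda:ListEventSourceMappings"},
    ],
}

# Per-integration requirements, copied from the page's Permissions list (subset).
REQUIRED = {
    "All integrations": ["cloudwatch:GetMetricStatistics",
                         "cloudwatch:ListMetrics", "cloudwatch:GetMetricData"],
    "Lambda": ["lambda:GetAccountSettings", "lambda:ListFunctions",
               "lambda:ListAliases", "lambda:ListTags",
               "lambda:ListEventSourceMappings"],
    "Redshift": ["redshift:DescribeClusters", "redshift:DescribeClusterParameters"],
    "Trusted Advisor": ["support:*"],
}

# Verbs treated as read-only; anything else (e.g. support:*) is reported.
READ_ONLY_VERBS = ("describe", "get", "list", "view", "lookup", "head", "options")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if some Allow statement matches the action and no Deny does."""
    allowed = denied = False
    for st in policy["Statement"]:
        if "NotAction" in st:
            raise ValueError("NotAction statements are not supported here")
        if any(_matches(p, action) for p in _as_list(st.get("Action", []))):
            if st["Effect"] == "Allow":
                allowed = True
            elif st["Effect"] == "Deny":
                denied = True
    return allowed and not denied


def missing_actions(policy, enabled):
    """Map each enabled integration to the required actions the policy lacks."""
    gaps = {}
    for name in enabled:
        lacking = [a for a in REQUIRED[name] if not action_allowed(policy, a)]
        if lacking:
            gaps[name] = lacking
    return gaps


def non_read_only(policy):
    """Allowed action patterns whose verb is not a read-only verb."""
    found = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for a in _as_list(st.get("Action", [])):
            verb = a.split(":", 1)[1] if ":" in a else a
            if not verb.lower().startswith(READ_ONLY_VERBS):
                found.append(a)
    return found


def trust_policy_findings(trust):
    """Problems with who may assume the role and under which condition."""
    findings, expected = [], f"arn:aws:iam::{NEW_RELIC_ACCOUNT}:"
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if not principals or any(not p.startswith(expected) for p in principals):
            findings.append("principal not restricted to the New Relic account")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("sts:ExternalId condition missing (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    print("trust policy:", trust_policy_findings(TRUST_POLICY) or "ok")
    print("missing actions:", missing_actions(PERMISSIONS_POLICY, list(REQUIRED)))
    print("non-read-only grants:", non_read_only(PERMISSIONS_POLICY))
```

Run against the sample, the script reports the Lambda action lost to the Deny and the missing Redshift action, and lists support:* as the only grant that is not read-only. To use it on a real role, load the trust and permissions documents with `aws iam get-role` and `aws iam get-role-policy` and keep REQUIRED in step with the Permissions list on this page for the integrations you have enabled.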

The following CloudFormation template creates a role that New Relic's AWS account can assume, restricted by an ExternalId that must equal your New Relic account number, and attaches an inline policy containing the permissions listed under Permissions below:

CloudFormation template
AWSTemplateFormatVersion: 2010-09-09
Outputs:
  NewRelicRoleArn:
    Description: ARN of the role New Relic assumes to read integration data
    Value: !GetAtt NewRelicIntegrationsTemplate.Arn
Parameters:
  NewRelicAccountNumber:
    Type: String
    Description: The New Relic account number to send data to
    AllowedPattern: '[0-9]+'
Resources:
  NewRelicIntegrationsTemplate:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: NewRelicTemplateTest
      # Trust policy: only New Relic's account may assume the role, and only
      # when it presents your account number as the ExternalId. The condition
      # is what prevents another New Relic customer from pointing at your role.
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::754728514883:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref NewRelicAccountNumber
      # To use the recommended managed policies instead of this custom policy,
      # replace Policies with:
      #   ManagedPolicyArns:
      #     - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      #     - 'arn:aws:iam::aws:policy/AWSSupportAccess'
      Policies:
        - PolicyName: NewRelicIntegrations
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  # ALB and classic ELB
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticloadbalancing:DescribeTargetGroups'
                  - 'elasticloadbalancing:DescribeTags'
                  - 'elasticloadbalancing:DescribeLoadBalancerAttributes'
                  - 'elasticloadbalancing:DescribeListeners'
                  - 'elasticloadbalancing:DescribeRules'
                  - 'elasticloadbalancing:DescribeTargetGroupAttributes'
                  - 'elasticloadbalancing:DescribeInstanceHealth'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicies'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicyTypes'
                  # API Gateway
                  - 'apigateway:GET'
                  - 'apigateway:HEAD'
                  - 'apigateway:OPTIONS'
                  # Auto Scaling
                  - 'autoscaling:DescribeLaunchConfigurations'
                  - 'autoscaling:DescribeAutoScalingGroups'
                  - 'autoscaling:DescribePolicies'
                  - 'autoscaling:DescribeTags'
                  - 'autoscaling:DescribeAccountLimits'
                  # Billing
                  - 'budgets:ViewBilling'
                  - 'budgets:ViewBudget'
                  # CloudFront
                  - 'cloudfront:ListDistributions'
                  - 'cloudfront:ListStreamingDistributions'
                  - 'cloudfront:ListTagsForResource'
                  - 'cloudtrail:LookupEvents'
                  # DynamoDB
                  - 'dynamodb:DescribeLimits'
                  - 'dynamodb:ListTables'
                  - 'dynamodb:DescribeTable'
                  - 'dynamodb:ListGlobalTables'
                  - 'dynamodb:DescribeGlobalTable'
                  - 'dynamodb:ListTagsOfResource'
                  # EBS and EC2
                  - 'ec2:DescribeVolumeStatus'
                  - 'ec2:DescribeVolumes'
                  - 'ec2:DescribeVolumeAttribute'
                  - 'ec2:DescribeInstanceStatus'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeVpnConnections'
                  # ECS
                  - 'ecs:ListServices'
                  - 'ecs:DescribeServices'
                  - 'ecs:DescribeClusters'
                  - 'ecs:ListClusters'
                  - 'ecs:ListTagsForResource'
                  # EFS
                  - 'elasticfilesystem:DescribeMountTargets'
                  - 'elasticfilesystem:DescribeFileSystems'
                  # ElastiCache
                  - 'elasticache:DescribeCacheClusters'
                  # Elasticsearch
                  - 'es:ListDomainNames'
                  - 'es:DescribeElasticsearchDomain'
                  - 'es:DescribeElasticsearchDomains'
                  - 'es:ListTags'
                  # Elastic Beanstalk
                  - 'elasticbeanstalk:DescribeEnvironments'
                  - 'elasticbeanstalk:DescribeInstancesHealth'
                  - 'elasticbeanstalk:DescribeConfigurationSettings'
                  # EMR
                  - 'elasticmapreduce:ListInstances'
                  - 'elasticmapreduce:ListClusters'
                  - 'elasticmapreduce:DescribeCluster'
                  - 'elasticmapreduce:ListInstanceGroups'
                  # Health
                  - 'health:DescribeAffectedEntities'
                  - 'health:DescribeEventDetails'
                  - 'health:DescribeEvents'
                  # IAM
                  - 'iam:ListSAMLProviders'
                  - 'iam:ListOpenIDConnectProviders'
                  - 'iam:ListServerCertificates'
                  - 'iam:GetAccountAuthorizationDetails'
                  - 'iam:ListVirtualMFADevices'
                  - 'iam:GetAccountSummary'
                  # IoT
                  - 'iot:ListTopicRules'
                  - 'iot:GetTopicRule'
                  - 'iot:ListThings'
                  # Kinesis Firehose and Kinesis Streams
                  - 'firehose:DescribeDeliveryStream'
                  - 'firehose:ListDeliveryStreams'
                  - 'kinesis:ListStreams'
                  - 'kinesis:DescribeStream'
                  - 'kinesis:ListTagsForStream'
                  # RDS and RDS Enhanced Monitoring
                  - 'rds:ListTagsForResource'
                  - 'rds:DescribeDBInstances'
                  - 'rds:DescribeDBClusters'
                  # Redshift
                  - 'redshift:DescribeClusters'
                  - 'redshift:DescribeClusterParameters'
                  # Route 53
                  - 'route53:ListHealthChecks'
                  - 'route53:GetHostedZone'
                  - 'route53:ListHostedZones'
                  - 'route53:ListResourceRecordSets'
                  # S3 (bucket configuration only; no object reads)
                  - 's3:GetLifecycleConfiguration'
                  - 's3:GetBucketTagging'
                  - 's3:ListAllMyBuckets'
                  - 's3:GetBucketWebsite'
                  - 's3:GetBucketLogging'
                  - 's3:GetBucketCORS'
                  - 's3:GetBucketVersioning'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketNotification'
                  - 's3:GetBucketPolicy'
                  - 's3:GetReplicationConfiguration'
                  - 's3:GetMetricsConfiguration'
                  - 's3:GetAccelerateConfiguration'
                  - 's3:GetAnalyticsConfiguration'
                  - 's3:GetBucketLocation'
                  - 's3:GetBucketRequestPayment'
                  - 's3:GetEncryptionConfiguration'
                  - 's3:GetInventoryConfiguration'
                  - 's3:GetIpConfiguration'
                  # SES
                  - 'ses:ListConfigurationSets'
                  - 'ses:GetSendQuota'
                  - 'ses:DescribeConfigurationSet'
                  - 'ses:ListReceiptFilters'
                  - 'ses:ListReceiptRuleSets'
                  - 'ses:DescribeReceiptRule'
                  - 'ses:DescribeReceiptRuleSet'
                  # SNS and SQS
                  - 'sns:GetTopicAttributes'
                  - 'sns:ListTopics'
                  - 'sqs:ListQueues'
                  - 'sqs:ListQueueTags'
                  - 'sqs:GetQueueAttributes'
                  # VPC
                  - 'ec2:DescribeInternetGateways'
                  - 'ec2:DescribeVpcs'
                  - 'ec2:DescribeNatGateways'
                  - 'ec2:DescribeVpcEndpoints'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:DescribeNetworkAcls'
                  - 'ec2:DescribeVpcAttribute'
                  - 'ec2:DescribeRouteTables'
                  - 'ec2:DescribeSecurityGroups'
                  - 'ec2:DescribeVpcPeeringConnections'
                  - 'ec2:DescribeNetworkInterfaces'
                  # Lambda
                  - 'lambda:GetAccountSettings'
                  - 'lambda:ListFunctions'
                  - 'lambda:ListAliases'
                  - 'lambda:ListTags'
                  - 'lambda:ListEventSourceMappings'
                  # CloudWatch (required by every integration)
                  - 'cloudwatch:GetMetricStatistics'
                  - 'cloudwatch:ListMetrics'
                  - 'cloudwatch:GetMetricData'
                  # Trusted Advisor: the only non-read-only grant in this policy.
                  # Remove it if you do not use the Trusted Advisor integration.
                  - 'support:*'
                # Describe/List calls are not resource-scoped, so '*' is required.
                Resource: '*'

Permissions

Permissions required for all integrations:

CloudWatch (all integrations):
cloudwatch:GetMetricStatistics
cloudwatch:ListMetrics
cloudwatch:GetMetricData

The following permissions are used by New Relic to retrieve data for specific AWS integrations. Each list is in addition to the CloudWatch permissions above.

ALB permissions

Additional ALB permissions:
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeTags
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeRules
elasticloadbalancing:DescribeTargetGroupAttributes
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes

API Gateway permissions

Additional API Gateway permissions:
apigateway:GET
apigateway:HEAD
apigateway:OPTIONS

Auto Scaling permissions

Additional Auto Scaling permissions:
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribePolicies
autoscaling:DescribeTags
autoscaling:DescribeAccountLimits

Billing permissions

Additional Billing permissions:
budgets:ViewBilling
budgets:ViewBudget

CloudFront permissions

Additional CloudFront permissions:
cloudfront:ListDistributions
cloudfront:ListStreamingDistributions
cloudfront:ListTagsForResource

DynamoDB permissions

Additional DynamoDB permissions:
dynamodb:DescribeLimits
dynamodb:ListTables
dynamodb:DescribeTable
dynamodb:ListGlobalTables
dynamodb:DescribeGlobalTable
dynamodb:ListTagsOfResource

EBS permissions

Additional EBS permissions:
ec2:DescribeVolumeStatus
ec2:DescribeVolumes
ec2:DescribeVolumeAttribute

EC2 permissions

Additional EC2 permissions:
ec2:DescribeInstanceStatus
ec2:DescribeInstances

ECS/ECR permissions

Additional ECS/ECR permissions:
ecs:ListServices
ecs:DescribeServices
ecs:DescribeClusters
ecs:ListClusters
ecs:ListTagsForResource

EFS permissions

Additional EFS permissions:
elasticfilesystem:DescribeMountTargets
elasticfilesystem:DescribeFileSystems

ElastiCache permissions

Additional ElastiCache permissions:
elasticache:DescribeCacheClusters

Elasticsearch permissions

Additional Elasticsearch permissions:
es:ListDomainNames
es:DescribeElasticsearchDomain
es:DescribeElasticsearchDomains
es:ListTags

Elastic Beanstalk permissions

Additional Elastic Beanstalk permissions:
elasticbeanstalk:DescribeEnvironments
elasticbeanstalk:DescribeInstancesHealth
elasticbeanstalk:DescribeConfigurationSettings

ELB permissions

Additional ELB permissions:
elasticloadbalancing:DescribeLoadBalancers

EMR permissions

Additional EMR permissions:
elasticmapreduce:ListInstances
elasticmapreduce:ListClusters
elasticmapreduce:DescribeCluster
elasticmapreduce:ListInstanceGroups

Health permissions

Additional Health permissions:
health:DescribeAffectedEntities
health:DescribeEventDetails
health:DescribeEvents

IAM permissions

Additional IAM permissions:
iam:ListSAMLProviders
iam:ListOpenIDConnectProviders
iam:ListServerCertificates
iam:GetAccountAuthorizationDetails
iam:ListVirtualMFADevices
iam:GetAccountSummary

IoT permissions

Additional IoT permissions:
iot:ListTopicRules
iot:GetTopicRule
iot:ListThings

Kinesis Firehose permissions

Additional Kinesis Firehose permissions:
firehose:DescribeDeliveryStream
firehose:ListDeliveryStreams

Kinesis Streams permissions

Additional Kinesis Streams permissions:
kinesis:ListStreams
kinesis:DescribeStream
kinesis:ListTagsForStream

Lambda permissions

Additional Lambda permissions:
lambda:GetAccountSettings
lambda:ListFunctions
lambda:ListAliases
lambda:ListTags
lambda:ListEventSourceMappings

RDS and RDS Enhanced Monitoring permissions

Additional RDS and RDS Enhanced Monitoring permissions:
rds:ListTagsForResource
rds:DescribeDBInstances
rds:DescribeDBClusters

Redshift permissions

Additional Redshift permissions:
redshift:DescribeClusters
redshift:DescribeClusterParameters

Route 53 permissions

Additional Route 53 permissions:
route53:ListHealthChecks
route53:GetHostedZone
route53:ListHostedZones
route53:ListResourceRecordSets

S3 permissions

Additional S3 permissions (bucket configuration only; no s3:GetObject is required):
s3:GetLifecycleConfiguration
s3:GetBucketTagging
s3:ListAllMyBuckets
s3:GetBucketWebsite
s3:GetBucketLogging
s3:GetBucketCORS
s3:GetBucketVersioning
s3:GetBucketAcl
s3:GetBucketNotification
s3:GetBucketPolicy
s3:GetReplicationConfiguration
s3:GetMetricsConfiguration
s3:GetAccelerateConfiguration
s3:GetAnalyticsConfiguration
s3:GetBucketLocation
s3:GetBucketRequestPayment
s3:GetEncryptionConfiguration
s3:GetInventoryConfiguration
s3:GetIpConfiguration

Simple Email Service (SES) permissions

Additional SES permissions:
ses:ListConfigurationSets
ses:GetSendQuota
ses:DescribeConfigurationSet
ses:ListReceiptFilters
ses:ListReceiptRuleSets
ses:DescribeReceiptRule
ses:DescribeReceiptRuleSet

SNS permissions

Additional SNS permissions:
sns:GetTopicAttributes
sns:ListTopics

SQS permissions

Additional SQS permissions:
sqs:ListQueues
sqs:GetQueueAttributes
sqs:ListQueueTags

Trusted Advisor permissions

Additional Trusted Advisor permissions:
support:*

This is the only permission in the list that is not read-only. See the note on the Trusted Advisor integration and the AWSSupportAccess managed policy under Integrations and managed policies above.

VPC permissions

Additional VPC permissions:
ec2:DescribeInternetGateways
ec2:DescribeVpcs
ec2:DescribeNatGateways
ec2:DescribeVpcEndpoints
ec2:DescribeSubnets
ec2:DescribeNetworkAcls
ec2:DescribeVpcAttribute
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeVpcPeeringConnections
ec2:DescribeNetworkInterfaces
ec2:DescribeVpnConnections
