Grant New Relic permissions with AWS managed policies

In order to use infrastructure integrations, you need to grant New Relic permission to read the relevant data from your account. Amazon Web Services (AWS) uses managed policies to grant these permissions.

Recommended policy

Important

Recommendation: Grant an account-wide ReadOnlyAccess managed policy from AWS. AWS automatically updates this policy when new services are added or existing services are modified. New Relic infrastructure integrations have been designed to function with ReadOnlyAccess policies. For instructions, see Connect AWS integrations to infrastructure.

Exception: The Trusted Advisor integration is not covered by the ReadOnlyAccess policy. It requires the additional AWSSupportAccess managed policy. This is also the only integration that requires full access permissions (support:*) in order to correctly operate. We notified Amazon about this limitation. Once it's resolved we'll update documentation with more specific permissions required for this integration.

Optional policy

If you cannot use the ReadOnlyAccess managed policy from AWS, you can create your own customized policy based on the list of permissions. This allows you to specify the optimal permissions required to fetch data from AWS for each integration. While this option is available, it is not recommended because it must be manually updated when you add or modify your integrations.

Important

New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom policy, it is your responsibility to maintain it and ensure proper data is being collected.

There are two ways to set up your customized policy: You can either use our CloudFormation template, or create own yourself by adding the permissions you need.

Option 1: Use our CloudFormation template

Our CloudFormation template contains all the permissions for all our AWS integrations.

A user different than root can be used in the managed policy.

AWSTemplateFormatVersion: 2010-09-09
Outputs:
  NewRelicRoleArn:
    Description: NewRelicRole to monitor AWS Lambda
    Value: !GetAtt 
      - NewRelicIntegrationsTemplate
      - Arn
Parameters:
  NewRelicAccountNumber:
    Type: String
    Description: The Newrelic account number to send data
    AllowedPattern: '[0-9]+'
Resources:
  NewRelicIntegrationsTemplate:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub NewRelicTemplateTest
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::754728514883:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref NewRelicAccountNumber
      Policies:
        - PolicyName: NewRelicIntegrations
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticloadbalancing:DescribeTargetGroups'
                  - 'elasticloadbalancing:DescribeTags'
                  - 'elasticloadbalancing:DescribeLoadBalancerAttributes'
                  - 'elasticloadbalancing:DescribeListeners'
                  - 'elasticloadbalancing:DescribeRules'
                  - 'elasticloadbalancing:DescribeTargetGroupAttributes'
                  - 'elasticloadbalancing:DescribeInstanceHealth'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicies'
                  - 'elasticloadbalancing:DescribeLoadBalancerPolicyTypes'
                  - 'apigateway:GET'
                  - 'autoscaling:DescribeLaunchConfigurations'
                  - 'autoscaling:DescribeAutoScalingGroups'
                  - 'autoscaling:DescribePolicies'
                  - 'autoscaling:DescribeTags'
                  - 'autoscaling:DescribeAccountLimits'
                  - 'budgets:ViewBudget'
                  - 'cloudfront:ListDistributions'
                  - 'cloudfront:ListStreamingDistributions'
                  - 'cloudfront:ListTagsForResource'
                  - 'cloudtrail:LookupEvents'
                  - 'config:BatchGetResourceConfig'
                  - 'config:ListDiscoveredResources'
                  - 'dynamodb:DescribeLimits'
                  - 'dynamodb:ListTables'
                  - 'dynamodb:DescribeTable'
                  - 'dynamodb:ListGlobalTables'
                  - 'dynamodb:DescribeGlobalTable'
                  - 'dynamodb:ListTagsOfResource'
                  - 'ec2:DescribeVolumeStatus'
                  - 'ec2:DescribeVolumes'
                  - 'ec2:DescribeVolumeAttribute'
                  - 'ec2:DescribeInstanceStatus'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeVpnConnections'
                  - 'ecs:ListServices'
                  - 'ecs:DescribeServices'
                  - 'ecs:DescribeClusters'
                  - 'ecs:ListClusters'
                  - 'ecs:ListTagsForResource'
                  - 'ecs:ListContainerInstances'
                  - 'ecs:DescribeContainerInstances'
                  - 'elasticfilesystem:DescribeMountTargets'
                  - 'elasticfilesystem:DescribeFileSystems'
                  - 'elasticache:DescribeCacheClusters'
                  - 'elasticache:ListTagsForResource'
                  - 'es:ListDomainNames'
                  - 'es:DescribeElasticsearchDomain'
                  - 'es:DescribeElasticsearchDomains'
                  - 'es:ListTags'
                  - 'elasticbeanstalk:DescribeEnvironments'
                  - 'elasticbeanstalk:DescribeInstancesHealth'
                  - 'elasticbeanstalk:DescribeConfigurationSettings'
                  - 'elasticloadbalancing:DescribeLoadBalancers'
                  - 'elasticmapreduce:ListInstances'
                  - 'elasticmapreduce:ListClusters'
                  - 'elasticmapreduce:DescribeCluster'
                  - 'elasticmapreduce:ListInstanceGroups'
                  - 'health:DescribeAffectedEntities'
                  - 'health:DescribeEventDetails'
                  - 'health:DescribeEvents'
                  - 'iam:ListSAMLProviders'
                  - 'iam:ListOpenIDConnectProviders'
                  - 'iam:ListServerCertificates'
                  - 'iam:GetAccountAuthorizationDetails'
                  - 'iam:ListVirtualMFADevices'
                  - 'iam:GetAccountSummary'
                  - 'iot:ListTopicRules'
                  - 'iot:GetTopicRule'
                  - 'iot:ListThings'
                  - 'firehose:DescribeDeliveryStream'
                  - 'firehose:ListDeliveryStreams'
                  - 'kinesis:ListStreams'
                  - 'kinesis:DescribeStream'
                  - 'kinesis:ListTagsForStream'
                  - 'rds:ListTagsForResource'
                  - 'rds:DescribeDBInstances' 
                  - 'rds:DescribeDBClusters' 
                  - 'redshift:DescribeClusters' 
                  - 'redshift:DescribeClusterParameters'
                  - 'route53:ListHealthChecks'
                  - 'route53:GetHostedZone'
                  - 'route53:ListHostedZones'
                  - 'route53:ListResourceRecordSets'
                  - 'route53:ListTagsForResources'
                  - 's3:GetLifecycleConfiguration'
                  - 's3:GetBucketTagging'
                  - 's3:ListAllMyBuckets'
                  - 's3:GetBucketWebsite'
                  - 's3:GetBucketLogging'
                  - 's3:GetBucketCORS'
                  - 's3:GetBucketVersioning'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketNotification'
                  - 's3:GetBucketPolicy'
                  - 's3:GetReplicationConfiguration'
                  - 's3:GetMetricsConfiguration'
                  - 's3:GetAccelerateConfiguration'
                  - 's3:GetAnalyticsConfiguration'
                  - 's3:GetBucketLocation'
                  - 's3:GetBucketRequestPayment'
                  - 's3:GetEncryptionConfiguration'
                  - 's3:GetInventoryConfiguration'
                  - 'ses:ListConfigurationSets'
                  - 'ses:GetSendQuota'
                  - 'ses:DescribeConfigurationSet'
                  - 'ses:ListReceiptFilters'
                  - 'ses:ListReceiptRuleSets'
                  - 'ses:DescribeReceiptRule'
                  - 'ses:DescribeReceiptRuleSet'
                  - 'sns:GetTopicAttributes'
                  - 'sns:ListTopics'
                  - 'sqs:ListQueues'
                  - 'sqs:ListQueueTags'
                  - 'sqs:GetQueueAttributes'
                  - 'tag:GetResources'
                  - 'ec2:DescribeInternetGateways'
                  - 'ec2:DescribeVpcs'
                  - 'ec2:DescribeNatGateways'
                  - 'ec2:DescribeVpcEndpoints'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:DescribeNetworkAcls'
                  - 'ec2:DescribeVpcAttribute'
                  - 'ec2:DescribeRouteTables'
                  - 'ec2:DescribeSecurityGroups'
                  - 'ec2:DescribeVpcPeeringConnections'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'lambda:GetAccountSettings'
                  - 'lambda:ListFunctions'
                  - 'lambda:ListAliases'
                  - 'lambda:ListTags'
                  - 'lambda:ListEventSourceMappings'
                  - 'cloudwatch:GetMetricStatistics'
                  - 'cloudwatch:ListMetrics'
                  - 'cloudwatch:GetMetricData'
                  - 'support:*'
                Resource: '*'

Option 2: Manually add permissions

To create your own policy using available permissions:

Add the permissions for all integrations.
Add permissions that are specific to the integrations you need

The following permissions are used by New Relic to retrieve data for specific AWS integrations:

Important

If an integration is not listed on this page, these permissions are all you need.

All integrations	Permissions
CloudWatch	`cloudwatch:GetMetricStatistics` `cloudwatch:ListMetrics` `cloudwatch:GetMetricData`
Config API	`config:BatchGetResourceConfig` `config:ListDiscoveredResources`
Resource Tagging API	`tag:GetResources`

All integrations

Permissions

CloudWatch

cloudwatch:GetMetricStatistics

cloudwatch:ListMetrics

cloudwatch:GetMetricData

Config API

config:BatchGetResourceConfig

config:ListDiscoveredResources

Resource Tagging API

tag:GetResources

Additional ALB permissions:

elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeTags
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeRules
elasticloadbalancing:DescribeTargetGroupAttributes
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes

Additional S3 permissions:

s3:GetLifecycleConfiguration
s3:GetBucketTagging
s3:ListAllMyBuckets
s3:GetBucketWebsite
s3:GetBucketLogging
s3:GetBucketCORS
s3:GetBucketVersioning
s3:GetBucketAcl
s3:GetBucketNotification
s3:GetBucketPolicy
s3:GetReplicationConfiguration
s3:GetMetricsConfiguration
s3:GetAccelerateConfiguration
s3:GetAnalyticsConfiguration
s3:GetBucketLocation
s3:GetBucketRequestPayment
s3:GetEncryptionConfiguration
s3:GetInventoryConfiguration

Grant New Relic permissions with AWS managed policies

Recommended policy .css-21sua1{background:none;border:none;width:0;padding:0;}

Important

Optional policy

Important

Option 1: Use our CloudFormation template

Option 2: Manually add permissions

Required by CloudWatch metric streams and all API polling integrations

ALB permissions

API Gateway permissions

Auto Scaling permissions

Billing permission

CloudFront permissions

CloudTrail permissions

DynamoDB permissions

EBS permissions

EC2 permissions

ECS/ECR permissions

EFS permissions

ElastiCache permissions

ElasticSearch permissions

Elastic Beanstalk permissions

ELB permissions

EMR permissions

Health permissions

IAM permissions

IoT permissions

Kinesis Firehose permissions

Kinesis Streams permissions

Lambda permissions

RDS, RDS Enhanced Monitoring permissions

Redshift permissions

Route 53 permissions

S3 permissions

Simple Email Service (SES) permissions

SNS permissions

SQS permissions

Trusted Advisor permissions

VPC permissions

X-Ray monitoring permissions

Recommended policy