Integrations and managed policies

To use Infrastructure integrations, you need to grant New Relic permission to read the relevant data from your account. Amazon Web Services (AWS) uses managed policies to grant these permissions.

New Relic highly recommends granting an account-wide ReadOnlyAccess managed policy from AWS. AWS automatically updates this policy when new services are added or existing services are modified. New Relic Infrastructure integrations have been designed to function with ReadOnlyAccess policies. For instructions, see Connect AWS integrations to Infrastructure.

Optional policy

If you're unable to use the ReadOnlyAccess managed policy from AWS, you can create your own policy based on the following permissions list. This list specifies the optimal permissions required to fetch data from AWS for each integration. While this option is available, it is not recommended because it must be manually updated when you add or modify your integrations.

New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom policy, it is your responsibility to maintain it and ensure proper data is being collected.

New Relic uses the following permissions to retrieve data for each AWS integration:

Integration Permissions
ALB

elasticloadbalancing:DescribeLoadBalancers

elasticloadbalancing:DescribeTargetGroups

elasticloadbalancing:DescribeTags

elasticloadbalancing:DescribeLoadBalancerAttributes

elasticloadbalancing:DescribeListeners

elasticloadbalancing:DescribeRules

elasticloadbalancing:DescribeTargetGroupAttributes

elasticloadbalancing:DescribeInstanceHealth

elasticloadbalancing:DescribeLoadBalancerPolicies

elasticloadbalancing:DescribeLoadBalancerPolicyTypes

API Gateway

apigateway:GET

apigateway:HEAD

apigateway:OPTIONS

Auto Scaling

autoscaling:DescribeLaunchConfigurations

autoscaling:DescribeAutoScalingGroups

autoscaling:DescribePolicies

autoscaling:DescribeTags

autoscaling:DescribeAccountLimits

Billing

budgets:ViewBilling

budgets:ViewBudget

CloudFront

cloudfront:ListDistributions

cloudfront:ListStreamingDistributions

CloudWatch

cloudwatch:GetMetricStatistics

cloudwatch:ListMetrics

cloudwatch:GetMetricData

CloudTrail

cloudtrail:LookupEvents

DynamoDB

dynamodb:DescribeLimits

dynamodb:ListTables

dynamodb:DescribeTable

dynamodb:ListGlobalTables

dynamodb:DescribeGlobalTable

dynamodb:ListTagsOfResource

EBS

ec2:DescribeVolumeStatus

ec2:DescribeVolumes

ec2:DescribeVolumeAttribute

EC2

ec2:DescribeInstanceStatus

ec2:DescribeInstances

ECS/ECR

ecs:ListServices

ecs:DescribeServices

ecs:DescribeClusters

ecs:ListClusters

EFS

elasticfilesystem:DescribeMountTargets

elasticfilesystem:DescribeFileSystems

ElastiCache

elasticache:DescribeCacheClusters

Elasticsearch

es:ListDomainNames

es:DescribeElasticsearchDomain

es:DescribeElasticsearchDomains

es:ListTags

Elastic Beanstalk

elasticbeanstalk:DescribeEnvironments

elasticbeanstalk:DescribeInstancesHealth

elasticbeanstalk:DescribeConfigurationSettings

ELB

elasticloadbalancing:DescribeLoadBalancers

EMR

elasticmapreduce:ListInstances

elasticmapreduce:ListClusters

elasticmapreduce:DescribeCluster

elasticmapreduce:ListInstanceGroups

Health

health:DescribeAffectedEntities

health:DescribeEventDetails

health:DescribeEvents

IAM

iam:ListSAMLProviders

iam:ListOpenIDConnectProviders

iam:ListServerCertificates

iam:GetAccountAuthorizationDetails

iam:ListVirtualMFADevices

iam:GetAccountSummary

IoT

iot:ListTopicRules

iot:GetTopicRule

iot:ListThings

Kinesis Firehose

firehose:DescribeDeliveryStream

firehose:ListDeliveryStreams

Kinesis Streams

kinesis:ListStreams

kinesis:DescribeStream

kinesis:ListTagsForStream

Lambda

lambda:GetAccountSettings

lambda:ListFunctions

lambda:ListAliases

lambda:ListTags

lambda:ListEventSourceMappings

RDS, RDS Enhanced Monitoring

rds:ListTagsForResource

rds:DescribeDBInstances

rds:DescribeDBClusters

Redshift

redshift:DescribeClusters

redshift:DescribeClusterParameters

Route 53

route53:ListHealthChecks

route53:GetHostedZone

route53:ListHostedZones

route53:ListResourceRecordSets

S3

s3:GetLifecycleConfiguration

s3:GetBucketTagging

s3:ListAllMyBuckets

s3:GetBucketWebsite

s3:GetBucketLogging

s3:GetBucketCORS

s3:GetBucketVersioning

s3:GetBucketAcl

s3:GetBucketNotification

s3:GetBucketPolicy

s3:GetReplicationConfiguration

s3:GetMetricsConfiguration

s3:GetAccelerateConfiguration

s3:GetAnalyticsConfiguration

s3:GetBucketLocation

s3:GetBucketRequestPayment

s3:GetEncryptionConfiguration

s3:GetInventoryConfiguration

s3:GetIpConfiguration

SES

ses:ListConfigurationSets

ses:GetSendQuota

ses:DescribeConfigurationSet

ses:ListReceiptFilters

ses:ListReceiptRuleSets

ses:DescribeReceiptRule

ses:DescribeReceiptRuleSet

SNS

sns:GetTopicAttributes

sns:ListTopics

SQS

sqs:ListQueues

sqs:GetQueueAttributes

VPC

ec2:DescribeInternetGateways

ec2:DescribeVpcs

ec2:DescribeNatGateways

ec2:DescribeVpcEndpoints

ec2:DescribeSubnets

ec2:DescribeNetworkAcls

ec2:DescribeVpcAttribute

ec2:DescribeRouteTables

ec2:DescribeSecurityGroups

ec2:DescribeVpcPeeringConnections

ec2:DescribeNetworkInterfaces
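Because a custom policy has to be kept in step with this list by hand, a drift check is worth running whenever integrations change. The following is an added example, not New Relic or AWS code: it builds a policy document for the integrations you enable and reports which listed actions an existing policy fails to allow. The function names and the sample policy are constructed for illustration, only four rows of the list are included, and the check looks at Allow statements' Action patterns only (it does not evaluate Deny, NotAction, Condition or Resource scoping).

```python
import fnmatch
import json

# Four rows copied from the permissions list above; extend with the rest as needed.
REQUIRED = {
    "EC2": ["ec2:DescribeInstanceStatus", "ec2:DescribeInstances"],
    "EBS": ["ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute"],
    "SQS": ["sqs:ListQueues", "sqs:GetQueueAttributes"],
    "CloudWatch": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                   "cloudwatch:GetMetricData"],
}

# Constructed sample: a hand-maintained policy that has drifted from the list.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "sqs:ListQueues"], "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*"},
    ],
}

def build_policy(integrations):
    """Return a policy document allowing only the listed integrations' actions."""
    actions = sorted({a for name in integrations for a in REQUIRED[name]})
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

def allowed_patterns(policy):
    """Collect lower-cased Action patterns from Allow statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = stmt["Action"]  # a string or a list of strings
            patterns += [acts] if isinstance(acts, str) else list(acts)
    return [p.lower() for p in patterns]

def missing_permissions(policy, integrations):
    """Map each integration to the required actions the policy does not allow."""
    patterns = allowed_patterns(policy)
    def allowed(action):  # IAM action names are case-insensitive; * and ? are wildcards
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    gaps = {n: [a for a in REQUIRED[n] if not allowed(a)] for n in integrations}
    return {n: missing for n, missing in gaps.items() if missing}

if __name__ == "__main__":
    print(json.dumps(missing_permissions(SAMPLE_POLICY, list(REQUIRED)), indent=2))
```

An empty result means every listed action for the selected integrations is covered by some Allow pattern; any integration that appears in the result is one whose data collection may be incomplete.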

For more help

Recommendations for learning more: