Merge pull request #2848 from josemore/patch-6

Document min permissions for AWS metric streams
newrelic · Jun 28, 2021 · 3c0e6af · 3c0e6af
2 parents 0ef35b4 + c4d0e04
commit 3c0e6af
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/...cs/integrations/amazon-integrations/aws-integrations-list/aws-metric-stream.mdx b/...cs/integrations/amazon-integrations/aws-integrations-list/aws-metric-stream.mdx
@@ -117,6 +117,18 @@ Next, set up the metric stream using the [CloudFormation template](https://conso
 
 3. ** Add the new AWS account** in the **Metric streams** mode in the New Relic UI. 
   Go to **[one.newrelic.com](https://one.newrelic.com/) > Infrastructure > AWS**, click on **Add an AWS account**, then on **Use metric streams**, and follow the steps.
+
+<Callout variant="tip">
+  The following are the minimal permissions that should be granted on the AWS role configured in New Relic so that CloudWatch metrics can be enriched with additional service metadata and custom tags when applicable:
+
+  ```
+  config:BatchGetResourceConfig
+  config:ListDiscoveredResources
+  tag:GetResources
+  ```
+
+  The New Relic UI currently recommends the `ReadOnlyAccess` policy over these individual items so that New Relic has proper permissions to collect service data that's not available in AWS CloudWatch Metric Streams.
+</Callout>
 
 ## Validate your data is received correctly [#validate-data]