AWS API Polling RDS Specific Instance


Hi There,

I want to monitor a specific RDS instance using AWS API Polling, and due to limited access I have to specify the RDS instance ARN instead of * when setting the role. But this leads to a permissions error ‘DescribeRDSInstances’ in the account status.

Is there a way to fix this without extending the role permissions to *?

Hello @m.kanzari

Thank you for reaching out to us here. I have never done this filtering before, but based on what you mentioned you are referring to the Create a Custom policy: policy. Have you tried using the following permissions from Actions, resources, and condition keys for Amazon RDS? I am not sure if it is possible, but I believe a few RDS permissions would need to cover all actions on RDS resources.

Hey,

Yeah I am creating a custom policy. I specified the permissions needed for RDS but I don’t want the whole resource just one resource ( an instance ).

With this one instance as a resource, I get the issue of account permissions error in New Relic.

Hello @m.kanzari

It seems to me that you need to explore the permissions on the RDS side more. I did a quick search on the AWS documentation and maybe the following will help you, as what you are looking for is very specific and I haven’t seen a test performed in this context on our side. However, talking about permissions, the following example listed in Allow a user to create DB instances in an AWS account describes permissions where the user sees only instances whose name contains "test". Please see the documentation for different policy examples and create yours according to your requirements.

I hope the above helps. Please do not hesitate to contact me in case of any additional queries or issues. I will be happy to help you.

Kind regards,

Hello @vhenrique

I am sure I set the permissions right for the instance but somehow it requires access to all instances.

Kind Regards

Hello @m.kanzari

Thank you for sharing your findings. I have never tested this setup, but if you have definitely done it all correctly it seems not to be supported. If you wish to share the configuration you used, we can review it. I will also raise a feature request on this concern on your behalf. At this time I do not have an ETA that I can provide, but I would suggest that you monitor the New Relic forum, as this should be posted there when released.

What’s new in New Relic
New Relic Release notes

If you have any questions at this time or require any other assistance from me please do not hesitate to ask. I am happy to help.

Have a great day.

Hey @vhenrique

Thank you for your efforts. Here is the role configuration that I set.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:ListTagsForResource"
            ],
            "Resource": [
                "arn:aws:rds:region:account:db:db_instance"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:ListDiscoveredResources",
                "config:BatchGetResourceConfig",
                "tag:GetResources"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Kind Regards
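To make the posted policy easier to reason about, the following is an added example (not New Relic's code and not the poster's tooling) that loads the policy document from the post above and answers two review questions offline: which actions the Allow statements grant on a given resource ARN, and which ARNs still carry placeholder region/account fields. The evaluator is deliberately simplified (Allow statements only, no Deny, no Condition handling, glob-style ARN matching), which is an assumption of this example rather than full IAM semantics.

```python
"""Offline review helpers for the IAM policy posted above (added example)."""
import fnmatch
import json
import re

# Policy document copied from the post above; "region" and "account" are the
# placeholders exactly as posted.
POLICY_JSON = r'''
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:ListTagsForResource"
            ],
            "Resource": ["arn:aws:rds:region:account:db:db_instance"]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:ListDiscoveredResources",
                "config:BatchGetResourceConfig",
                "tag:GetResources"
            ],
            "Resource": ["*"]
        }
    ]
}
'''
POLICY = json.loads(POLICY_JSON)

# Shape checks for the two ARN fields that are most often left as placeholders.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")   # e.g. eu-west-1
ACCOUNT_RE = re.compile(r"^\d{12}$")                  # 12-digit account id


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, arn):
    """Simplified IAM matching: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)


def allowed_actions(policy, resource_arn):
    """Return the set of actions that Allow statements grant on resource_arn.

    Simplification (assumption of this example): Deny and Condition are ignored.
    """
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(_arn_matches(r, resource_arn) for r in resources):
            granted.update(_as_list(stmt["Action"]))
    return granted


def unresolved_placeholders(policy):
    """List (Sid, ARN, bad_fields) for ARNs whose region/account look unfilled."""
    issues = []
    for stmt in _as_list(policy["Statement"]):
        for arn in _as_list(stmt.get("Resource", [])):
            if arn == "*":
                continue
            parts = arn.split(":")
            if len(parts) < 6:
                issues.append((stmt.get("Sid"), arn, ["malformed"]))
                continue
            bad = []
            if parts[3] and not REGION_RE.match(parts[3]):
                bad.append("region")
            if parts[4] and not ACCOUNT_RE.match(parts[4]):
                bad.append("account")
            if bad:
                issues.append((stmt.get("Sid"), arn, bad))
    return issues


def wildcard_statements(policy):
    """Sids of Allow statements whose Resource is '*' (worth a least-privilege look)."""
    return [s.get("Sid") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    target = "arn:aws:rds:region:account:db:db_instance"
    other = "arn:aws:rds:region:account:db:some_other_instance"
    print("on target  :", sorted(allowed_actions(POLICY, target)))
    print("on other   :", sorted(allowed_actions(POLICY, other)))
    print("placeholders:", unresolved_placeholders(POLICY))
    print("wildcards  :", wildcard_statements(POLICY))
```

Run as a script, it shows that the RDS Describe actions are granted only on the single posted ARN while every other RDS ARN receives nothing but the CloudWatch/Config/Tag actions, and it flags the literal "region"/"account" fields so they are not forgotten when the policy is applied to a real account.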

Hello @m.kanzari

Thank you for providing it. I will have a look at it and let you know. Please be aware that it may take some time for me to review it, but as soon as I have any updates I will let you know here.
