Monitoring your AWS cloud spend is critical, but connecting your entire AWS environment to a third-party observability platform can feel risky. Many standard tutorials suggest using the ReadOnlyAccess policy, which exposes your compute metrics, database logs, and network traffic.
If you want to view only your AWS costs in New Relic without leaking unnecessary infrastructure data, you need a strict, custom IAM approach using API Polling. Here is the step-by-step guide to setting it up securely.
Step 1: Get Your New Relic Identifiers
First, we need to generate unique connection IDs from New Relic.
- Log into your New Relic account and navigate to Infrastructure -> AWS.
- Click Add an AWS account and choose the API polling method.
- Keep this tab open. You will see an Account ID and an External ID. You need both for the next step.
Step 2: Create a Strict AWS IAM Policy
We will create a policy that restricts New Relic to only reading Cost Explorer and AWS Budgets data.
- Open your AWS Management Console and go to the IAM dashboard.
- Navigate to Policies and click Create policy.
- Switch to the JSON tab and paste the following exact configuration:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowNewRelicBillingOnly",
          "Effect": "Allow",
          "Action": [
            "budgets:ViewBudget",
            "ce:GetCostAndUsage",
            "ce:GetCostForecast",
            "ce:GetReservationUtilization",
            "ce:GetDimensionValues",
            "ce:GetTags"
          ],
          "Resource": "*"
        }
      ]
    }
- Click through to the end, name the policy NewRelicBillingOnlyPolicy, and save it.
Step 3: Create the IAM Role
Now, attach this policy to a dedicated role for New Relic.
- In the AWS IAM console, go to Roles and click Create role.
- Select AWS account as the trusted entity, then choose Another AWS account.
- Paste the Account ID you got from New Relic in Step 1.
- Check the Require external ID box and paste the External ID from New Relic.
- Click Next, search for your newly created NewRelicBillingOnlyPolicy, and select it.
- Name the role NewRelicBillingIntegrationRole and click Create role.
- Open the role you just created and copy its ARN (Amazon Resource Name).
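An offline check of the two documents from Steps 2 and 3, added here as an example (it is not part of the original guide, nor New Relic or AWS tooling): it flags permission statements that go beyond the six billing actions and trust policies that are not pinned to one account and one sts:ExternalId. The function names, the account ID 111122223333 and the external ID string are constructed placeholders; paste the JSON from the role's Permissions and Trust relationships tabs to check your own.

```python
# Allow-list copied from the Step 2 policy on this page.
ALLOWED = {"budgets:ViewBudget", "ce:GetCostAndUsage", "ce:GetCostForecast",
           "ce:GetReservationUtilization", "ce:GetDimensionValues", "ce:GetTags"}

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Findings for Allow statements that grant more than the allow-list."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants every other action")
        findings += [f"unexpected action: {a}"
                     for a in as_list(stmt.get("Action")) if a not in ALLOWED]
    return findings

def audit_trust(trust, account_id, external_id):
    """Findings for a trust policy not pinned to one account and one ExternalId."""
    findings = []
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (not isinstance(principal, dict) or set(principal) != {"AWS"}
                or not aws or not set(aws) <= expected):
            findings.append("principal is not limited to the expected account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(cond.get("sts:ExternalId")) != [external_id]:
            findings.append("sts:ExternalId condition missing or different")
    return findings

# Constructed sample documents; the account ID and external ID are placeholders.
ACCOUNT, EXT_ID = "111122223333", "EXAMPLE-EXTERNAL-ID"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
LOOSE_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}}]}
LOOSE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                "Action": ["ce:GetCostAndUsage", "ce:*", "ec2:Describe*"]}]}

if __name__ == "__main__":
    print(audit_trust(LOOSE_TRUST, ACCOUNT, EXT_ID), audit_permissions(LOOSE_POLICY))
```

An empty list from both functions means the role matches what Steps 2 and 3 describe; the comparison is exact-match, so any wildcard such as `ce:*` is reported.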
Step 4: Finalize the New Relic Setup
- Go back to your open New Relic tab.
- In the AWS account name field, enter a clear alias like AWS-Billing-Only so your team knows exactly what this integration does.
- Paste your Role ARN.
- On the next screen, uncheck every service except for Billing.
- Save the integration.
Step 5: Verify Your Data
AWS Cost Explorer data is not real-time; it updates a few times a day. Wait about 15-30 minutes, then head to the New Relic Query Builder and run this NRQL query to see your total spend for the current month:
    SELECT max(provider.estimatedCharges.Maximum) FROM FinanceSample SINCE 1 month ago TIMESERIES 1 day
If you see a rising chart, your cost data is successfully flowing into New Relic without exposing your sensitive infrastructure metrics!