APM's configurable security policies are available in limited release for approved New Relic accounts.
If you are a New Relic customer and interested in the limited release of configurable security policies, contact your New Relic sales rep.
APM's configurable security policies give you granular control over configuration options related to your account's data security. This document explains how to enable account-wide security policies and the options available.
Security policies apply account-wide. Once enabled, they can only be edited or disabled with the help of New Relic support.
If high security mode is enabled for the account(s), do not disable it. Account-level high security mode differs from your APM agent's high security mode, which is set in the configuration file.
High security mode and configurable security policies do not apply to Lambda monitoring or use of the New Relic Event API.
For the limited release, there is no UI component.
If you are participating in the limited release, follow this procedure to set up your accounts:
Choose the accounts on which to enable configurable security policies.
When you receive the security token based on the security policies options that you chose, insert the security token into the agent configuration file(s). See examples.
Delete the high security mode enabled flag from your config file(s).
High security mode (HSM) at the agent level is different from high security mode at the account level. Be sure to disable HSM in the agent's config file, as explained in this procedure. Having both the security token and the HSM flag will result in the agent disconnecting.
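The procedure above can be checked before a config file is deployed. The following is an added example, not New Relic's own code: it flags a file that still carries the HSM flag alongside the security token. It assumes the key names `security_policies_token` and `high_security` in `key: value` (newrelic.yml) or `key = value` (newrelic.ini) form; the sample file contents are constructed.

```python
import re

# Assumed key names: security_policies_token and high_security, written as
# "key: value" (newrelic.yml) or "key = value" (newrelic.ini).
# The scan is line-based and does not distinguish per-environment sections.
_SETTING = re.compile(
    r"^\s*(security_policies_token|high_security)\s*[:=]\s*(.*?)\s*$")
_TRUTHY = {"true", "yes", "on", "1"}

# Constructed sample inputs (not real tokens or license keys).
SAMPLE_CONFLICT = (
    "common: &default_settings\n"
    "  license_key: '<license key placeholder>'\n"
    "  high_security: true\n"
    "  security_policies_token: 'constructed-token'\n")
SAMPLE_OK = (
    "[newrelic]\n"
    "# high_security = true\n"
    "security_policies_token = constructed-token\n")

def _clean(value):
    """Drop a trailing comment and surrounding quotes from a raw value."""
    value = re.split(r"(?:^|\s+)#", value, maxsplit=1)[0]
    return value.strip().strip("'\"")

def check_agent_config(text):
    """Return (status, findings) for the contents of one agent config file."""
    token_lines, hsm_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings do not count
        match = _SETTING.match(line)
        if not match:
            continue
        key, value = match.group(1), _clean(match.group(2))
        if key == "security_policies_token" and value:
            token_lines.append(lineno)
        elif key == "high_security" and value.lower() in _TRUTHY:
            hsm_lines.append(lineno)
    if token_lines and hsm_lines:
        return "conflict", [
            f"token (line {token_lines[0]}) and HSM flag (line {hsm_lines[0]}) "
            "are both set: the agent will disconnect"]
    if not token_lines:
        return "no_token", ["no security token set"]
    return "ok", []

if __name__ == "__main__":
    for name, sample in (("conflict", SAMPLE_CONFLICT), ("ok", SAMPLE_OK)):
        print(name, check_agent_config(sample))
```
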
Example configuration
Here are some example configurations for enabling configurable security policies:
Here are the settings you can choose when creating your policies. Some of these options will not be available for some agents.
Setting
Effect
Database query collection
Options:
Enabled: Collects obfuscated database query data. Obfuscated queries generally appear along with slow query details in the APM or New Relic One UI.
Disabled: Prevents the collection of obfuscated database query data.
Raw query data is not collected once configurable security policies are enabled.
attributes.include list
Go, Java, .NET, Node.js, Ruby only
Options:
Enabled: attributes.include list functions normally; attribute keys found in the attributes.include list are recorded.
Disabled: Ignores the list of allowed attributes listed in the attributes.include property in agent configuration; no intrinsic request parameter attributes will be collected.
Whitelisting attributes at the account level is not supported.
Raw exception messages
Options:
Enabled: Allows recording of all raw exception messages.
Disabled: Prevents recording of all raw exception messages. The messages may be either obfuscated or completely removed, depending on the agent.
Custom events
Options:
Enabled: Allows the recording of custom events that are created and sent up via an agent API.
Disabled: Prevents recording of any custom events collected by an agent API.
Custom attributes
Options:
Enabled: Allows for the collection of custom attributes passed in by the New Relic agent.
Disabled: Prevents collection of custom attributes that are collected by the New Relic agent.
Disabled: Prevents custom instrumentation of the agent using the custom instrumentation editor. Instrumentation previously done via the editor is also disabled.
Access to the custom instrumentation editor is only available to New Relic account Owners and Admins.
Message parameters
Java and Ruby only
Options:
Enabled: Allows the collection of message parameters (message.parameters.*).
Disabled: Prevents collection of message parameters.
Job arguments
Ruby only
Options:
Enabled: Allows the collection of job arguments (job.(type).args.*).
Disabled: Prevents the collection of job arguments.