Enable configurable security policies

Tip

APM's configurable security policies is available in limited release for approved New Relic accounts.

If you are a New Relic customer and interested in the limited release of configurable security policies, contact your New Relic sales rep.

APM's configurable security policies gives you granular control over configuration options related to your account's data security. This document explains how to enable account-wide security policies and the options available.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Compatibility and requirements

APM agent versions that support this feature include:

C SDK: not available
Go: 2.1 or higher
Java: 4.1 or higher
.NET: 8.1 or higher
Node.js: 4.1 or higher
PHP: 8.1 or higher
Python: not available
Ruby: 5.2 or higher

Caution

Security policies apply account-wide. Once enabled, they can only be edited or disabled with the help of New Relic support.

If high security mode is enabled for the account(s), do not disable it. Account-level high security mode differs from your APM agent's high security mode, which is set in the configuration file.

High security mode and configurable security policies do not apply to Lambda monitoring or use of the New Relic Event API.

For the limited release, there is no UI component.

If you are participating in the limited release, follow this procedure to set up your accounts:

Choose the accounts on which to enable configurable security policies.
Choose the configurable security policies options that you want for those accounts.
Inform your New Relic sales rep of the options that you have chosen.
Ensure your agent versions support this feature. Update agents if necessary.
When you receive the security token based on the security policies options that you chose, insert the security token into the agent configuration file(s). See examples.
Delete the high security mode enabled flag from your config file(s).

High security mode (HSM) at the agent level is different than high security mode at the account level. Be sure to disable HSM in the agent's config file, as explained in this procedure. Having both the security token and the HSM flag will result in the agent disconnecting.

Example configuration

Here are some example configuration examples for enabling the configurable security policies:

The Java agent uses a YAML file for configuration. Here is an example snippet enabling security policies:

common: &default_settings
  license_key: 'YOUR_LICENSE_KEY'
  app_name: 'YOUR_APPLICATION_NAME'
  security_policies_token: 'YOUR_TOKEN'
production:
  <<: *default_settings
  log_level: info

The .NET agent uses a XML file for configuration. Here is an example snippet enabling security policies:

...
<configuration agentenabled="true" xmlns="urn:newrelic-config">
  <service licensekey="YOUR_LICENSE_KEY">
  <application>
    <name>YOUR_APPLICATION_NAME</name>
  </application>
  <securityPoliciesToken>YOUR_TOKEN</securityPoliciesToken>
  <log level="info">
</log></service></configuration>
...

If you prefer to use an environment variable, it would look like this:

NEW_RELIC_SECURITY_POLICIES_TOKEN=YOUR_TOKEN

The Ruby agent uses a YAML file for configuration. Here is an example snippet enabling security policies:

common: &default_settings
  license_key: 'YOUR_LICENSE_KEY'
  app_name: 'YOUR_APPLICATION_NAME'
  security_policies_token: 'YOUR_TOKEN'
production:
  <<: *default_settings
  log_level: info

Available policy options

Here are the settings you can choose when creating your policies. Some of these options will not be available for some agents.

Setting	Effect
Database query collection	Options: Enabled: Collects obfuscated database query data. Obfuscated queries generally appear along with slow query details in the APM or New Relic One UI. Disabled: Prevents the collection of obfuscated database query data. Raw query data is not collected once configurable security policies is enabled.
`attributes.include` list Go, Java, .NET, Node.js, Ruby only	Options: Enabled: `attributes.include` list functions normally; attribute keys found in the `attributes.include` list are recorded. Disabled: Ignores the list of allowed attributes listed in the `attributes.include` property in agent configuration; no intrinsic request parameter attributes will be collected. Whitelisting attributes at the account level is not supported.
Raw exception messages	Options: Enabled: Allows recording of all raw exception messages. Disabled: Prevents recording of all raw exception messages. The messages may be either obfuscated or completely removed, depending on the agent.
Custom events	Options: Enabled: Allows the recording of custom events that are created and sent up via an agent API. Disabled: Prevents recording of any custom events collect by an agent API.
Custom attributes	Options: Enabled: Allows for the collection of custom attributes passed in by the New Relic agent. Disabled: Prevents collection of custom attributes that are collected by the New Relic agent.
Custom instrumentation editor Java only	Options: Enabled: Allows custom instrumentation of the agent, using the custom instrumentation editor. Disabled: Prevents custom instrumentation of the agent using the custom instrumentation editor. Instrumentation previously done via the editor is also disabled. Access to the custom instrumentation editor is only available to New Relic account Owners and Admins.
Message parameters Java and Ruby only	Options: Enabled: Allows the collection of message parameters (`message.parameters.*`). Disabled: Prevents collection of message parameters.
Job arguments Ruby only	Options: Enabled: Allows the collection of job arguments (`job.(type).args.*`). Disabled: Prevents the collection of job arguments.

Setting

Effect

Database query collection

Options:

Enabled: Collects obfuscated database query data. Obfuscated queries generally appear along with slow query details in the APM or New Relic One UI.
Disabled: Prevents the collection of obfuscated database query data.
Raw query data is not collected once configurable security policies is enabled.

attributes.include list

Go, Java, .NET, Node.js, Ruby only

Options:

Enabled: attributes.include list functions normally; attribute keys found in the attributes.include list are recorded.
Disabled: Ignores the list of allowed attributes listed in the attributes.include property in agent configuration; no intrinsic request parameter attributes will be collected.
Whitelisting attributes at the account level is not supported.

Raw exception messages

Options:

Enabled: Allows recording of all raw exception messages.
Disabled: Prevents recording of all raw exception messages. The messages may be either obfuscated or completely removed, depending on the agent.

Custom events

Options:

Enabled: Allows the recording of custom events that are created and sent up via an agent API.
Disabled: Prevents recording of any custom events collect by an agent API.

Custom attributes

Options:

Enabled: Allows for the collection of custom attributes passed in by the New Relic agent.
Disabled: Prevents collection of custom attributes that are collected by the New Relic agent.

Custom instrumentation editor

Java only

Options:

Enabled: Allows custom instrumentation of the agent, using the custom instrumentation editor.
Disabled: Prevents custom instrumentation of the agent using the custom instrumentation editor. Instrumentation previously done via the editor is also disabled.
Access to the custom instrumentation editor is only available to New Relic account Owners and Admins.

Message parameters

Java and Ruby only

Options:

Enabled: Allows the collection of message parameters (message.parameters.*).
Disabled: Prevents collection of message parameters.

Job arguments

Ruby only

Options:

Enabled: Allows the collection of job arguments (job.(type).args.*).
Disabled: Prevents the collection of job arguments.

Enable configurable security policies

Tip

Compatibility and requirements