diff --git a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc
index 55d12709124f4..b555b636c433f 100644
--- a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc
+++ b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc
@@ -16,7 +16,8 @@ Grants access necessary for the APM system user to send system-level data
 [[built-in-roles-apm-user]] `apm_user` ::
 Grants the privileges required for APM users (such as `read` and
-`view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices).
+`view_index_metadata` privileges on the `apm-*`, `.apm-agent-configuration` and
+`.ml-anomalies*` indices).
 [[built-in-roles-beats-admin]] `beats_admin` ::
 Grants access to the `.management-beats` index, which contains configuration
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index ed80944a3764e..1c64a7575cd33 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -153,6 +153,8 @@ private static Map initializeReservedRoles() {
 null, new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices("apm-*")
 .privileges("read", "view_index_metadata").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".apm-agent-configuration")
+ .privileges("read", "write", "view_index_metadata").build(),
 RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*")
 .privileges("view_index_metadata", "read").build(),
 }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
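Review bot: The new `.apm-agent-configuration` entry in the `apm_user` descriptor grants `write`, while the two neighbouring entries are read-only and the documentation hunk in this same commit still describes the role only in terms of `read` and `view_index_metadata`. `write` covers index, update, delete and bulk operations on documents, so every holder of this reserved role could alter or remove stored agent configuration; if a narrower operation is enough, grant that instead. If `write` is intended, say so at the grant with a comment such as `// write is intentional: apm_user holders edit agent configuration (confirm)` and name `write` in the built-in-roles text. The body of initializeReservedRoles() starts and ends outside this hunk, so any other grants on this index are not visible here.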