Overview
Use this guide to manually set up the Datadog AWS Integration.
To set up the AWS integration manually, create an IAM policy and IAM role in your AWS account, and configure the role with an AWS External ID generated in your Datadog account. This allows Datadog’s AWS account to query AWS APIs on your behalf, and pull data into your Datadog account. The sections below detail the steps for creating each of these components, and then completing the setup in your Datadog account.
Setting up S3 Log Archives using Role Delegation is currently in limited availability. Contact Datadog Support to request this feature in your Datadog for Government account.
Setup
Generate an external ID
- In the AWS integration configuration page, click Add AWS Account, and then select Manually.
- Select
Role Delegation
for the access type and copy the AWS External ID
. For more information about the external ID, read the IAM User Guide.
Note: The External ID remains available and is not regenerated for 48 hours, unless explicitly changed by a user or another AWS account is added to Datadog during this period. You can return to the Add New AWS Account page within that time period to complete the process of adding an account without the External ID changing.
AWS IAM policy for Datadog
Create an IAM policy for the Datadog role in your AWS account with the necessary permissions to take advantage of every AWS integration offered by Datadog. As other components are added to an integration, these permissions may change.
- Create a new policy in the AWS IAM Console.
- Select the JSON tab. Paste the permission policies in the textbox.
Note: Optionally, you can add Condition elements to the IAM policy. For example, conditions can be used to restrict monitoring to certain regions. - Click Next: Tags and Next: Review.
- Name the policy
DatadogIntegrationPolicy
or one of your own choosing, and provide an apt description. - Click Create policy.
AWS IAM role for Datadog
Create an IAM role for Datadog to use the permissions defined in the IAM policy.
- Create a new role in the AWS IAM Console.
- Select AWS account for the trusted entity type, and Another AWS account.
- Enter
464622532012
as the Account ID
. This is Datadog’s account ID, and grants Datadog access to your AWS data.
- Enter
417141415827
as the Account ID
. This is Datadog’s account ID, and grants Datadog access to your AWS data.
- If the AWS account you want to integrate is a GovCloud account, enter
065115117704
as the Account ID
, otherwise enter 392588925713
. This is Datadog’s account ID, and grants Datadog access to your AWS data.
- Select Require external ID and enter the external ID copied in the Generate an external ID section.
Ensure to leave
Require MFA
disabled. For more details, see the How to use an external ID when granting access to your AWS resources to a third party AWS documentation. - Click Next.
- If you’ve already created the policy, search for it on this page and select it. Otherwise, click Create Policy, which opens in a new window, and follow the instructions from the previous section.
- Optionally, attach the AWS SecurityAudit Policy to the role to use Cloud Security Management Misconfigurations.
- Click Next.
- Give the role a name such as
DatadogIntegrationRole
, as well as an apt description. - Click Create Role.
Complete the setup in Datadog
- Return to the AWS integration configuration page for manually adding an account in Datadog that you had open in another tab. Click the checkbox to confirm the Datadog IAM role was added to the AWS account.
- Enter the account ID without dashes, for example:
123456789012
. Your Account ID can be found in the ARN of the role created for Datadog. - Enter the name of the role created in the previous section, and click Save.
Note: The role name you enter in the integration tile is case sensitive and must exactly match the role name in AWS. - If there is a Datadog is not authorized to perform sts:AssumeRole error, follow the troubleshooting steps recommended in the UI, or read the troubleshooting guide.
- Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.
Setup
AWS
- In your AWS console, create an IAM user to be used by the Datadog integration with the necessary permissions.
- Generate an access key and secret key for the Datadog integration IAM user.
Datadog
- In the AWS integration tile, click Add AWS Account, and then select Manually.
- Select the Access Keys (GovCloud or China* Only) tab.
- Click the I confirm that the IAM User for the Datadog Integration has been added to the AWS Account checkbox.
- Enter your
Account ID
, AWS Access Key
and AWS Secret Key
. Only access and secret keys for GovCloud and China are accepted. - Click Save.
- Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.
* All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the Restricted Service Locations section on our website.
AWS IAM permissions
AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events, and other data necessary to monitor your AWS environment.
To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.
AWS integration IAM policy
The set of permissions necessary to use all the integrations for individual AWS services.
The following permissions included in the policy document use wild cards such as List*
and Get*
. If you require strict policies, use the complete action names as listed and reference the Amazon API documentation for your respective services.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"apigateway:GET",
"autoscaling:Describe*",
"backup:List*",
"budgets:ViewBudget",
"cloudfront:GetDistributionConfig",
"cloudfront:ListDistributions",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codedeploy:List*",
"codedeploy:BatchGet*",
"directconnect:Describe*",
"dynamodb:List*",
"dynamodb:Describe*",
"ec2:Describe*",
"ec2:GetTransitGatewayPrefixListReferences",
"ec2:SearchTransitGatewayRoutes",
"ecs:Describe*",
"ecs:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeAccessPoints",
"elasticloadbalancing:Describe*",
"elasticmapreduce:List*",
"elasticmapreduce:Describe*",
"es:ListTags",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"events:CreateEventBus",
"fsx:DescribeFileSystems",
"fsx:ListTagsForResource",
"health:DescribeEvents",
"health:DescribeEventDetails",
"health:DescribeAffectedEntities",
"kinesis:List*",
"kinesis:Describe*",
"lambda:GetPolicy",
"lambda:List*",
"logs:DeleteSubscriptionFilter",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeSubscriptionFilters",
"logs:FilterLogEvents",
"logs:PutSubscriptionFilter",
"logs:TestMetricFilter",
"oam:ListSinks",
"oam:ListAttachedLinks",
"organizations:Describe*",
"organizations:List*",
"rds:Describe*",
"rds:List*",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:List*",
"s3:GetBucketLogging",
"s3:GetBucketLocation",
"s3:GetBucketNotification",
"s3:GetBucketTagging",
"s3:ListAllMyBuckets",
"s3:PutBucketNotification",
"ses:Get*",
"sns:List*",
"sns:Publish",
"sns:GetSubscriptionAttributes",
"sqs:ListQueues",
"states:ListStateMachines",
"states:DescribeStateMachine",
"support:DescribeTrustedAdvisor*",
"support:RefreshTrustedAdvisorCheck",
"tag:GetResources",
"tag:GetTagKeys",
"tag:GetTagValues",
"wafv2:ListLoggingConfigurations",
"wafv2:GetLoggingConfiguration",
"xray:BatchGetTraces",
"xray:GetTraceSummaries"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
AWS resource collection IAM policy
To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.
For the most complete security coverage that Datadog can provide, Datadog recommends also attaching the following read permissions to the IAM role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"backup:ListRecoveryPointsByBackupVault",
"bcm-data-exports:GetExport",
"bcm-data-exports:ListExports",
"cassandra:Select",
"cur:DescribeReportDefinitions",
"ec2:GetSnapshotBlockPublicAccessState",
"glacier:GetVaultNotifications",
"glue:ListRegistries",
"lightsail:GetInstancePortStates",
"savingsplans:DescribeSavingsPlanRates",
"savingsplans:DescribeSavingsPlans",
"timestream:DescribeEndpoints",
"waf-regional:ListRuleGroups",
"waf-regional:ListRules",
"waf:ListRuleGroups",
"waf:ListRules",
"wafv2:GetIPSet",
"wafv2:GetRegexPatternSet",
"wafv2:GetRuleGroup"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Notes:
- Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
- As Datadog adds support for new features and services, the list of permissions used for resource collection might expand.
- To enable Datadog to collect account management resources from
account.GetAlternateContact
and account.GetContactInformation
, you need to enable trusted access for AWS account management.
Additional helpful documentation, links, and articles: