This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project,
feel free to reach out to us!Overview
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account.
This includes how the resources are related to one another and how they were configured in the past
so that you can see how the configurations and relationships change over time.
Enable this integration to see all your AWS Config metrics in Datadog. Use Events to monitor changes to your configurations detected by AWS Config.
Setup
Installation
If you haven’t already, set up the Amazon Web Services integration first.
Resource changes collection
Join the Preview!
Resource changes collection is in Preview, but you can easily request access! Use this form to submit your request today.
Request AccessYou can receive events in Datadog when AWS Config detects changes to your configuration snapshots and history. Create and configure the necessary resources with the CloudFormation stack below, or manually set up an Amazon Data Firehose to forward your AWS Config events.
Note: If your Datadog account is not located in the US1 Datadog site, select the DatadogSite
value that corresponds to your Datadog site:
Datadog Site | DatadogSite value |
---|
EU | datadoghq.eu |
US3 | us3.datadoghq.com |
US5 | us5.datadoghq.com |
AP1 | ap1.datadoghq.com |
Follow these steps to manually set up AWS Config event forwarding through Amazon Data Firehose.
Prerequisites
- An AWS account integrated with Datadog.
- The Datadog integration IAM role must have the
s3:GetObject
permission against the bucket with the Config data in it.
- An SNS topic is set up to receive the AWS Config events.
- An S3 bucket is set up to receive events larger than 256 kB as a backup.
- An Access key is set up. Ensure you have your Datadog API key.
Create an Amazon Data Firehose stream
- In the AWS Console, click Create Firehose stream.
- For the Source, select
Direct PUT
. - For the Destination, select
Datadog
.
- In the Destination settings section, choose the HTTP endpoint URL that corresponds to your Datadog site:
Datadog Site | Destination URL |
---|
US1 | https://cloudplatform-intake.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
US3 | https://cloudplatform-intake.us3.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
US5 | https://cloudplatform-intake.us5.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
EU | https://cloudplatform-intake.datadoghq.eu/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
AP1 | https://cloudplatform-intake.ap1.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
- For Authentication, enter your Datadog API key value or select an AWS Secrets Manager secret containing the value.
- For Content encoding, enter
GZIP
. - For Retry duration, enter
300
. - Click Add parameter.
- For the Key, enter
dd-s3-bucket-auth-account-id
. - For the Value, enter your 12-digit AWS account ID.
- Under Buffer hints, set the Buffer size to
4 MiB
. - Under Backup settings, select an S3 backup bucket.
- Click Create Firehose stream.
- On the AWS Config page, open the left side panel and click Settings.
- Click Edit.
- In the Delivery method section, select or create the S3 bucket for receiving events larger than 256 kB as a backup.
- Click the checkbox under Amazon SNS topic, and select or create the SNS topic for receiving AWS Config events.
- Click Save.
Subscribe the Amazon Data Firehose stream to an SNS topic
- Follow the steps on the SNS Developer Guide. Ensure that the Subscription role has the following permissions:
firehose:DescribeDeliveryStream
firehose:ListDeliveryStreams
firehose:ListTagsForDeliveryStream
firehose:PutRecord
firehose:PutRecordBatch
- Confirm that data is flowing to Datadog on the Monitoring tab of the Firehose.
Metric collection
- In the AWS integration page, ensure that
Config
is enabled under the Metric Collection
tab. - Install the Datadog - AWS Config integration.
Data Collected
Metrics
aws.config.change_notifications_delivery_failed (count) | The number of failed change notification deliveries to the Amazon SNS topic for your delivery channel |
aws.config.compliance_score (gauge) | The percentage of compliant rule-resource combinations in a conformance pack compared to total possible rule-resource combinations Shown as percent |
aws.config.config_history_export_failed (count) | The number of failed configuration history exports to your Amazon S3 bucket |
aws.config.config_snapshot_export_failed (count) | The number of failed configuration snapshot exports to your Amazon S3 bucket |
aws.config.configuration_items_recorded (count) | The number of configuration items recorded for each resource type or all resource types Shown as item |
aws.config.configuration_recorder_insufficient_permissions_failure (count) | The number of failed permission access attempts due to the IAM role policy for the configuration recorder having insufficient permissions |
Events
The AWS Config integration collects events related to AWS resource changes.
Validation
Inspect configuration changes with the Recent Changes tab available in the resource’s side panel on the Resource Catalog. You can also go to the Event Management page and query for source:amazon_config
to validate that data is flowing into your Datadog account.
Service Checks
The AWS Config integration does not include any service checks.
Troubleshooting
Need help? Contact Datadog support.
Further Reading
Additional helpful documentation, links, and articles: