Amazon Web Services

Overview

Connect Amazon Web Services (AWS) to:

  • See automatic AWS status updates in your Events Explorer
  • Get CloudWatch metrics for EC2 hosts without installing the Agent
  • Tag your EC2 hosts with EC2-specific information
  • See EC2 scheduled maintenance events in your stream
  • Collect CloudWatch metrics and events from many other AWS products
  • See CloudWatch alarms in your Events Explorer

To get started quickly with the AWS integration, see the AWS getting started guide.

Datadog's Amazon Web Services integration collects logs, events, and most CloudWatch metrics for more than 90 AWS services.

Setup

Use one of the following methods to integrate your AWS accounts into Datadog for metric, event, tag, and log collection.

Automatic

Manual

  • Role delegation: To manually set up the AWS integration with role delegation, see the manual setup guide.

  • Access keys (GovCloud or China only): To set up the AWS integration with access keys, see the manual setup guide.

    * All use of Datadog services in (or in connection with environments within) mainland China is subject to the disclaimer published in the Restricted Service Locations section on our website.

AWS IAM permissions

AWS IAM permissions enable Datadog to collect resource data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.

AWS integration IAM policies

The following policies contain the set of permissions necessary to use all the integrations for individual AWS services. These permissions are not included in the AWS SecurityAudit policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetContactInformation",
        "amplify:ListApps",
        "amplify:ListArtifacts",
        "amplify:ListBackendEnvironments",
        "amplify:ListBranches",
        "amplify:ListDomainAssociations",
        "amplify:ListJobs",
        "amplify:ListWebhooks",
        "aoss:BatchGetCollection",
        "aoss:ListCollections",
        "app-integrations:GetApplication",
        "app-integrations:GetDataIntegration",
        "app-integrations:ListApplicationAssociations",
        "app-integrations:ListApplications",
        "app-integrations:ListDataIntegrationAssociations",
        "app-integrations:ListDataIntegrations",
        "app-integrations:ListEventIntegrationAssociations",
        "app-integrations:ListEventIntegrations",
        "appstream:DescribeAppBlockBuilders",
        "appstream:DescribeAppBlocks",
        "appstream:DescribeApplications",
        "appstream:DescribeFleets",
        "appstream:DescribeImageBuilders",
        "appstream:DescribeImages",
        "appstream:DescribeStacks",
        "appsync:GetGraphqlApi",
        "aps:DescribeRuleGroupsNamespace",
        "aps:DescribeScraper",
        "aps:DescribeWorkspace",
        "aps:ListRuleGroupsNamespaces",
        "aps:ListScrapers",
        "aps:ListWorkspaces",
        "athena:BatchGetNamedQuery",
        "athena:BatchGetPreparedStatement",
        "b2bi:GetCapability",
        "b2bi:GetPartnership",
        "b2bi:GetProfile",
        "b2bi:GetTransformer",
        "b2bi:ListCapabilities",
        "b2bi:ListPartnerships",
        "b2bi:ListProfiles",
        "b2bi:ListTransformers",
        "backup-gateway:GetGateway",
        "backup-gateway:GetHypervisor",
        "backup-gateway:GetVirtualMachine",
        "backup-gateway:ListGateways",
        "backup-gateway:ListHypervisors",
        "backup-gateway:ListVirtualMachines",
        "backup:DescribeFramework",
        "backup:GetLegalHold",
        "backup:ListBackupPlans",
        "backup:ListFrameworks",
        "backup:ListLegalHolds",
        "backup:ListProtectedResources",
        "backup:ListRecoveryPointsByBackupVault",
        "batch:DescribeJobQueues",
        "batch:DescribeSchedulingPolicies",
        "batch:ListSchedulingPolicies",
        "bedrock:GetAgent",
        "bedrock:GetAgentActionGroup",
        "bedrock:GetAgentAlias",
        "bedrock:GetAsyncInvoke",
        "bedrock:GetBlueprint",
        "bedrock:GetDataSource",
        "bedrock:GetEvaluationJob",
        "bedrock:GetFlow",
        "bedrock:GetFlowAlias",
        "bedrock:GetFlowVersion",
        "bedrock:GetFoundationModel",
        "bedrock:GetGuardrail",
        "bedrock:GetImportedModel",
        "bedrock:GetInferenceProfile",
        "bedrock:GetIngestionJob",
        "bedrock:GetKnowledgeBase",
        "bedrock:GetMarketplaceModelEndpoint",
        "bedrock:GetModelCopyJob",
        "bedrock:GetModelCustomizationJob",
        "bedrock:GetModelInvocationJob",
        "bedrock:GetPrompt",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentCollaborators",
        "bedrock:ListAgentVersions",
        "bedrock:ListAgents",
        "bedrock:ListAsyncInvokes",
        "bedrock:ListBlueprints",
        "bedrock:ListDataSources",
        "bedrock:ListEvaluationJobs",
        "bedrock:ListFlowAliases",
        "bedrock:ListFlows",
        "bedrock:ListFoundationModels",
        "bedrock:ListGuardrails",
        "bedrock:ListImportedModels",
        "bedrock:ListInferenceProfiles",
        "bedrock:ListIngestionJobs",
        "bedrock:ListKnowledgeBaseDocuments",
        "bedrock:ListKnowledgeBases",
        "bedrock:ListMarketplaceModelEndpoints",
        "bedrock:ListModelCopyJobs",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:ListModelInvocationJobs",
        "bedrock:ListPromptRouters",
        "bedrock:ListPrompts",
        "bedrock:ListProvisionedModelThroughputs",
        "cassandra:Select",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetAnomalyMonitors",
        "ce:GetAnomalySubscriptions",
        "ce:GetCostCategories",
        "cloudformation:DescribeGeneratedTemplate",
        "cloudformation:DescribeResourceScan",
        "cloudformation:ListGeneratedTemplates",
        "cloudformation:ListResourceScans",
        "cloudformation:ListTypes",
        "cloudhsm:DescribeBackups",
        "cloudhsm:DescribeClusters",
        "codeartifact:DescribeDomain",
        "codeartifact:DescribePackageGroup",
        "codeartifact:DescribeRepository",
        "codeartifact:ListDomains",
        "codeartifact:ListPackageGroups",
        "codeartifact:ListPackages",
        "codepipeline:GetActionType",
        "codepipeline:ListActionTypes",
        "codepipeline:ListWebhooks",
        "connect:DescribeAgentStatus",
        "connect:DescribeAuthenticationProfile",
        "connect:DescribeContactFlow",
        "connect:DescribeContactFlowModule",
        "connect:DescribeHoursOfOperation",
        "connect:DescribeInstance",
        "connect:DescribeQueue",
        "connect:DescribeQuickConnect",
        "connect:DescribeRoutingProfile",
        "connect:DescribeSecurityProfile",
        "connect:DescribeUser",
        "connect:ListAgentStatuses",
        "connect:ListAuthenticationProfiles",
        "connect:ListContactFlowModules",
        "connect:ListContactFlows",
        "connect:ListHoursOfOperations",
        "connect:ListQueues",
        "connect:ListQuickConnects",
        "connect:ListRoutingProfiles",
        "connect:ListSecurityProfiles",
        "connect:ListUsers",
        "controltower:GetLandingZone",
        "controltower:ListEnabledBaselines",
        "controltower:ListEnabledControls",
        "controltower:ListLandingZones",
        "databrew:ListDatasets",
        "databrew:ListRecipes",
        "databrew:ListRulesets",
        "databrew:ListSchedules",
        "datazone:GetDomain",
        "datazone:ListDomains",
        "deadline:GetBudget",
        "deadline:GetLicenseEndpoint",
        "deadline:GetQueue",
        "deadline:ListBudgets",
        "deadline:ListFarms",
        "deadline:ListFleets",
        "deadline:ListLicenseEndpoints",
        "deadline:ListMonitors",
        "deadline:ListQueues",
        "deadline:ListWorkers",
        "dlm:GetLifecyclePolicies",
        "dlm:GetLifecyclePolicy",
        "docdb-elastic:GetCluster",
        "docdb-elastic:GetClusterSnapshot",
        "docdb-elastic:ListClusterSnapshots",
        "drs:DescribeJobs",
        "drs:DescribeLaunchConfigurationTemplates",
        "drs:DescribeRecoveryInstances",
        "drs:DescribeReplicationConfigurationTemplates",
        "drs:DescribeSourceNetworks",
        "drs:DescribeSourceServers",
        "dsql:GetCluster",
        "dsql:ListClusters",
        "dynamodb:DescribeBackup",
        "dynamodb:DescribeStream",
        "ec2:GetAllowedImagesSettings",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:GetInstanceMetadataDefaults",
        "ec2:GetSerialConsoleAccessStatus",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetVerifiedAccessEndpointPolicy",
        "ec2:GetVerifiedAccessEndpointTargets",
        "ec2:GetVerifiedAccessGroupPolicy",
        "eks:DescribeAccessEntry",
        "eks:DescribeAddon"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "eks:DescribeIdentityProviderConfig",
        "eks:DescribeInsight",
        "eks:DescribePodIdentityAssociation",
        "eks:DescribeUpdate",
        "eks:ListAccessEntries",
        "eks:ListAddons",
        "eks:ListAssociatedAccessPolicies",
        "eks:ListEksAnywhereSubscriptions",
        "eks:ListIdentityProviderConfigs",
        "eks:ListInsights",
        "eks:ListPodIdentityAssociations",
        "elasticmapreduce:ListInstanceFleets",
        "elasticmapreduce:ListInstanceGroups",
        "emr-containers:ListManagedEndpoints",
        "emr-containers:ListSecurityConfigurations",
        "emr-containers:ListVirtualClusters",
        "geo:DescribeGeofenceCollection",
        "geo:DescribeKey",
        "geo:DescribeMap",
        "geo:DescribePlaceIndex",
        "geo:DescribeRouteCalculator",
        "geo:DescribeTracker",
        "geo:ListGeofenceCollections",
        "geo:ListKeys",
        "geo:ListPlaceIndexes",
        "geo:ListRouteCalculators",
        "geo:ListTrackers",
        "glacier:GetVaultNotifications",
        "glue:ListRegistries",
        "grafana:DescribeWorkspace",
        "greengrass:GetComponent",
        "greengrass:GetConnectivityInfo",
        "greengrass:GetCoreDevice",
        "greengrass:GetDeployment",
        "imagebuilder:GetContainerRecipe",
        "imagebuilder:GetDistributionConfiguration",
        "imagebuilder:GetImageRecipe",
        "imagebuilder:GetInfrastructureConfiguration",
        "imagebuilder:GetLifecyclePolicy",
        "imagebuilder:GetWorkflow",
        "imagebuilder:ListComponents",
        "imagebuilder:ListContainerRecipes",
        "imagebuilder:ListDistributionConfigurations",
        "imagebuilder:ListImagePipelines",
        "imagebuilder:ListImageRecipes",
        "imagebuilder:ListImages",
        "imagebuilder:ListInfrastructureConfigurations",
        "imagebuilder:ListLifecyclePolicies",
        "imagebuilder:ListWorkflows",
        "iotsitewise:DescribeAsset",
        "iotsitewise:DescribeAssetModel",
        "iotsitewise:DescribeDashboard",
        "iotsitewise:DescribeDataset",
        "iotsitewise:DescribePortal",
        "iotsitewise:DescribeProject",
        "iotsitewise:ListAssets",
        "iotsitewise:ListDashboards",
        "iotsitewise:ListDatasets",
        "iotsitewise:ListPortals",
        "iotsitewise:ListProjects",
        "iotsitewise:ListTimeSeries",
        "iottwinmaker:GetComponentType",
        "iottwinmaker:GetEntity",
        "iottwinmaker:GetScene",
        "iottwinmaker:GetWorkspace",
        "iottwinmaker:ListComponentTypes",
        "iottwinmaker:ListEntities",
        "iottwinmaker:ListScenes",
        "iotwireless:GetDeviceProfile",
        "iotwireless:GetMulticastGroup",
        "iotwireless:GetNetworkAnalyzerConfiguration",
        "iotwireless:GetServiceProfile",
        "iotwireless:GetWirelessDevice",
        "iotwireless:GetWirelessGateway",
        "iotwireless:ListDestinations",
        "iotwireless:ListDeviceProfiles",
        "iotwireless:ListMulticastGroups",
        "iotwireless:ListNetworkAnalyzerConfigurations",
        "iotwireless:ListServiceProfiles",
        "iotwireless:ListWirelessDevices",
        "iotwireless:ListWirelessGateways",
        "ivs:GetChannel",
        "ivs:GetComposition",
        "ivs:GetEncoderConfiguration",
        "ivs:GetIngestConfiguration",
        "ivs:GetPublicKey",
        "ivs:GetRecordingConfiguration",
        "ivs:GetStage",
        "ivs:ListChannels",
        "ivs:ListCompositions",
        "ivs:ListEncoderConfigurations",
        "ivs:ListIngestConfigurations",
        "ivs:ListPlaybackKeyPairs",
        "ivs:ListPlaybackRestrictionPolicies",
        "ivs:ListPublicKeys",
        "ivs:ListRecordingConfigurations",
        "ivs:ListStages",
        "ivs:ListStorageConfigurations",
        "ivs:ListStreamKeys",
        "ivschat:GetLoggingConfiguration",
        "ivschat:GetRoom",
        "ivschat:ListLoggingConfigurations",
        "ivschat:ListRooms",
        "lambda:GetFunction",
        "launchwizard:GetDeployment",
        "launchwizard:ListDeployments",
        "lightsail:GetAlarms",
        "lightsail:GetCertificates",
        "lightsail:GetDistributions",
        "lightsail:GetInstancePortStates",
        "lightsail:GetRelationalDatabaseParameters",
        "lightsail:GetRelationalDatabaseSnapshots",
        "lightsail:GetRelationalDatabases",
        "lightsail:GetStaticIps",
        "macie2:GetAllowList",
        "macie2:GetCustomDataIdentifier",
        "macie2:GetMacieSession",
        "macie2:ListAllowLists",
        "macie2:ListCustomDataIdentifiers",
        "macie2:ListMembers",
        "managedblockchain:GetAccessor",
        "managedblockchain:GetMember",
        "managedblockchain:GetNetwork",
        "managedblockchain:GetNode",
        "managedblockchain:GetProposal",
        "managedblockchain:ListAccessors",
        "managedblockchain:ListInvitations",
        "managedblockchain:ListMembers",
        "managedblockchain:ListNodes",
        "managedblockchain:ListProposals",
        "medialive:ListChannelPlacementGroups",
        "medialive:ListCloudWatchAlarmTemplateGroups",
        "medialive:ListCloudWatchAlarmTemplates",
        "medialive:ListClusters",
        "medialive:ListEventBridgeRuleTemplateGroups",
        "medialive:ListEventBridgeRuleTemplates",
        "medialive:ListInputDevices",
        "medialive:ListInputSecurityGroups",
        "medialive:ListInputs",
        "medialive:ListMultiplexes",
        "medialive:ListNetworks",
        "medialive:ListNodes",
        "medialive:ListOfferings",
        "medialive:ListReservations",
        "medialive:ListSdiSources",
        "medialive:ListSignalMaps",
        "mediapackage-vod:DescribeAsset",
        "mediapackage-vod:ListAssets",
        "mediapackage-vod:ListPackagingConfigurations",
        "mediapackage:ListChannels",
        "mediapackage:ListHarvestJobs",
        "mediapackagev2:GetChannel",
        "mediapackagev2:GetChannelGroup",
        "mediapackagev2:GetChannelPolicy",
        "mediapackagev2:GetOriginEndpoint",
        "mediapackagev2:GetOriginEndpointPolicy",
        "mediapackagev2:ListChannelGroups",
        "mediapackagev2:ListChannels",
        "mediapackagev2:ListHarvestJobs",
        "mediapackagev2:ListOriginEndpoints",
        "memorydb:DescribeAcls",
        "memorydb:DescribeMultiRegionClusters",
        "memorydb:DescribeParameterGroups",
        "memorydb:DescribeReservedNodes",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:DescribeUsers",
        "mobiletargeting:GetApps",
        "mobiletargeting:GetCampaigns",
        "mobiletargeting:GetChannels",
        "mobiletargeting:GetEventStream",
        "mobiletargeting:GetSegments",
        "mobiletargeting:ListJourneys",
        "mobiletargeting:ListTemplates",
        "network-firewall:DescribeTLSInspectionConfiguration",
        "network-firewall:DescribeVpcEndpointAssociation",
        "network-firewall:ListTLSInspectionConfigurations",
        "network-firewall:ListVpcEndpointAssociations",
        "networkmanager:GetConnectPeer"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "networkmanager:GetConnections",
        "networkmanager:GetCoreNetwork",
        "networkmanager:GetDevices",
        "networkmanager:GetLinks",
        "networkmanager:GetSites",
        "networkmanager:ListAttachments",
        "networkmanager:ListConnectPeers",
        "networkmanager:ListCoreNetworks",
        "networkmanager:ListPeerings",
        "osis:GetPipeline",
        "osis:GetPipelineBlueprint",
        "osis:ListPipelineBlueprints",
        "osis:ListPipelines",
        "payment-cryptography:GetKey",
        "payment-cryptography:ListAliases",
        "payment-cryptography:ListKeys",
        "pca-connector-ad:ListConnectors",
        "pca-connector-ad:ListDirectoryRegistrations",
        "pca-connector-ad:ListTemplates",
        "pca-connector-scep:ListConnectors",
        "personalize:DescribeAlgorithm",
        "personalize:DescribeBatchInferenceJob",
        "personalize:DescribeBatchSegmentJob",
        "personalize:DescribeCampaign",
        "personalize:DescribeDataDeletionJob",
        "personalize:DescribeDataset",
        "personalize:DescribeDatasetExportJob",
        "personalize:DescribeDatasetImportJob",
        "personalize:DescribeEventTracker",
        "personalize:DescribeFeatureTransformation",
        "personalize:DescribeFilter",
        "personalize:DescribeMetricAttribution",
        "personalize:DescribeRecipe",
        "personalize:DescribeRecommender",
        "personalize:DescribeSchema",
        "personalize:DescribeSolution",
        "personalize:ListBatchInferenceJobs",
        "personalize:ListBatchSegmentJobs",
        "personalize:ListCampaigns",
        "personalize:ListDataDeletionJobs",
        "personalize:ListDatasetExportJobs",
        "personalize:ListDatasetImportJobs",
        "personalize:ListDatasets",
        "personalize:ListEventTrackers",
        "personalize:ListFilters",
        "personalize:ListMetricAttributions",
        "personalize:ListRecipes",
        "personalize:ListRecommenders",
        "personalize:ListSchemas",
        "personalize:ListSolutions",
        "pipes:ListPipes",
        "proton:GetComponent",
        "proton:GetDeployment",
        "proton:GetEnvironment",
        "proton:GetEnvironmentAccountConnection",
        "proton:GetEnvironmentTemplate",
        "proton:GetEnvironmentTemplateVersion",
        "proton:GetRepository",
        "proton:GetService",
        "proton:GetServiceInstance",
        "proton:GetServiceTemplate",
        "proton:GetServiceTemplateVersion",
        "proton:ListComponents",
        "proton:ListDeployments",
        "proton:ListEnvironmentAccountConnections",
        "proton:ListEnvironmentTemplateVersions",
        "proton:ListEnvironmentTemplates",
        "proton:ListEnvironments",
        "proton:ListRepositories",
        "proton:ListServiceInstances",
        "proton:ListServiceTemplateVersions",
        "proton:ListServiceTemplates",
        "proton:ListServices",
        "qbusiness:GetApplication",
        "qbusiness:GetDataAccessor",
        "qbusiness:GetDataSource",
        "qbusiness:GetIndex",
        "qbusiness:GetPlugin",
        "qbusiness:GetRetriever",
        "qbusiness:GetWebExperience",
        "qbusiness:ListDataAccessors",
        "qldb:ListJournalKinesisStreamsForLedger",
        "ram:GetResourceShareInvitations",
        "rbin:GetRule",
        "rbin:ListRules",
        "redshift-serverless:ListEndpointAccess",
        "redshift-serverless:ListManagedWorkgroups",
        "redshift-serverless:ListNamespaces",
        "redshift-serverless:ListRecoveryPoints",
        "redshift-serverless:ListSnapshots",
        "resiliencehub:DescribeApp",
        "resiliencehub:DescribeAppAssessment",
        "resiliencehub:ListAppAssessments",
        "resiliencehub:ListApps",
        "resiliencehub:ListResiliencyPolicies",
        "resource-explorer-2:GetIndex",
        "resource-explorer-2:GetManagedView",
        "resource-explorer-2:GetView",
        "resource-explorer-2:ListManagedViews",
        "resource-explorer-2:ListViews",
        "resource-groups:GetGroup",
        "resource-groups:ListGroups",
        "route53-recovery-readiness:ListCells",
        "route53-recovery-readiness:ListReadinessChecks",
        "route53-recovery-readiness:ListRecoveryGroups",
        "route53-recovery-readiness:ListResourceSets",
        "rum:GetAppMonitor",
        "rum:ListAppMonitors",
        "s3-outposts:ListRegionalBuckets",
        "savingsplans:DescribeSavingsPlanRates",
        "savingsplans:DescribeSavingsPlans",
        "scheduler:GetSchedule",
        "scheduler:ListScheduleGroups",
        "scheduler:ListSchedules",
        "securitylake:ListDataLakes",
        "securitylake:ListSubscribers",
        "servicecatalog:DescribePortfolio",
        "servicecatalog:DescribeProduct",
        "servicecatalog:GetApplication",
        "servicecatalog:GetAttributeGroup",
        "servicecatalog:ListApplications",
        "servicecatalog:ListAttributeGroups",
        "servicecatalog:ListPortfolios",
        "servicecatalog:SearchProducts",
        "servicediscovery:GetNamespace",
        "servicediscovery:GetService",
        "servicediscovery:ListNamespaces",
        "servicediscovery:ListServices",
        "ses:GetArchive",
        "ses:GetContactList",
        "ses:GetCustomVerificationEmailTemplate",
        "ses:GetDedicatedIpPool",
        "ses:GetIdentityMailFromDomainAttributes",
        "ses:GetIngressPoint",
        "ses:GetMultiRegionEndpoint",
        "ses:GetRelay",
        "ses:GetRuleSet",
        "ses:GetTemplate",
        "ses:GetTrafficPolicy",
        "ses:ListAddonInstances",
        "ses:ListAddonSubscriptions",
        "ses:ListAddressLists",
        "ses:ListArchives",
        "ses:ListContactLists",
        "ses:ListCustomVerificationEmailTemplates",
        "ses:ListIngressPoints",
        "ses:ListMultiRegionEndpoints",
        "ses:ListRelays",
        "ses:ListRuleSets",
        "ses:ListTemplates",
        "ses:ListTrafficPolicies",
        "signer:GetSigningProfile",
        "signer:ListSigningProfiles",
        "sms-voice:DescribeConfigurationSets",
        "sms-voice:DescribeOptOutLists",
        "sms-voice:DescribePhoneNumbers",
        "sms-voice:DescribePools",
        "sms-voice:DescribeProtectConfigurations",
        "sms-voice:DescribeRegistrationAttachments",
        "sms-voice:DescribeRegistrations",
        "sms-voice:DescribeSenderIds",
        "sms-voice:DescribeVerifiedDestinationNumbers",
        "snowball:DescribeCluster",
        "snowball:DescribeJob",
        "sns:ListEndpointsByPlatformApplication",
        "sns:ListPlatformApplications",
        "social-messaging:GetLinkedWhatsAppBusinessAccount",
        "social-messaging:ListLinkedWhatsAppBusinessAccounts",
        "sqs:GetQueueUrl",
        "ssm-incidents:GetIncidentRecord",
        "ssm-incidents:GetReplicationSet",
        "ssm-incidents:GetResponsePlan",
        "ssm-incidents:ListIncidentRecords",
        "ssm-incidents:ListReplicationSets",
        "ssm-incidents:ListResponsePlans",
        "ssm:GetMaintenanceWindow",
        "ssm:GetOpsItem"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:GetPatchBaseline",
        "states:ListActivities",
        "states:ListExecutions",
        "states:ListMapRuns",
        "states:ListStateMachineAliases",
        "storagegateway:DescribeFileSystemAssociations",
        "storagegateway:DescribeSMBFileShares",
        "timestream:ListScheduledQueries",
        "timestream:ListTables",
        "transcribe:GetCallAnalyticsJob",
        "transcribe:GetMedicalScribeJob",
        "transcribe:GetMedicalTranscriptionJob",
        "transcribe:GetTranscriptionJob",
        "transcribe:ListMedicalScribeJobs",
        "translate:GetParallelData",
        "translate:GetTerminology",
        "verifiedpermissions:GetPolicyStore",
        "verifiedpermissions:ListIdentitySources",
        "verifiedpermissions:ListPolicies",
        "verifiedpermissions:ListPolicyStores",
        "verifiedpermissions:ListPolicyTemplates",
        "vpc-lattice:GetListener",
        "vpc-lattice:GetResourceConfiguration",
        "vpc-lattice:GetResourceGateway",
        "vpc-lattice:GetRule",
        "vpc-lattice:GetService",
        "vpc-lattice:GetServiceNetwork",
        "vpc-lattice:GetTargetGroup",
        "vpc-lattice:ListAccessLogSubscriptions",
        "vpc-lattice:ListListeners",
        "vpc-lattice:ListResourceConfigurations",
        "vpc-lattice:ListResourceEndpointAssociations",
        "vpc-lattice:ListResourceGateways",
        "vpc-lattice:ListRules",
        "vpc-lattice:ListServiceNetworkResourceAssociations",
        "vpc-lattice:ListServiceNetworkServiceAssociations",
        "vpc-lattice:ListServiceNetworkVpcAssociations",
        "vpc-lattice:ListServiceNetworks",
        "vpc-lattice:ListServices",
        "vpc-lattice:ListTargetGroups",
        "waf-regional:GetRule",
        "waf-regional:GetRuleGroup",
        "waf-regional:ListRuleGroups",
        "waf-regional:ListRules",
        "waf:GetRule",
        "waf:GetRuleGroup",
        "waf:ListRuleGroups",
        "waf:ListRules",
        "wafv2:GetIPSet",
        "wafv2:GetRegexPatternSet",
        "wafv2:GetRuleGroup",
        "workmail:DescribeOrganization",
        "workmail:ListOrganizations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
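
An added example (not part of the original page and not Datadog code) that parses policy documents listed back to back like the ones above and flags what a reviewer should look at before attaching them: wildcard actions, verbs outside Describe/Get/List/BatchGet, and documents over IAM's 6,144-character managed policy limit. The sample input is constructed from action names on this page; the verb prefix list is a reviewer's assumption, not an AWS classification.

```python
import json

# Constructed sample: two abbreviated policy documents placed back to back,
# the way the page lists them. Action names are taken from the page.
SAMPLE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["eks:DescribeAddon", "lambda:GetFunction", "cassandra:Select"],
     "Effect": "Allow", "Resource": "*"}
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["servicecatalog:SearchProducts", "athena:BatchGetNamedQuery",
                "ses:ListTemplates"],
     "Effect": "Allow", "Resource": "*"}
  ]
}
"""

# Verb prefixes treated as read-style calls (assumption made for this review,
# not an AWS classification). Matching is case-sensitive on purpose, so a
# method-style action such as apigateway:GET is surfaced for review.
READ_PREFIXES = ("Describe", "Get", "List", "BatchGet")

# IAM managed policy size limit in characters; IAM does not count whitespace.
MANAGED_POLICY_LIMIT = 6144


def split_policies(text):
    """Parse JSON documents that are concatenated with no separator."""
    decoder = json.JSONDecoder()
    docs, pos = [], 0
    while True:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return docs
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)


def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def audit(docs):
    """Return counts and findings for a list of parsed policy documents."""
    report = {"actions": 0, "wildcards": [], "review": [], "oversized": []}
    for index, doc in enumerate(docs):
        # Compact serialization approximates the whitespace-free size IAM checks.
        size = len(json.dumps(doc, separators=(",", ":")))
        if size > MANAGED_POLICY_LIMIT:
            report["oversized"].append((index, size))
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if "NotAction" in stmt:
                # Allow + NotAction grants everything except the listed actions.
                report["wildcards"].append("NotAction in document %d" % index)
            for action in as_list(stmt.get("Action", [])):
                report["actions"] += 1
                _service, _, verb = action.partition(":")
                if "*" in action:
                    report["wildcards"].append(action)
                elif not verb.startswith(READ_PREFIXES):
                    report["review"].append(action)
    report["review"].sort()
    return report


if __name__ == "__main__":
    result = audit(split_policies(SAMPLE))
    print("actions granted:", result["actions"])
    print("wildcards:", result["wildcards"])
    print("needs manual review:", result["review"])
    print("over managed policy limit:", result["oversized"])
```

Actions listed under "needs manual review" are not necessarily writes; they are the ones whose names alone do not show that they are read-only and should be checked against the service's IAM reference.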

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

  • Warning messages appear on the AWS integration tile in Datadog if you enable resource collection but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
  • To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
  • AWS GovCloud and AWS China accounts are not currently supported.

Log collection

There are two ways to send AWS service logs to Datadog:

  • Amazon Data Firehose destination: Use the Datadog destination in your Amazon Data Firehose delivery stream to forward logs to Datadog. We recommend this approach for sending high volumes of logs from CloudWatch.
  • Forwarder Lambda function: Deploy the Datadog Forwarder Lambda function, which subscribes to S3 buckets or your CloudWatch log groups and forwards logs to Datadog. Datadog also recommends this approach for sending logs from S3 or other resources that cannot stream data directly to Amazon Data Firehose.

Metric collection

There are two ways to send AWS metrics to Datadog:

  • Metric polling: API polling is included out of the box with the AWS integration. A metric-by-metric crawl of the CloudWatch API pulls data and sends it to Datadog. On average, new metrics are pulled every ten minutes.
  • Metric Streams with Amazon Data Firehose: You can use Amazon CloudWatch Metric Streams and Amazon Data Firehose to see your metrics. Note: This method has a latency of two to three minutes and requires its own setup.

The Integrations page has a complete list of the available sub-integrations. Many of these integrations are installed by default when Datadog recognizes data coming from your AWS account. For options to exclude specific resources and control your costs, see the AWS Integration Billing page.

Resource collection

Some Datadog products use configuration information about your AWS resources (such as S3 buckets, RDS snapshots, and CloudFront distributions). Datadog collects this information by making read-only API calls to your AWS account.

Resource types and permissions

The following sections list the resource types collected for the different Datadog products and the associated permissions required for the Datadog IAM role to collect data on your behalf. Add these permissions to your existing AWS integration IAM policy (with the SecurityAudit policy attached).

Resource TypePermissions
aws:ec2:volumeec2:DescribeVolumes
aws:ec2:availabilityzoneec2:DescribeAvailabilityZones
aws:ec2:instanceec2:DescribeInstances
Resource TypePermissions
aws:apigateway:apiapigateway:GET
aws:apigatewayv2:apiapigateway:GetApis,
apigateway:GetRoutes
aws:autoscaling:groupautoscaling:DescribeAutoScalingGroups
aws:cloudfront:distributioncloudfront:GetDistribution,
cloudfront:ListDistributions
| aws:directconnect:connection | directconnect:DescribeConnections |
| aws:docdb:cluster | rds:DescribeDBClusters |
| aws:dynamodb:table | dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables |
| aws:ec2:ebs-encryption-by-default | ec2:GetEbsEncryptionByDefault |
| aws:ec2:snapshot | ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots |
| aws:ec2:volume | ec2:DescribeVolumes |
| aws:ec2:availabilityzone | ec2:DescribeAvailabilityZones |
| aws:ec2:customergateway | ec2:DescribeCustomerGateways |
| aws:ec2:vpnconnection | ec2:DescribeVpnConnections |
| aws:ec2:vpngateway | ec2:DescribeVpnGateways |
| aws:ec2:instance | ec2:DescribeInstances |
| aws:ec2:securitygroup | ec2:DescribeSecurityGroups |
| aws:ec2:vpcendpoint | ec2:DescribeVpcEndpoints |
| aws:ec2:vpc | ec2:DescribeVpcs |
| aws:ec2:vpcinternetgateway | ec2:DescribeInternetGateways |
| aws:ec2:vpcnatgateway | ec2:DescribeNatGateways |
| aws:ecr:repository | ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy |
| aws:ecrpublic:repository | ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy |
| aws:ecs:cluster | ecs:DescribeClusters, ecs:ListClusters |
| aws:ecs:service | ecs:DescribeServices, ecs:ListClusters, ecs:ListServices |
| aws:efs:accesspoint | elasticfilesystem:DescribeAccessPoints |
| aws:efs:filesystem | elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration |
| aws:efs:mounttarget | elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargetSecurityGroups, elasticfilesystem:DescribeMountTargets |
| aws:eks:cluster | eks:DescribeCluster, eks:ListClusters |
| aws:eks:nodegroup | eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups |
| aws:elasticache:cachesubnetgroup | elasticache:DescribeCacheSubnetGroups |
| aws:elasticache:parametergroup | elasticache:DescribeCacheParameterGroups |
| aws:elasticache:replicationgroup | elasticache:DescribeReplicationGroups |
| aws:elasticache:securitygroup | elasticache:DescribeCacheSecurityGroups |
| aws:elasticache:snapshot | elasticache:DescribeSnapshots |
| aws:elasticache:user | elasticache:DescribeUsers |
| aws:elasticache:usergroup | elasticache:DescribeUserGroups |
| aws:elasticache:cluster | elasticache:DescribeCacheClusters |
| aws:elasticloadbalancing:loadbalancer | elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers |
| aws:elasticloadbalancingv2:loadbalancer | elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers |
| aws:elasticsearchservice:domain | es:DescribeElasticsearchDomains, es:ListDomainNames |
| aws:eventbridge:eventbus | events:ListEventBuses, events:ListRules |
| aws:fsx:backup | fsx:DescribeBackups |
| aws:fsx:file-system | fsx:DescribeFileSystems |
| aws:glacier:vault | glacier:GetVaultNotifications, glacier:ListVaults |
| aws:keyspaces:keyspace | cassandra:Select |
| aws:kinesis:stream | kinesis:DescribeStreamSummary, kinesis:ListStreams |
| aws:lambda:function | lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs |
| aws:neptune:cluster | rds:DescribeDBClusters |
| aws:neptune:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots |
| aws:neptune:dbinstance | rds:DescribeDBInstances |
| aws:rds:cluster | rds:DescribeDBClusters |
| aws:rds:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots |
| aws:rds:dbclusterparametergroup | rds:DescribeDBClusterParameterGroups |
| aws:rds:dbinstanceautomatedbackup | rds:DescribeDBInstanceAutomatedBackups |
| aws:rds:dbparametergroup | rds:DescribeDBParameterGroups |
| aws:rds:dbsubnetgroup | rds:DescribeDBSubnetGroups |
| aws:rds:eventsubscription | rds:DescribeEventSubscriptions |
| aws:rds:exporttask | rds:DescribeExportTasks |
| aws:rds:instance | rds:DescribeDBInstances |
| aws:rds:optiongroup | rds:DescribeOptionGroups |
| aws:rds:securitygroup | rds:DescribeDBSecurityGroups |
| aws:rds:snapshot | rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots |
| aws:rds:reserveddbinstance | rds:DescribeReservedDBInstances |
| aws:redshift:eventsubscription | redshift:DescribeEventSubscriptions |
| aws:redshift:parametergroup | redshift:DescribeClusterParameterGroups |
| aws:redshift:securitygroup | redshift:DescribeClusterSecurityGroups |
| aws:redshift:snapshot | redshift:DescribeClusterSnapshots, redshift:DescribeClusters |
| aws:redshift:subnetgroup | redshift:DescribeClusterSubnetGroups, redshift:DescribeClusters |
| aws:route53:hostedzone | route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones |
| aws:s3:bucket | s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets |
| aws:sns:subscription | sns:ListSubscriptions |
| aws:sns:topic | sns:GetTopicAttributes, sns:ListTopics |
| aws:sqs:queue | sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues |
| aws:ec2:subnet | ec2:DescribeSubnets |
| aws:timestreamwrite:table | timestream:ListTables |
| aws:ec2:transitgateway | ec2:DescribeTransitGateways |
| aws:waf:acl | waf:GetWebACL, waf:ListWebACLs |
| aws:waf:rule | waf:GetRule, waf:ListRules |
| aws:waf:rulegroup | waf:GetRuleGroup, waf:ListRuleGroups |
| aws:wafregional:acl | waf-regional:GetWebACL, waf-regional:ListWebACLs |
| aws:wafregional:rule | waf-regional:GetRule, waf-regional:ListRules |
| aws:wafregional:rulegroup | waf-regional:GetRuleGroup, waf-regional:ListRuleGroups |
| aws:wafv2:acl | wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs |

| Resource Type | Permissions |
| --- | --- |
| aws:accessanalyzer:analyzer | access-analyzer:GetAnalyzer, access-analyzer:ListAnalyzers |
| aws:account:account | organizations:DescribeOrganization, account:GetAlternateContact, account:GetContactInformation, account:GetPrimaryEmail, organizations:ListAccounts |
| aws:acm:acm | acm:DescribeCertificate, acm:ListCertificates |
| aws:apigateway:api | apigateway:GET |
| aws:apigateway:integration | apigateway:GetMethod, apigateway:GetResources, apigateway:GET |
| aws:apigateway:stage | apigateway:GET, apigateway:GET |
| aws:apigatewayv2:api | apigateway:GetApis, apigateway:GetRoutes |
| aws:apigatewayv2:route | apigateway:GetApis, apigateway:GetRoutes |
| aws:apigatewayv2:stage | apigateway:GetApis, apigateway:GetStages |
| aws:applicationautoscaling:scalingactivity | applicationautoscaling:DescribeScalingActivities |
| aws:appsync:graphqlapi | appsync:GetGraphqlApi, appsync:ListGraphqlApis |
| aws:athena:workgroup | athena:GetWorkGroup, athena:ListWorkGroups |
| aws:autoscaling:group | autoscaling:DescribeAutoScalingGroups |
| aws:autoscaling:launchconfiguration | autoscaling:DescribeLaunchConfigurations |
| aws:backup:plan | backup:ListBackupPlans |
| aws:backup:recoverypoint | backup:ListBackupVaults, backup:ListRecoveryPointsByBackupVault |
| aws:cloudformation:stack | cloudformation:DescribeStacks, cloudformation:ListStacks |
| aws:cloudfront:distribution | cloudfront:GetDistribution, cloudfront:ListDistributions |
| aws:cloudtrail:trail | cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus |
| aws:cloudwatchlogs:metricfilter | logs:DescribeMetricFilters |
| aws:codebuild:project | codebuild:BatchGetProjects, codebuild:ListProjects |
| aws:cognitoidentity:identitypool | cognito-identity:DescribeIdentityPool, cognito-identity:GetIdentityPoolRoles, cognito-identity:ListIdentityPools |
| aws:cognitoidentityprovider:userpool | cognito-idp:DescribeUserPool, cognito-idp:ListIdentityProviders, cognito-idp:ListUserPools |
| aws:configservice:recorder | config:DescribeConfigurationRecorders |
| aws:configservice:recorderstatus | config:DescribeConfigurationRecorderStatus |
| aws:dms:endpoint | dms:DescribeEndpoints |
| aws:dms:replicationinstance | dms:DescribeReplicationInstances |
| aws:dms:replicationtask | dms:DescribeReplicationTasks |
| aws:dax:cluster | dax:DescribeClusters |
| aws:docdb:cluster | rds:DescribeDBClusters |
| aws:dynamodb:table | dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables |
| aws:ec2:ebs-encryption-by-default | ec2:GetEbsEncryptionByDefault |
| aws:ec2:snapshot | ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots |
| aws:ec2:volume | ec2:DescribeVolumes |
| aws:ec2:image | ec2:DescribeImageAttribute, ec2:DescribeImages |
| aws:ec2:vpnconnection | ec2:DescribeVpnConnections |
| aws:ec2:instance | ec2:DescribeInstances |
| aws:ec2:launchtemplateversion | ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates |
| aws:ec2:networkacl | ec2:DescribeNetworkAcls |
| aws:ec2:networkinterface | ec2:DescribeNetworkInterfaces |
| aws:ec2:publicimage | ec2:DescribeImages |
| aws:ec2:region | ec2:DescribeRegions |
| aws:ec2:securitygroup | ec2:DescribeSecurityGroups |
| aws:ec2:vpcendpoint | ec2:DescribeVpcEndpoints |
| aws:ec2:vpc | ec2:DescribeVpcs |
| aws:ec2:vpcflowlog | ec2:DescribeFlowLogs |
| aws:ec2:elasticip | ec2:DescribeAddresses |
| aws:ec2:vpcinternetgateway | ec2:DescribeInternetGateways |
| aws:ec2:vpcnatgateway | ec2:DescribeNatGateways |
| aws:ec2:routetable | ec2:DescribeRouteTables |
| aws:ec2:client-vpn-endpoint | ec2:DescribeClientVpnEndpoints |
| aws:ecr:repository | ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy |
| aws:ecrpublic:repository | ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy |
| aws:ecs:cluster | ecs:DescribeClusters, ecs:ListClusters |
| aws:ecs:service | ecs:DescribeServices, ecs:ListClusters, ecs:ListServices |
| aws:ecs:task | ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks |
| aws:ecs:task-definition | ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks |
| aws:efs:accesspoint | elasticfilesystem:DescribeAccessPoints |
| aws:efs:filesystem | elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration |
| aws:eks:cluster | eks:DescribeCluster, eks:ListClusters |
| aws:eks:nodegroup | eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups |
| aws:elasticache:replicationgroup | elasticache:DescribeReplicationGroups |
| aws:elasticache:cluster | elasticache:DescribeCacheClusters |
| aws:elasticbeanstalk:environment | elasticbeanstalk:DescribeConfigurationSettings, elasticbeanstalk:DescribeEnvironments |
| aws:elasticloadbalancing:loadbalancer | elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers |
| aws:elasticloadbalancingv2:loadbalancer | elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers |
| aws:elasticloadbalancingv2:targetgroup | elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth |
| aws:elasticsearchservice:domain | es:DescribeElasticsearchDomains, es:ListDomainNames |
| aws:emr:cluster | elasticmapreduce:DescribeCluster, elasticmapreduce:GetAutoTerminationPolicy, elasticmapreduce:GetManagedScalingPolicy, elasticmapreduce:ListClusters |
| aws:eventbridge:eventbus | events:ListEventBuses, events:ListRules |
| aws:iam:account | organizations:DescribeOrganization, iam:GetAccountPasswordPolicy, iam:GetAccountSummary |
| aws:iam:instanceprofile | iam:GetInstanceProfile, iam:ListInstanceProfiles |
| aws:iam:server-certificate | iam:ListServerCertificates |
| aws:iam:group | iam:GetGroup, iam:ListAttachedGroupPolicies, iam:ListGroups |
| aws:iam:groupinlinepolicy | iam:GetGroupPolicy, iam:ListGroupPolicies, iam:ListGroups |
| aws:iam:policy | iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies |
| aws:iam:role | iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies |
| aws:iam:roleinlinepolicy | iam:GetAccountAuthorizationDetails |
| aws:iam:accesskeymetadata | iam:GetUser, iam:ListAccessKeys, iam:ListUsers, iam:ListVirtualMFADevices |
| aws:iam:user | iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices |
| aws:iam:userinlinepolicy | iam:GetUser, iam:GetUserPolicy, iam:ListUserPolicies, iam:ListUsers, iam:ListVirtualMFADevices |
| aws:iam:virtualmfadevice | iam:ListUsers, iam:ListVirtualMFADevices |
| aws:kinesis:stream | kinesis:DescribeStreamSummary, kinesis:ListStreams |
| aws:kms:alias | kms:GetKeyPolicy, kms:ListAliases |
| aws:kms:key | kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys |
| aws:lambda:eventsourcemapping | lambda:ListEventSourceMappings, lambda:ListFunctions |
| aws:lambda:function | lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs |
| aws:lightsail:instance | lightsail:GetInstancePortStates, lightsail:GetInstances |
| aws:cloudwatch:metricalarm | cloudwatch:DescribeAlarms |
| aws:cloudwatchlogs:metricfilter | logs:DescribeMetricFilters |
| aws:neptune:cluster | rds:DescribeDBClusters |
| aws:neptune:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots |
| aws:neptune:dbinstance | rds:DescribeDBInstances |
| aws:network-firewall:firewall | network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls |
| aws:opensearch:domain | es:DescribeDomain, es:ListDomainNames |
| aws:rds:cluster | rds:DescribeDBClusters |
| aws:rds:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots |
| aws:rds:eventsubscription | rds:DescribeEventSubscriptions |
| aws:rds:instance | rds:DescribeDBInstances |
| aws:rds:snapshot | rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots |
| aws:redshift:cluster | redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus |
| aws:route53:hostedzone | route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones |
| aws:route53:resourcerecordset | route53:ListHostedZones, route53:ListResourceRecordSets |
| aws:route53domains:domain | route53domains:ListDomains |
| aws:s3:bucket | s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets |
| aws:s3control:accountpublicaccessblock | s3:GetBucketPublicAccessBlock |
| aws:sagemaker:notebookinstance | sagemaker:DescribeNotebookInstance, sagemaker:ListNotebookInstances |
| aws:secretsmanager:secret | secretsmanager:DescribeSecret, secretsmanager:GetResourcePolicy, secretsmanager:ListSecrets |
| aws:securityhub:hub | securityhub:DescribeHub |
| aws:sfn:statemachine | states:DescribeStateMachine, states:ListStateMachines |
| aws:sns:topic | sns:GetTopicAttributes, sns:ListTopics |
| aws:sqs:queue | sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues |
| aws:ssm:instance | ssm:DescribeInstanceInformation, ssm:ListComplianceItems |
| aws:ec2:subnet | ec2:DescribeSubnets |
| aws:ec2:transitgateway | ec2:DescribeTransitGateways |
| aws:wafv2:acl | wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListWebACLs |
| aws:wafv2:ipset | wafv2:GetIPSet, wafv2:ListIPSets |
| aws:wafv2:regexpatternset | wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets |
| aws:wafv2:rulegroup | wafv2:GetRuleGroup, wafv2:ListRuleGroups |
| aws:wafv2:acl | wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs |
| aws:wafv2:ipset | wafv2:GetIPSet, wafv2:ListIPSets |
| aws:wafv2:regexpatternset | wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets |
| aws:wafv2:rulegroup | wafv2:GetRuleGroup, wafv2:ListRuleGroups |
| aws:iam:credentialreport | iam:GenerateCredentialReport, iam:GetCredentialReport |

| Resource Type | Permissions |
| --- | --- |
| aws:ec2:vpngateway | ec2:DescribeVpnGateways |
| aws:ec2:egressonlyinternetgateway | ec2:DescribeEgressOnlyInternetGateways |
| aws:ec2:vpcinternetgateway | ec2:DescribeInternetGateways |
| aws:ec2:vpcnatgateway | ec2:DescribeNatGateways |
| aws:ec2:vpcendpointconnectionnotification | ec2:DescribeVpcEndpointConnectionNotifications |
| aws:ec2:vpcpeeringconnection | ec2:DescribeVpcPeeringConnections |
| aws:network-firewall:firewall | network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls |
| aws:ec2:transitgateway | ec2:DescribeTransitGateways |

| Resource Type | Permissions |
| --- | --- |
| aws:acm:acm | acm:DescribeCertificate, acm:ListCertificates |
| aws:cloudfront:distribution | cloudfront:GetDistribution, cloudfront:ListDistributions |
| aws:cloudtrail:trail | cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus |
| aws:docdb:cluster | rds:DescribeDBClusters |
| aws:dynamodb:table | dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables |
| aws:ec2:snapshot | ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots |
| aws:ec2:volume | ec2:DescribeVolumes |
| aws:ec2:image | ec2:DescribeImageAttribute, ec2:DescribeImages |
| aws:ec2:instance | ec2:DescribeInstances |
| aws:ec2:networkacl | ec2:DescribeNetworkAcls |
| aws:ec2:networkinterface | ec2:DescribeNetworkInterfaces |
| aws:ec2:securitygroup | ec2:DescribeSecurityGroups |
| aws:ec2:vpcendpoint | ec2:DescribeVpcEndpoints |
| aws:ec2:vpc | ec2:DescribeVpcs |
| aws:ec2:vpcnatgateway | ec2:DescribeNatGateways |
| aws:ecs:cluster | ecs:DescribeClusters, ecs:ListClusters |
| aws:eks:cluster | eks:DescribeCluster, eks:ListClusters |
| aws:elasticache:cluster | elasticache:DescribeCacheClusters |
| aws:elasticloadbalancing:loadbalancer | elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers |
| aws:elasticloadbalancingv2:loadbalancer | elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers |
| aws:elasticsearchservice:domain | es:DescribeElasticsearchDomains, es:ListDomainNames |
| aws:iam:account | organizations:DescribeOrganization, iam:GetAccountPasswordPolicy, iam:GetAccountSummary |
| aws:iam:server-certificate | iam:ListServerCertificates |
| aws:iam:policy | iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies |
| aws:iam:role | iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies |
| aws:iam:user | iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices |
| aws:kms:key | kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys |
| aws:lambda:function | lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs |
| aws:mq:broker | mq:DescribeBroker, mq:ListBrokers |
| aws:rds:instance | rds:DescribeDBInstances |
| aws:rds:snapshot | rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots |
| aws:redshift:cluster | redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus |
| aws:s3:bucket | s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets |
| aws:s3control:accountpublicaccessblock | s3:GetBucketPublicAccessBlock |
| aws:sns:topic | sns:GetTopicAttributes, sns:ListTopics |
| aws:sqs:queue | sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues |

Upcoming Releases

The permissions listed here reflect resources that are planned to be added in the next 30 days. Include these permissions in your existing AWS integration IAM policy (with the SecurityAudit policy attached) to get the full benefit of Datadog's resource coverage and tracking.

[
  "auditmanager:GetAssessment",
  "auditmanager:GetAssessmentFramework",
  "auditmanager:GetControl",
  "codeguru-profiler:ListFindingsReports",
  "codeguru-profiler:ListProfilingGroups",
  "codeguru-reviewer:ListCodeReviews",
  "codeguru-reviewer:ListRepositoryAssociations",
  "codeguru-security:GetFindings",
  "codeguru-security:GetScan",
  "codeguru-security:ListScans",
  "devicefarm:ListDeviceInstances",
  "devicefarm:ListDevicePools",
  "devicefarm:ListDevices",
  "devicefarm:ListInstanceProfiles",
  "devicefarm:ListNetworkProfiles",
  "devicefarm:ListRemoteAccessSessions",
  "devicefarm:ListTestGridProjects",
  "devicefarm:ListTestGridSessions",
  "devicefarm:ListUploads",
  "devicefarm:ListVPCEConfigurations",
  "frauddetector:DescribeDetector",
  "frauddetector:DescribeModelVersions",
  "frauddetector:GetBatchImportJobs",
  "frauddetector:GetBatchPredictionJobs",
  "frauddetector:GetDetectorVersion",
  "frauddetector:GetEntityTypes",
  "frauddetector:GetEventTypes",
  "frauddetector:GetExternalModels",
  "frauddetector:GetLabels",
  "frauddetector:GetListsMetadata",
  "frauddetector:GetModels",
  "frauddetector:GetOutcomes",
  "frauddetector:GetRules",
  "frauddetector:GetVariables",
  "gamelift:DescribeGameSessionQueues",
  "gamelift:DescribeMatchmakingConfigurations",
  "gamelift:DescribeMatchmakingRuleSets",
  "gamelift:ListAliases",
  "gamelift:ListContainerFleets",
  "gamelift:ListContainerGroupDefinitions",
  "gamelift:ListGameServerGroups",
  "gamelift:ListLocations",
  "gamelift:ListScripts",
  "greengrass:GetBulkDeploymentStatus",
  "greengrass:GetGroup",
  "iotfleetwise:GetCampaign",
  "iotfleetwise:GetSignalCatalog",
  "iotfleetwise:GetStateTemplate",
  "iotfleetwise:GetVehicle",
  "iotfleetwise:ListCampaigns",
  "iotfleetwise:ListDecoderManifests",
  "iotfleetwise:ListFleets",
  "iotfleetwise:ListSignalCatalogs",
  "iotfleetwise:ListStateTemplates",
  "iotfleetwise:ListVehicles",
  "lakeformation:GetDataLakeSettings",
  "lakeformation:ListPermissions",
  "refactor-spaces:ListApplications",
  "refactor-spaces:ListEnvironments",
  "refactor-spaces:ListRoutes",
  "refactor-spaces:ListServices",
  "textract:GetAdapter",
  "textract:GetAdapterVersion",
  "textract:ListAdapterVersions",
  "textract:ListAdapters",
  "workspaces-web:GetBrowserSettings",
  "workspaces-web:GetDataProtectionSettings",
  "workspaces-web:GetIdentityProvider",
  "workspaces-web:GetIpAccessSettings",
  "workspaces-web:GetNetworkSettings",
  "workspaces-web:GetTrustStore",
  "workspaces-web:GetUserAccessLoggingSettings",
  "workspaces-web:GetUserSettings",
  "workspaces-web:ListBrowserSettings",
  "workspaces-web:ListDataProtectionSettings",
  "workspaces-web:ListIdentityProviders",
  "workspaces-web:ListIpAccessSettings",
  "workspaces-web:ListNetworkSettings",
  "workspaces-web:ListPortals",
  "workspaces-web:ListTrustStores",
  "workspaces-web:ListUserAccessLoggingSettings",
  "workspaces-web:ListUserSettings"
]
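
One way to check whether an existing integration policy already grants the permissions in this list, as an added example (not Datadog's or AWS's code). It evaluates a single identity policy document; the sample policy, the subset of actions and the function names are constructed for illustration, and reporting scoped or conditional allows as "restricted" is an assumption of this example.

```python
import fnmatch
import json

# Subset of the upcoming permissions listed above, enough to show each outcome.
REQUIRED = [
    "auditmanager:GetAssessment",
    "codeguru-security:ListScans",
    "devicefarm:ListDevices",
    "lakeformation:ListPermissions",
    "textract:GetAdapter",
    "workspaces-web:ListPortals",
]

# Constructed policy document for illustration, not a real account's policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["auditmanager:Get*", "devicefarm:List*", "textract:getadapter"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "lakeformation:ListPermissions",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Deny", "Action": "devicefarm:ListDevices", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(stmt, action):
    """True if the statement's Action/NotAction element applies to `action`.

    IAM action names are case-insensitive and support '*' and '?' wildcards.
    """
    name = action.lower()
    if "NotAction" in stmt:
        patterns = _as_list(stmt["NotAction"])
        return not any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)
    patterns = _as_list(stmt.get("Action"))
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def audit_policy(policy, required):
    """Map each required action to granted / restricted / denied / missing."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    report = {}
    for action in required:
        status = "missing"
        for stmt in statements:
            if not _covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                # Explicit deny wins over any allow; a conditional or scoped
                # deny is reported as denied too, so it gets reviewed.
                status = "denied"
                break
            unrestricted = ("*" in _as_list(stmt.get("Resource"))
                            and "Condition" not in stmt)
            if unrestricted:
                status = "granted"
            elif status == "missing":
                status = "restricted"  # allowed only on some resources/conditions
        report[action] = status
    return report


def not_granted(policy, required):
    """Sorted list of required actions that are not unconditionally granted."""
    report = audit_policy(policy, required)
    return sorted(a for a, s in report.items() if s != "granted")


if __name__ == "__main__":
    for action, status in audit_policy(SAMPLE_POLICY, REQUIRED).items():
        print(f"{status:10} {action}")
```

When the role has several policies attached, pass a document whose `Statement` list concatenates their statements, so that a deny in one policy is weighed against an allow in another.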

Cloud Security

Setup

If you do not have the AWS integration set up for your AWS account, complete the setup process above. Make sure to enable Cloud Security when it is mentioned.

Note: The AWS integration must be set up with Role Delegation to use this feature.

To add Cloud Security to an existing AWS integration, follow the steps below to enable resource collection.

  1. Grant the necessary permissions to the Datadog IAM role by attaching the AWS managed SecurityAudit policy to your Datadog AWS IAM role. You can find this policy in the AWS console.

  2. Complete the setup on the Datadog AWS integration page with the steps below. Alternatively, you can use the Update an AWS Integration API endpoint.

    1. Select the AWS account where you want to enable resource collection.
    2. On the Resource collection tab, click Enable next to Cloud Security. You are redirected to the Cloud Security setup page, and a setup dialog automatically opens for the selected account.
    3. In the setup dialog, select the Enable Resource Scanning checkbox.
    4. Click Done to complete the setup.

Alarm collection

There are two ways to send AWS CloudWatch alarms to the Datadog Events Explorer:

  • Alarm polling: Alarm polling comes out of the box with the AWS integration and fetches metric alarms through the DescribeAlarmHistory API. If you follow this method, your alarms are categorized under the event source Amazon Web Services. Note: The crawler does not collect composite alarms.
  • SNS topic: You can see all AWS CloudWatch alarms in your Events Explorer by subscribing the alarms to an SNS topic, then forwarding the SNS messages to Datadog. To learn how to receive SNS messages as events in Datadog, see Receive SNS messages. If you follow this method, your alarms are categorized under the event source Amazon SNS.

Data Collected

Metrics

Note: You can enable the collection of custom AWS metrics, as well as metrics from services for which Datadog does not have an integration. See the AWS integration and CloudWatch FAQ for more information.

Events

Events from AWS are collected on a per AWS-service basis. To learn more about collected events, see the documentation for your AWS service.

Tags

The following tags are collected with the AWS integration. Note: Some tags only display on specific metrics.

| Integration | Datadog Tag Keys |
| --- | --- |
| All | region |
| API Gateway | apiid, apiname, method, resource, stage |
| App Runner | instance, serviceid, servicename |
| Auto Scaling | autoscalinggroupname, autoscaling_group |
| Billing | account_id, budget_name, budget_type, currency, servicename, time_unit |
| CloudFront | distributionid |
| CodeBuild | project_name |
| CodeDeploy | application, creator, deployment_config, deployment_group, deployment_option, deployment_type, status |
| DirectConnect | connectionid |
| DynamoDB | globalsecondaryindexname, operation, streamlabel, tablename |
| EBS | volumeid, volume-name, volume-type |
| EC2 | autoscaling_group, availability-zone, image, instance-id, instance-type, kernel, name, security_group_name |
| ECS | clustername, servicename, instance_id |
| EFS | filesystemid |
| ElastiCache | cachenodeid, cache_node_type, cacheclusterid, cluster_name, engine, engine_version, preferred_availability-zone, replication_group |
| ElasticBeanstalk | environmentname, enviromentid |
| ELB | availability-zone, hostname, loadbalancername, name, targetgroup |
| EMR | cluster_name, jobflowid |
| ES | dedicated_master_enabled, ebs_enabled, elasticsearch_version, instance_type, zone_awareness_enabled |
| Firehose | deliverystreamname |
| FSx | filesystemid, filesystemtype |
| Health | event_category, status, service |
| IoT | actiontype, protocol, rulename |
| Kinesis | streamname, name, state |
| KMS | keyid |
| Lambda | functionname, resource, executedversion, memorysize, runtime |
| Machine Learning | mlmodelid, requestmode |
| MQ | broker, queue, topic |
| OpsWorks | stackid, layerid, instanceid |
| Polly | operation |
| RDS | auto_minor_version_upgrade, dbinstanceclass, dbclusteridentifier, dbinstanceidentifier, dbname, engine, engineversion, hostname, name, publicly_accessible, secondary_availability-zone |
| RDS Proxy | proxyname, target, targetgroup, targetrole |
| Redshift | clusteridentifier, latency, nodeid, service_class, stage, wlmid |
| Route 53 | healthcheckid |
| S3 | bucketname, filterid, storagetype |
| SES | Tag keys are custom set in AWS. |
| SNS | topicname |
| SQS | queuename |
| VPC | nategatewayid, vpnid, tunnelipaddress |
| WorkSpaces | directoryid, workspaceid |

Service Checks

Troubleshooting

To troubleshoot issues related to the AWS integration, see the AWS integration troubleshooting guide.

Further Reading

Additional helpful documentation, links, and articles: