AWS Manual Setup Guide

This page is not yet available in French; its translation is in progress.
If you have questions or feedback about our current translation project, feel free to contact us.

Overview

Use this guide to manually set up the Datadog AWS Integration.

Setting up the AWS integration manually involves creating an IAM policy and IAM role in your AWS account, and configuring the role with an AWS External ID generated in your Datadog account. This allows Datadog’s AWS account to query AWS APIs on your behalf, and pull data into your Datadog account. The sections below detail the steps for creating each of these components, and then completing the setup in your Datadog account.

Setup

Generate an external ID

Generate an External ID in the AWS integration tile on the integrations page. This is used in the trust policy of the AWS IAM role you create for Datadog.

  1. Select the Configuration tab, then Role Delegation.
  2. Click Manually. This creates an AWS External ID that is used when configuring the AWS IAM role. For more information about the External ID, see the IAM User Guide.
  3. Copy this value to your clipboard or notepad.
    Note: Do not close the integration tile or the Datadog application page, as this causes the external ID value to reset.

AWS IAM Policy for Datadog

Create an IAM policy for the Datadog role in your AWS account with the necessary permissions to take advantage of every AWS integration offered by Datadog. As other components are added to an integration, these permissions may change.

  1. Create a new policy in the AWS IAM Console.
  2. Select the JSON tab. Paste the permission policies in the textbox.
  3. Click Next: Tags and Review policy.
  4. Name the policy DatadogAWSIntegrationPolicy or one of your own choosing, and provide an apt description.
  5. Click Create policy.

AWS IAM role for Datadog

Create an IAM role for Datadog to use the permissions defined in the IAM policy.

  1. Create a new role in the AWS IAM Console.
  2. Select Another AWS account for the Role Type.
  3. For Account ID, enter 464622532012 (Datadog’s account ID). This means that you are granting Datadog access to your AWS data.
  4. Select Require external ID and enter the External ID generated in the AWS integration tile (see Generate an external ID). Leave Require MFA disabled.
  5. Click Next.
  6. If you’ve already created the policy, search for it on this page and select it. Otherwise, click Create Policy, which opens in a new window, and follow the instructions from AWS IAM Policy for Datadog.
  7. Optionally, attach the AWS SecurityAudit Policy to the role if you would like to use Datadog’s Cloud Security Posture Management product.
  8. Click Next: Tags and Next: Review.
  9. Give the role a name such as DatadogIntegrationRole, as well as an apt description.
  10. Click Create Role.

Complete the setup in Datadog

  1. Return to the AWS integration tile page in your Datadog account that you left open in another tab, and enter your AWS Account ID without dashes, for example: 123456789012. Your Account ID can be found in the ARN of the role created for Datadog.
  2. Enter the name of the created role.
    Note: The role name you enter in the integration tile is case sensitive and must exactly match the role name created on the AWS side.
  3. If you see a Datadog is not authorized to perform sts:AssumeRole error, make sure the sts:ExternalId condition in your AWS trust policy matches the AWS External ID previously generated in the integration tile.
  4. Click Install Integration.
  5. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.
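The role trust policy that the console steps above produce, together with a check for the conditions that cause the sts:AssumeRole error described in the last section. This is an added example, not Datadog's or AWS's code; the Datadog account ID comes from this guide, and the external IDs used in the example are constructed placeholders.

```python
"""Build and check the trust policy for the Datadog integration role."""
import json

DATADOG_ACCOUNT_ID = "464622532012"  # Datadog's AWS account ID, per the guide


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to the console steps: trust Datadog's account,
    require the External ID from the integration tile, and do not require MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{DATADOG_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return the problems that would either produce the 'not authorized to
    perform sts:AssumeRole' error or weaken the trust relationship."""
    problems = []
    stmts = [s for s in policy.get("Statement", [])
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not stmts:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in stmts:
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if not any(DATADOG_ACCOUNT_ID in p for p in principals):
            problems.append("principal is not Datadog's account")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("sts:ExternalId condition missing")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the integration tile")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            problems.append("Require MFA is enabled; Datadog cannot satisfy it")
    return problems
```

Run `check_trust_policy` on the JSON you pasted into the role before clicking Install Integration; an empty list means the trust relationship matches what the tile expects.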

Setup with access keys (GovCloud or China only)

AWS

  1. In your AWS console, create an IAM user to be used by the Datadog integration with the necessary permissions.
  2. Generate an access key and secret key for the Datadog integration IAM user.

For more details, see the AWS documentation on how to use an external ID when granting access to your AWS resources to a third party.

Datadog

  1. Open the AWS integration tile.
  2. Select the Access Keys (GovCloud or China Only) tab.
  3. Enter your AWS Access Key and AWS Secret Key. Only access and secret keys for GovCloud and China are accepted.
  4. Choose the services to collect metrics from on the left side of the dialog.
  5. Optionally, add tags to all hosts and metrics.
  6. Optionally, monitor a subset of EC2 instances by entering AWS tags in the to hosts with tag textbox. Note: This also applies to an instance’s attached EBS volumes.
  7. Optionally, monitor a subset of Lambda functions by entering AWS tags in the to Lambdas with tag textbox.
  8. Click Install Integration.

AWS IAM Permissions

AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events, and other data necessary to monitor your AWS environment.

To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.

AWS Integration IAM Policy

The set of permissions necessary to use all the integrations for individual AWS services.

Some of the permissions in the policy document below use wildcards such as List* and Get*. If you require strict policies, use the complete action names instead and refer to the Amazon API documentation for the respective services.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "apigateway:GET",
                "autoscaling:Describe*",
                "backup:List*",
                "budgets:ViewBudget",
                "cloudfront:GetDistributionConfig",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "codedeploy:List*",
                "codedeploy:BatchGet*",
                "directconnect:Describe*",
                "dynamodb:List*",
                "dynamodb:Describe*",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:List*",
                "elasticmapreduce:Describe*",
                "es:ListTags",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomains",
                "events:CreateEventBus",
                "fsx:DescribeFileSystems",
                "fsx:ListTagsForResource",
                "health:DescribeEvents",
                "health:DescribeEventDetails",
                "health:DescribeAffectedEntities",
                "kinesis:List*",
                "kinesis:Describe*",
                "lambda:GetPolicy",
                "lambda:List*",
                "logs:DeleteSubscriptionFilter",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:DescribeSubscriptionFilters",
                "logs:FilterLogEvents",
                "logs:PutSubscriptionFilter",
                "logs:TestMetricFilter",
                "organizations:Describe*",
                "organizations:List*",
                "rds:Describe*",
                "rds:List*",
                "redshift:DescribeClusters",
                "redshift:DescribeLoggingStatus",
                "route53:List*",
                "s3:GetBucketLogging",
                "s3:GetBucketLocation",
                "s3:GetBucketNotification",
                "s3:GetBucketTagging",
                "s3:ListAllMyBuckets",
                "s3:PutBucketNotification",
                "ses:Get*",
                "sns:List*",
                "sns:Publish",
                "sqs:ListQueues",
                "states:ListStateMachines",
                "states:DescribeStateMachine",
                "support:DescribeTrustedAdvisor*",
                "support:RefreshTrustedAdvisorCheck",
                "tag:GetResources",
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "xray:BatchGetTraces",
                "xray:GetTraceSummaries"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
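A small review helper for the policy document above: it separates the wildcard patterns from fully named actions and flags the actions that change state rather than read it, which is what you want to see before granting the role to a third-party account. This is an added example, not Datadog's or AWS's code; POLICY_JSON is a constructed excerpt of the guide's policy, and the read-only prefix list is an assumption used for classification.

```python
"""Classify the actions granted by the Datadog integration policy."""
import json

# Constructed excerpt of the policy document in this guide.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": [
      "apigateway:GET", "cloudwatch:Get*", "ec2:Describe*",
      "events:CreateEventBus", "logs:DeleteSubscriptionFilter",
      "logs:PutSubscriptionFilter", "s3:PutBucketNotification",
      "sns:Publish", "support:RefreshTrustedAdvisorCheck", "tag:GetResources"
    ]
  }]
}"""

# Assumed action-name prefixes that only read or query state; anything else
# is treated as a state-changing action that deserves a second look.
READ_ONLY_PREFIXES = ("describe", "get", "list", "lookup", "view", "batchget",
                      "filter", "test")


def classify_actions(policy: dict) -> dict:
    """Split the Allow actions into wildcard patterns, read-only actions and
    state-changing actions. A wildcard such as cloudwatch:Get* appears in both
    the wildcard and read_only lists."""
    result = {"wildcard": [], "read_only": [], "mutating": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _, name = action.split(":", 1)
            if "*" in name:
                result["wildcard"].append(action)
            if name.lower().startswith(READ_ONLY_PREFIXES):
                result["read_only"].append(action)
            else:
                result["mutating"].append(action)
    return result


def review(policy_json: str = POLICY_JSON) -> dict:
    """Parse a policy document and return the classification."""
    return classify_actions(json.loads(policy_json))
```

Paste the full policy from this guide into POLICY_JSON to see the complete list of state-changing actions (for example, the logs subscription filter and S3 bucket notification permissions used for log collection) that the role is granted.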

AWS Security Audit Policy

To use Cloud Security Posture Management, attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.