---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# aws_ec2_settings{% #aws_ec2_settings %}

## `account_id`{% #account_id %}

**Type**: `STRING`

## `allowed_amis`{% #allowed_amis %}

**Type**: `STRUCT`
**Provider name**: `GetAllowedImagesSettingsResult`

- `image_criteria`
  **Type**: `UNORDERED_LIST_STRUCT`
  **Provider name**: `ImageCriteria`
  **Description**: The list of criteria for images that are discoverable and usable in the account in the specified Amazon Web Services Region.
  - `image_providers`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `ImageProviders`
    **Description**: A list of AMI providers whose AMIs are discoverable and usable in the account. Up to a total of 200 values can be specified. Possible values:
    - `amazon`: Allow AMIs created by Amazon Web Services.
    - `aws-marketplace`: Allow AMIs created by verified providers in the Amazon Web Services Marketplace.
    - `aws-backup-vault`: Allow AMIs created by Amazon Web Services Backup.
    - 12-digit account ID: Allow AMIs created by this account. One or more account IDs can be specified.
    - `none`: Allow AMIs created by your own account only.
- `managed_by`
  **Type**: `STRING`
  **Provider name**: `ManagedBy`
  **Description**: The entity that manages the Allowed AMIs settings. Possible values include:
  - `account` - The Allowed AMIs settings are managed by the account.
  - `declarative-policy` - The Allowed AMIs settings are managed by a declarative policy and can't be modified by the account.
- `state`
  **Type**: `STRING`
  **Provider name**: `State`
  **Description**: The current state of the Allowed AMIs setting at the account level in the specified Amazon Web Services Region. Possible values:
  - `disabled`: All AMIs are allowed.
  - `audit-mode`: All AMIs are allowed, but the `ImageAllowed` field is set to `true` for an AMI that would be allowed by the current list of criteria if Allowed AMIs were enabled.
  - `enabled`: Only AMIs matching the image criteria are discoverable and available for use.

## `ebs_default_kms_key_id`{% #ebs_default_kms_key_id %}

**Type**: `STRING`
**Provider name**: `KmsKeyId`
**Description**: The Amazon Resource Name (ARN) of the default KMS key for encryption by default.

## `ebs_encryption_by_default`{% #ebs_encryption_by_default %}

**Type**: `BOOLEAN`
**Provider name**: `EbsEncryptionByDefault`
**Description**: Indicates whether encryption by default is enabled.

## `image_block_public_access`{% #image_block_public_access %}

**Type**: `STRUCT`
**Provider name**: `GetImageBlockPublicAccessStateResult`

- `image_block_public_access_state`
  **Type**: `STRING`
  **Provider name**: `ImageBlockPublicAccessState`
  **Description**: The current state of block public access for AMIs at the account level in the specified Amazon Web Services Region. Possible values:
  - `block-new-sharing` - Any attempt to publicly share your AMIs in the specified Region is blocked.
  - `unblocked` - Your AMIs in the specified Region can be publicly shared.
- `managed_by`
  **Type**: `STRING`
  **Provider name**: `ManagedBy`
  **Description**: The entity that manages the state for block public access for AMIs. Possible values include:
  - `account` - The state is managed by the account.
  - `declarative-policy` - The state is managed by a declarative policy and can't be modified by the account.

## `imds_defaults`{% #imds_defaults %}

**Type**: `STRUCT`
**Provider name**: `AccountLevel`
**Description**: The account-level default IMDS settings.

- `http_endpoint`
  **Type**: `STRING`
  **Provider name**: `HttpEndpoint`
  **Description**: Indicates whether the IMDS endpoint for an instance is enabled or disabled. When disabled, the instance metadata can't be accessed.
- `http_put_response_hop_limit`
  **Type**: `INT32`
  **Provider name**: `HttpPutResponseHopLimit`
  **Description**: The maximum number of hops that the metadata token can travel.
- `http_tokens`
  **Type**: `STRING`
  **Provider name**: `HttpTokens`
  **Description**: Indicates whether IMDSv2 is required.
  - `optional` – IMDSv2 is optional, which means that you can use either IMDSv2 or IMDSv1.
  - `required` – IMDSv2 is required, which means that IMDSv1 is disabled, and you must use IMDSv2.
- `instance_metadata_tags`
  **Type**: `STRING`
  **Provider name**: `InstanceMetadataTags`
  **Description**: Indicates whether access to instance tags from the instance metadata is enabled or disabled. For more information, see [Work with instance tags using the instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS) in the Amazon EC2 User Guide.
- `managed_by`
  **Type**: `STRING`
  **Provider name**: `ManagedBy`
  **Description**: The entity that manages the IMDS default settings. Possible values include:
  - `account` - The IMDS default settings are managed by the account.
  - `declarative-policy` - The IMDS default settings are managed by a declarative policy and can't be modified by the account.
- `managed_exception_message`
  **Type**: `STRING`
  **Provider name**: `ManagedExceptionMessage`
  **Description**: The customized exception message that is specified in the declarative policy.

## `serial_console`{% #serial_console %}

**Type**: `STRUCT`
**Provider name**: `GetSerialConsoleAccessStatusResult`

- `managed_by`
  **Type**: `STRING`
  **Provider name**: `ManagedBy`
  **Description**: The entity that manages access to the serial console. Possible values include:
  - `account` - Access is managed by the account.
  - `declarative-policy` - Access is managed by a declarative policy and can't be modified by the account.
- `serial_console_access_enabled`
  **Type**: `BOOLEAN`
  **Provider name**: `SerialConsoleAccessEnabled`
  **Description**: If `true`, access to the EC2 serial console of all instances is enabled for your account. If `false`, access to the EC2 serial console of all instances is disabled for your account.

## `snapshot_block_public_access`{% #snapshot_block_public_access %}

**Type**: `STRUCT`
**Provider name**: `GetSnapshotBlockPublicAccessStateResult`

- `managed_by`
  **Type**: `STRING`
  **Provider name**: `ManagedBy`
  **Description**: The entity that manages the state for block public access for snapshots. Possible values include:
  - `account` - The state is managed by the account.
  - `declarative-policy` - The state is managed by a declarative policy and can't be modified by the account.
- `state`
  **Type**: `STRING`
  **Provider name**: `State`
  **Description**: The current state of block public access for snapshots. Possible values include:
  - `block-all-sharing` - All public sharing of snapshots is blocked. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are not publicly available.
  - `block-new-sharing` - Only new public sharing of snapshots is blocked. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.
  - `unblocked` - Public sharing is not blocked. Users can publicly share snapshots.

## `sse_type`{% #sse_type %}

**Type**: `STRING`
**Provider name**: `SseType`
**Description**: Reserved for future use.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `vpc_block_public_access_exclusions`{% #vpc_block_public_access_exclusions %}

**Type**: `UNORDERED_LIST_STRUCT`
**Provider name**: `VpcBlockPublicAccessExclusions`
**Description**: Details related to the exclusions.

- `creation_timestamp`
  **Type**: `TIMESTAMP`
  **Provider name**: `CreationTimestamp`
  **Description**: When the exclusion was created.
- `deletion_timestamp`
  **Type**: `TIMESTAMP`
  **Provider name**: `DeletionTimestamp`
  **Description**: When the exclusion was deleted.
- `exclusion_id`
  **Type**: `STRING`
  **Provider name**: `ExclusionId`
  **Description**: The ID of the exclusion.
- `internet_gateway_exclusion_mode`
  **Type**: `STRING`
  **Provider name**: `InternetGatewayExclusionMode`
  **Description**: The exclusion mode for internet gateway traffic.
  - `allow-bidirectional`: Allow all internet traffic to and from the excluded VPCs and subnets.
  - `allow-egress`: Allow outbound internet traffic from the excluded VPCs and subnets. Block inbound internet traffic to the excluded VPCs and subnets. Only applies when VPC Block Public Access is set to Bidirectional.
- `last_update_timestamp`
  **Type**: `TIMESTAMP`
  **Provider name**: `LastUpdateTimestamp`
  **Description**: When the exclusion was last updated.
- `reason`
  **Type**: `STRING`
  **Provider name**: `Reason`
  **Description**: The reason for the current exclusion state.
- `resource_arn`
  **Type**: `STRING`
  **Provider name**: `ResourceArn`
  **Description**: The ARN of the exclusion.
- `state`
  **Type**: `STRING`
  **Provider name**: `State`
  **Description**: The state of the exclusion.

## `vpc_block_public_access_options`{% #vpc_block_public_access_options %}

**Type**: `STRUCT`
**Provider name**: `VpcBlockPublicAccessOptions`
**Description**: Details related to the options.

- `aws_account_id`
  **Type**: `STRING`
  **Provider name**: `AwsAccountId`
  **Description**: An Amazon Web Services account ID.
- `aws_region`
  **Type**: `STRING`
  **Provider name**: `AwsRegion`
  **Description**: An Amazon Web Services Region.
- `exclusions_allowed`
  **Type**: `STRING`
  **Provider name**: `ExclusionsAllowed`
  **Description**: Determines if exclusions are allowed. If you have [enabled VPC BPA at the Organization level](https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html#security-vpc-bpa-exclusions-orgs), exclusions may be `not-allowed`. Otherwise, they are `allowed`.
- `internet_gateway_block_mode`
  **Type**: `STRING`
  **Provider name**: `InternetGatewayBlockMode`
  **Description**: The current mode of VPC BPA.
  - `off`: VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
  - `block-bidirectional`: Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
  - `block-ingress`: Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
- `last_update_timestamp`
  **Type**: `TIMESTAMP`
  **Provider name**: `LastUpdateTimestamp`
  **Description**: The last time the VPC BPA mode was updated.
- `managed_by`
  **Type**: `STRING`
  **Provider name**: `ManagedBy`
  **Description**: The entity that manages the state of VPC BPA. Possible values include:
  - `account` - The state is managed by the account.
  - `declarative-policy` - The state is managed by a declarative policy and can't be modified by the account.
- `reason`
  **Type**: `STRING`
  **Provider name**: `Reason`
  **Description**: The reason for the current state.
- `state`
  **Type**: `STRING`
  **Provider name**: `State`
  **Description**: The current state of VPC BPA.
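
As an added example (not Datadog's or AWS's code), the sketch below evaluates one `aws_ec2_settings` record against a hardening baseline built from the field values documented above. The baseline choices, the sample record, the placeholder exclusion ID and the rule that a missing `deletion_timestamp` means the exclusion is still live are all assumptions.

```python
# Added example: this baseline is an assumption, not a Datadog or AWS rule set.
BASELINE = [  # (struct, field, accepted values), using the field names above
    ("allowed_amis", "state", {"enabled"}),
    ("image_block_public_access", "image_block_public_access_state",
     {"block-new-sharing"}),
    ("imds_defaults", "http_tokens", {"required"}),
    ("serial_console", "serial_console_access_enabled", {False}),
    ("snapshot_block_public_access", "state", {"block-all-sharing"}),
    ("vpc_block_public_access_options", "internet_gateway_block_mode",
     {"block-bidirectional", "block-ingress"}),
]

def audit_ec2_settings(record):
    """Return findings as (field path, observed value, managed_by) tuples."""
    findings = []
    if record.get("ebs_encryption_by_default") is not True:
        findings.append(("ebs_encryption_by_default",
                         record.get("ebs_encryption_by_default"), None))
    for struct, field, accepted in BASELINE:
        section = record.get(struct) or {}
        observed = section.get(field)  # None: field missing, reported as a gap
        if observed not in accepted:
            findings.append((f"{struct}.{field}", observed,
                             section.get("managed_by")))
    # Assumption: an exclusion without deletion_timestamp is still live. A live
    # allow-bidirectional exclusion lets inbound internet traffic back in.
    for exc in record.get("vpc_block_public_access_exclusions") or []:
        if (exc.get("internet_gateway_exclusion_mode") == "allow-bidirectional"
                and not exc.get("deletion_timestamp")):
            findings.append(("vpc_block_public_access_exclusions",
                             exc.get("exclusion_id"), None))
    return findings

# Constructed sample record; the exclusion ID is a placeholder.
SAMPLE = {
    "ebs_encryption_by_default": True,
    "allowed_amis": {"state": "audit-mode", "managed_by": "account"},
    "image_block_public_access": {
        "image_block_public_access_state": "block-new-sharing"},
    "imds_defaults": {"http_tokens": "optional",
                      "managed_by": "declarative-policy"},
    "serial_console": {"serial_console_access_enabled": False},
    "snapshot_block_public_access": {"state": "block-new-sharing"},
    "vpc_block_public_access_options": {
        "internet_gateway_block_mode": "block-bidirectional"},
    "vpc_block_public_access_exclusions": [
        {"exclusion_id": "EXAMPLE-1",
         "internet_gateway_exclusion_mode": "allow-bidirectional"}],
}
```

A finding whose third element is `declarative-policy` cannot be remediated from within the account, so it is routed to whoever owns the declarative policy.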
