Resource Catalog Policies are in Preview.

Overview

The Resource Catalog page showing the Policies tab and list of custom policies

With Resource Catalog Policies, you can define policies that describe the desired configuration of your infrastructure resources, based on your organization's governance best practices. Examples include improving ownership tag coverage on resources or ensuring that versioning on critical resources is up to date. Instead of requiring you to write custom scripts or Lambdas that scan every resource, Datadog gives you visibility into problematic resources so that you can focus on remediation.

Specifically, you can:

  • Define a custom policy, which involves choosing a resource type, the attribute on the resource type, and target values the attribute should have.
  • Define a tagging policy, which involves a resource type and the desired tag key and value the resource type should have.
  • Access a dedicated view for each policy where you can see its list of non-compliant resources and compliance score.
  • Filter, group, and export the list of non-compliant resources for a policy so you can prioritize and assign the work.

Create a custom policy

A custom policy reflecting a compliance score of 75%.

Custom policies require specific values in your cloud resource attributes within Datadog based on your organization’s infrastructure best practices.

To create a custom policy:

  1. Navigate to Infrastructure > Resource Catalog and click the Policies tab.
  2. Click the New Custom Policy button.
  3. Select a resource type from the dropdown menu.
  4. Optionally, search for additional dataset filters, such as env:prod to only include resources in production.
  5. Select a target resource attribute and desired value.
  6. Optionally, add instructions for remediation.
  7. A name is automatically generated based on the data entered, but you can modify it.
  8. Click Create Custom Policy.

Click the new policy to review all non-compliant resources and filter them by region, environment, account, service, or team. You can also group them by attributes or tags.

Selecting values for your target attribute

Custom policies let you define a target resource attribute and a desired value, providing flexibility in creating policies for your cloud resources without requiring complex query languages. The following features are available:

  • Access data in nested attributes: Validate more of your configurations (for example, require that TLS 1.2, which is data stored in a multi-level property, is used for Amazon CloudFront).
  • Use advanced condition matching: Use operators like >, <, or != (for example, enforcing Kubernetes version > 1.25).
  • Use multi-attribute logic: Chain multiple attributes in one policy (for example, require AWS CloudTrail logging and multi-region to be enabled).
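
The three capabilities above (nested attributes, comparison operators, chained conditions), sketched as an added example; this is not Datadog's implementation or API. The attribute names, the (path, operator, target, kind) condition tuples, treating a missing attribute as non-compliant, and the score as the percentage of compliant resources are all assumptions, and versions are assumed to be purely numeric dotted strings.

```python
import operator

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def get_path(resource, path):
    """Follow a dotted path into nested dicts; None if any level is missing."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def as_version(value):
    """Turn '1.9' into (1, 9) so versions compare numerically, not as text."""
    return tuple(int(part) for part in str(value).split("."))

def check(resource, cond):
    """Evaluate one (path, op, target, kind) condition against a resource."""
    path, op, target, kind = cond
    actual = get_path(resource, path)
    if actual is None:  # assumption: a missing attribute is non-compliant
        return False
    if kind == "version":
        actual, target = as_version(actual), as_version(target)
    return OPS[op](actual, target)

def evaluate(resources, conditions):
    """All conditions must hold (AND). Returns (non-compliant ids, score %)."""
    failing = [r["id"] for r in resources
               if not all(check(r, c) for c in conditions)]
    score = 100.0 * (len(resources) - len(failing)) / len(resources) if resources else 100.0
    return failing, score

# Constructed sample data; attribute names are hypothetical.
TRAILS = [
    {"id": "trail-a", "logging": {"enabled": True}, "is_multi_region": True},
    {"id": "trail-b", "logging": {"enabled": True}, "is_multi_region": False},
    {"id": "trail-c", "logging": {"enabled": False}, "is_multi_region": True},
    {"id": "trail-d", "is_multi_region": True},
]
TRAIL_POLICY = [("logging.enabled", "==", True, "plain"),
                ("is_multi_region", "==", True, "plain")]
CLUSTERS = [{"id": "k8s-1", "version": "1.9"}, {"id": "k8s-2", "version": "1.27"},
            {"id": "k8s-3", "version": "1.25"}, {"id": "k8s-4", "version": "1.30"}]
CLUSTER_POLICY = [("version", ">", "1.25", "version")]

print(evaluate(TRAILS, TRAIL_POLICY))      # (['trail-b', 'trail-c', 'trail-d'], 25.0)
print(evaluate(CLUSTERS, CLUSTER_POLICY))  # (['k8s-1', 'k8s-3'], 50.0)
```

Comparing the version strings as text would rank "1.9" above "1.25" and let k8s-1 pass, which is why the sketch converts them to integer tuples first.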

Create a tagging policy

Tagging policies require specific tag keys and tag value formats on your infrastructure resources across Datadog.

To create a tagging policy:

  1. Navigate to Infrastructure > Resource Catalog and click the Policies tab.
  2. Click the New Tagging Policy button.
  3. Choose the resource types the policy applies to.
  4. Define the required tag key and its allowed values.
  5. A name is automatically generated based on the data entered, but you can modify it.
  6. Click Create Tagging Policy.

Click the new policy to review all non-compliant resources and filter them by cloud, region, environment, account, service, team, or tag. You can also group them by attributes or tags.

Updating policies

To update a policy, click the policy, then click the Edit button and modify as needed.

Deleting policies

To delete a custom or tagging policy, click the policy, then click the Delete button.

Exporting policies

To export the list of non-compliant resources for a policy, click the policy, then click the Export as CSV button.
