---
title: AWS Config
description: >-
  AWS Config allows you to audit and evaluate configuration of your AWS
  resources.
---

# AWS Config

Integration version 1.1.0

## Overview{% #overview %}

[AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

Enable this integration to see all your AWS Config metrics in Datadog. Use Events to monitor changes to your configurations detected by AWS Config.

## Setup{% #setup %}

### Installation{% #installation %}

If you haven't already, set up the [Amazon Web Services integration](https://docs.datadoghq.com/integrations/amazon_web_services.md) first.

### Resource changes collection{% #resource-changes-collection %}

{% callout %}
##### Join the Preview!

**Resource changes collection** is in Preview, but you can easily request access! Use this form to submit your request today.

[Request Access](https://www.datadoghq.com/product-preview/recent-changes-tab/)
{% /callout %}

You can receive events in Datadog when AWS Config detects changes to your configuration snapshots and history. Create and configure the necessary resources with the [CloudFormation](https://docs.aws.amazon.com/cloudformation/) stack below, or manually set up an [Amazon Data Firehose](https://aws.amazon.com/firehose/) to forward your AWS Config events.

{% tab title="Terraform" %}
You can use the [config-changes-datadog Terraform module](https://registry.terraform.io/modules/DataDog/config-changes-datadog/aws/latest) to start sharing your AWS Config data with Datadog. See the [terraform-aws-config-changes-datadog repo](https://github.com/DataDog/terraform-aws-config-changes-datadog?tab=readme-ov-file#aws-config-change-streaming-module) for an example to get started, as well as detailed descriptions for each parameter you can specify.
{% /tab %}

{% tab title="CloudFormation" %}
[Launch the CloudFormation stack](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?stackName=datadog-aws-config-stream&templateURL=https://datadog-cloudformation-template.s3.amazonaws.com/aws/main_config_stream.yaml)

**Note**: If your Datadog account is **not** located in the US1 [Datadog site](https://docs.datadoghq.com/getting_started/site.md), select the `DatadogSite` value that corresponds to your Datadog site:

| Datadog Site | **DatadogSite** value |
| ------------ | --------------------- |
| EU           | datadoghq.eu          |
| US3          | us3.datadoghq.com     |
| US5          | us5.datadoghq.com     |
| AP1          | ap1.datadoghq.com     |

{% /tab %}

{% tab title="Manual" %}
Follow these steps to manually set up AWS Config event forwarding through Amazon Data Firehose.

#### Prerequisites{% #prerequisites %}

1. An AWS account integrated with Datadog.
   - The Datadog integration IAM role must have the `s3:GetObject` permission on the bucket that holds the AWS Config data.
1. An [SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) is set up to receive the AWS Config events.
1. An [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) is set up to receive events larger than 256 kB as a backup.
1. An [Access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) is set up. Ensure you have your Datadog API key.

#### Create an Amazon Data Firehose stream{% #create-an-amazon-data-firehose-stream %}

1. In the AWS Console, click **Create Firehose stream**.
   - For the **Source**, select `Direct PUT`.
   - For the **Destination**, select `Datadog`.
1. In the **Destination settings** section, choose the **HTTP endpoint URL** that corresponds to your [Datadog site](https://docs.datadoghq.com/getting_started/site.md):

| Datadog Site | Destination URL                                                                                       |
| ------------ | ----------------------------------------------------------------------------------------------------- |
| US1          | `https://cloudplatform-intake.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose`     |
| US3          | `https://cloudplatform-intake.us3.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose` |
| US5          | `https://cloudplatform-intake.us5.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose` |
| EU           | `https://cloudplatform-intake.datadoghq.eu/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose`      |
| AP1          | `https://cloudplatform-intake.ap1.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose` |

1. For **Authentication**, enter your [Datadog API key](https://app.datadoghq.com/organization-settings/api-keys) value or select an AWS Secrets Manager secret containing the value.
1. For **Content encoding**, enter `GZIP`.
1. For **Retry duration**, enter `300`.
1. Click **Add parameter**.
   - For the **Key**, enter `dd-s3-bucket-auth-account-id`.
   - For the **Value**, enter your 12-digit AWS account ID.
1. Under **Buffer hints**, set the **Buffer size** to `4 MiB`.
1. Under **Backup settings**, select an S3 backup bucket.
1. Click **Create Firehose stream**.

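
To check an existing stream against the settings in the steps above, the following added example (not part of the Datadog documentation or any Datadog tooling) audits the `DeliveryStreamDescription` structure returned by the Firehose `DescribeDeliveryStream` API. The function name, finding strings, and sample data are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Intake hosts taken from the Destination URL table above.
INTAKE_HOSTS = {"cloudplatform-intake." + d for d in (
    "datadoghq.com", "us3.datadoghq.com", "us5.datadoghq.com",
    "datadoghq.eu", "ap1.datadoghq.com")}
ACCOUNT_ATTR = "dd-s3-bucket-auth-account-id"

def audit_stream(desc):
    """Return a list of deviations from the documented stream settings."""
    findings = []
    if desc.get("DeliveryStreamType") != "DirectPut":
        findings.append("source is not Direct PUT")
    dests = [d["HttpEndpointDestinationDescription"] for d in desc.get("Destinations", [])
             if "HttpEndpointDestinationDescription" in d]
    if not dests:
        return findings + ["no HTTP endpoint destination"]
    dest = dests[0]
    url = urlsplit(dest.get("EndpointConfiguration", {}).get("Url", ""))
    if (url.scheme != "https" or url.hostname not in INTAKE_HOSTS
            or url.path != "/api/v2/cloudchanges"
            or url.query != "dd-protocol=aws-kinesis-firehose"):
        findings.append("endpoint URL is not a Datadog cloudchanges intake URL")
    req = dest.get("RequestConfiguration", {})
    if req.get("ContentEncoding") != "GZIP":
        findings.append("content encoding is not GZIP")
    attrs = {a["AttributeName"]: a["AttributeValue"] for a in req.get("CommonAttributes", [])}
    # The account ID is matched as a string so leading zeros are preserved.
    if not re.fullmatch(r"\d{12}", attrs.get(ACCOUNT_ATTR, "")):
        findings.append(ACCOUNT_ATTR + " is missing or not a 12-digit account ID")
    if dest.get("RetryOptions", {}).get("DurationInSeconds") != 300:
        findings.append("retry duration is not 300")
    if dest.get("BufferingHints", {}).get("SizeInMBs") != 4:
        findings.append("buffer size is not 4 MiB")
    if not dest.get("S3DestinationDescription", {}).get("BucketARN"):
        findings.append("no S3 backup bucket")
    return findings

# Constructed sample: endpoint host not in the table, account-ID parameter absent.
SAMPLE = {"DeliveryStreamType": "DirectPut", "Destinations": [{
    "HttpEndpointDestinationDescription": {
        "EndpointConfiguration": {"Url": "https://intake.example.net/api/v2/cloudchanges"},
        "RequestConfiguration": {"ContentEncoding": "GZIP", "CommonAttributes": []},
        "RetryOptions": {"DurationInSeconds": 300},
        "BufferingHints": {"SizeInMBs": 4},
        "S3DestinationDescription": {"BucketARN": "arn:aws:s3:::example-config-backup"}}}]}

print(audit_stream(SAMPLE))
```

With boto3, the input is `describe_delivery_stream(DeliveryStreamName=...)["DeliveryStreamDescription"]`; an empty result means the stream matches the documented settings.
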
#### Configure delivery methods for AWS Config{% #configure-delivery-methods-for-aws-config %}

1. On the [AWS Config page](https://console.aws.amazon.com/config/home), open the left side panel and click **Settings**.
1. Click **Edit**.
1. In the **Delivery method** section, select or create the S3 bucket for receiving events larger than 256 kB as a backup.
1. Click the checkbox under **Amazon SNS topic**, and select or create the SNS topic for receiving AWS Config events.
1. Click **Save**.

#### Subscribe the Amazon Data Firehose stream to an SNS topic{% #subscribe-the-amazon-data-firehose-stream-to-an-sns-topic %}

1. Follow the steps on the [SNS Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/firehose-endpoints-subscribe.html). Ensure that the **Subscription role** has the following permissions:
   - `firehose:DescribeDeliveryStream`
   - `firehose:ListDeliveryStreams`
   - `firehose:ListTagsForDeliveryStream`
   - `firehose:PutRecord`
   - `firehose:PutRecordBatch`
1. Confirm that data is flowing to Datadog on the **Monitoring** tab of the Firehose.

{% /tab %}

### Metric collection{% #metric-collection %}

1. In the [AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services), ensure that `Config` is enabled under the `Metric Collection` tab.
1. Install the [Datadog - AWS Config integration](https://app.datadoghq.com/integrations/amazon-config).

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

| Metric | Description |
| ------ | ----------- |
| **aws.config.configuration\_recorder\_insufficient\_permissions\_failure** (count) | The number of failed permission access attempts due to the IAM role policy for the configuration recorder having insufficient permissions |
| **aws.config.configuration\_items\_recorded** (count) | The number of configuration items recorded for each resource type or all resource types. *Shown as item* |
| **aws.config.config\_history\_export\_failed** (count) | The number of failed configuration history exports to your Amazon S3 bucket |
| **aws.config.config\_snapshot\_export\_failed** (count) | The number of failed configuration snapshot exports to your Amazon S3 bucket |
| **aws.config.change\_notifications\_delivery\_failed** (count) | The number of failed change notification deliveries to the Amazon SNS topic for your delivery channel |
| **aws.config.compliance\_score** (gauge) | The percentage of compliant rule-resource combinations in a conformance pack compared to total possible rule-resource combinations. *Shown as percent* |

#### Validation{% #validation %}

Inspect configuration changes with the **Recent Changes** tab available in the resource's side panel on the [Resource Catalog](https://docs.datadoghq.com/infrastructure/resource_catalog.md). You can also go to the [Event Management page](https://app.datadoghq.com/event/overview) and query for `source:amazon_config` to validate that data is flowing into your Datadog account.

### Service Checks{% #service-checks %}

The AWS Config integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
