AWS CloudTrail provides an audit trail for your AWS account. Datadog reads this audit trail and creates events. Search your Datadog events stream for these events or use them for correlation on your dashboards. Here is an example of a CloudTrail event:
Note: The Datadog CloudTrail integration requires events to be collected in a CloudTrail bucket.
Add the following permissions to your Datadog IAM policy to collect AWS CloudTrail metrics. For more information on CloudTrail policies, see the AWS CloudTrail API Reference. CloudTrail also requires some S3 permissions to access the trails. These are required on the CloudTrail bucket only. For more information on Amazon S3 policies, see the Amazon S3 API Reference.
| AWS Permission | Description |
| --- | --- |
| cloudtrail:DescribeTrails | Lists trails and the S3 bucket the trails are stored in. |
| cloudtrail:GetTrailStatus | Skips inactive trails. |
| s3:ListBucket | Lists objects in the CloudTrail bucket to get available trails. |
| s3:GetBucketLocation | Obtains the bucket's region to download trails. |
| s3:GetObject | Fetches available trails. |
| organizations:DescribeOrganization | Returns information about an account's organization (required for org trails). |
Add this policy to your existing main Datadog IAM policy:
Note: The principal ARN is the one listed during the installation process for the main AWS integration. See the Resources section of How AWS CloudTrail works with IAM for more information on CloudTrail resource ARNs. If you are updating your policy (as opposed to adding a new one), you don’t need the SID or the Principal.
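The following is an added example, not Datadog's own policy: it builds a policy document that grants exactly the permissions listed in the table above, with the S3 actions confined to the CloudTrail bucket, and includes a small check you can run against an existing policy to catch S3 grants that are wider than that bucket. The bucket name and the statement IDs are constructed placeholders.

```python
"""Least-privilege IAM policy for the CloudTrail permissions listed above,
plus a check for over-broad S3 grants. Example code (not Datadog's own);
bucket names and statement IDs are assumptions."""
import json

# Actions from the permissions table above, split by the resource they act on.
CLOUDTRAIL_ACTIONS = ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                      "organizations:DescribeOrganization"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]  # act on the bucket itself
OBJECT_ACTIONS = ["s3:GetObject"]                             # acts on objects in it


def cloudtrail_policy(bucket: str) -> dict:
    """Return a policy document whose S3 grants cover only the given bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # "*" here; see the CloudTrail IAM docs referenced above to narrow
            # these to trail ARNs where your setup allows it.
            {"Sid": "CloudTrailRead", "Effect": "Allow",
             "Action": CLOUDTRAIL_ACTIONS, "Resource": "*"},
            {"Sid": "TrailBucket", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "TrailObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def overbroad_s3_grants(policy: dict) -> list:
    """Return (sid, action, resource) for every Allow statement that grants an
    S3 action (or "*") on a wildcard resource instead of the trail bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for act in actions:
            if act == "*" or act.startswith("s3:"):
                for res in resources:
                    if res in ("*", "arn:aws:s3:::*"):
                        findings.append((stmt.get("Sid", ""), act, res))
    return findings


if __name__ == "__main__":
    policy = cloudtrail_policy("example-cloudtrail-bucket")  # constructed name
    print(json.dumps(policy, indent=2))
    print("over-broad S3 grants:", overbroad_s3_grants(policy))
```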
Install the Datadog - AWS CloudTrail integration:
On the integration tile, choose the types of events to show as normal priority (the default filter) in the Datadog events stream. The accounts you configured in the Amazon Web Services tile are also shown here. If you would like to see other events that are not mentioned here, contact Datadog support.
Log collection
Enable logging
When you define your Trails, select an S3 bucket to write the logs in:
Once the Lambda function is installed, manually add a trigger on the S3 bucket that contains your CloudTrail logs. In the AWS console, in your Lambda, click on S3 in the trigger list:
Configure your trigger by choosing the S3 bucket that contains your CloudTrail logs, change the event type to Object Created (All), then click Add:
The AWS CloudTrail integration does not include any metrics.
Events
The AWS CloudTrail integration creates many different events based on the AWS CloudTrail audit trail. All events are tagged with #cloudtrail in your Datadog events stream. You can set their priority in the integration configuration.
CloudTrail events that can be set to a normal priority (they appear in the Event Stream under the default filter):
apigateway
autoscaling
cloudformation
cloudfront
cloudsearch
cloudtrail
codedeploy
codepipeline
config
datapipeline
ds
ec2
ecs
elasticache
elasticbeanstalk
elasticfilesystem
elasticloadbalancing
elasticmapreduce
iam
kinesis
lambda
monitoring
opsworks
rds
redshift
route53
s3
ses
signin
ssm
Service Checks
The AWS CloudTrail integration does not include any service checks.
Troubleshooting
The CloudTrail tile is missing or there are no accounts listed
You need to first configure the Amazon Web Services tile. Then the CloudTrail tile can be configured.