Overview
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account.
This includes how the resources are related to one another and how they were configured in the past
so that you can see how the configurations and relationships change over time.
Enable this integration to see all your AWS Config metrics in Datadog. Use Events to monitor changes to your configurations detected by AWS Config.
Setup
Installation
If you haven’t already, set up the Amazon Web Services integration first.
Resource changes collection
Resource changes collection is in Preview; use Datadog's request form to ask for access.
You can receive events in Datadog when AWS Config detects changes to your configuration snapshots and history. Create and configure the necessary resources with the CloudFormation stack below, or manually set up an Amazon Data Firehose to forward your AWS Config events.
Note: If your Datadog account is not located in the US1 Datadog site, select the DatadogSite value that corresponds to your Datadog site:

| Datadog Site | DatadogSite value |
|---|---|
| EU | datadoghq.eu |
| US3 | us3.datadoghq.com |
| US5 | us5.datadoghq.com |
| AP1 | ap1.datadoghq.com |
Follow these steps to manually set up AWS Config event forwarding through Amazon Data Firehose.
Prerequisites
- An AWS account integrated with Datadog.
- The Datadog integration IAM role must have the s3:GetObject permission on the bucket that holds the Config data.
- An SNS topic set up to receive the AWS Config events.
- An S3 bucket set up to receive events larger than 256 kB, and to serve as a backup.
- Your Datadog API key at hand; the Firehose destination uses it to authenticate to Datadog.
Create an Amazon Data Firehose stream
- In the AWS Console, click Create Firehose stream.
- For the Source, select Direct PUT.
- For the Destination, select Datadog.
- In the Destination settings section, choose the HTTP endpoint URL that corresponds to your Datadog site:

| Datadog Site | Destination URL |
|---|---|
| US1 | https://cloudplatform-intake.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
| US3 | https://cloudplatform-intake.us3.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
| US5 | https://cloudplatform-intake.us5.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
| EU | https://cloudplatform-intake.datadoghq.eu/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |
| AP1 | https://cloudplatform-intake.ap1.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose |

- For Authentication, enter your Datadog API key value, or select an AWS Secrets Manager secret containing it. The Secrets Manager option keeps the key out of the stream definition and is the better choice for production accounts.
- For Content encoding, enter GZIP.
- For Retry duration, enter 300.
- Click Add parameter.
- For the Key, enter dd-s3-bucket-auth-account-id.
- For the Value, enter your 12-digit AWS account ID.
- Under Buffer hints, set the Buffer size to 4 MiB.
- Under Backup settings, select an S3 backup bucket.
- Click Create Firehose stream.
- On the AWS Config page, open the left side panel and click Settings.
- Click Edit.
- In the Delivery method section, select or create the S3 bucket for receiving events larger than 256 kB as a backup.
- Select the checkbox under Amazon SNS topic, and select or create the SNS topic for receiving AWS Config events.
- Click Save.
Subscribe the Amazon Data Firehose stream to an SNS topic
- Follow the steps on the SNS Developer Guide. Ensure that the Subscription role has the following permissions:
  - firehose:DescribeDeliveryStream
  - firehose:ListDeliveryStreams
  - firehose:ListTagsForDeliveryStream
  - firehose:PutRecord
  - firehose:PutRecordBatch

  Grant the stream-level actions on the ARN of the Firehose stream you created rather than on every stream in the account. firehose:ListDeliveryStreams is the exception: it does not support resource-level permissions, so it is the one action that has to be granted on Resource "*".
- Confirm that data is flowing to Datadog on the Monitoring tab of the Firehose stream.
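The steps above are console clicks, so the shape of what they produce is easy to lose track of. The following is an added example (not Datadog's or AWS's own code) that builds the same pieces as plain Python dicts: the least-privilege policy for the SNS subscription role, the Firehose HTTP-endpoint destination settings with the page's values (site endpoint, GZIP, 300 s retry, 4 MiB buffer, the dd-s3-bucket-auth-account-id parameter, S3 backup), and an audit that flags a wildcard or over-broad subscription policy. The destination dict follows the field names boto3's firehose.create_delivery_stream uses for HttpEndpointDestinationConfiguration and SecretsManagerConfiguration; that shape, the 60 s buffer interval, and all ARNs and the account ID in the sample are assumptions, not values from the page, and nothing here talks to AWS.

```python
"""Build and audit the AWS-side pieces of the AWS Config -> SNS -> Firehose -> Datadog path.

Added example, not Datadog's or AWS's code; plain dicts, so it runs offline. The Firehose
dict follows the shape boto3's firehose.create_delivery_stream takes for
HttpEndpointDestinationConfiguration (assumption: not validated against AWS here).
"""
import json
import re

# Datadog intake hosts per site, from the destination table above.
DATADOG_SITES = {
    "US1": "cloudplatform-intake.datadoghq.com",
    "US3": "cloudplatform-intake.us3.datadoghq.com",
    "US5": "cloudplatform-intake.us5.datadoghq.com",
    "EU": "cloudplatform-intake.datadoghq.eu",
    "AP1": "cloudplatform-intake.ap1.datadoghq.com",
}
INTAKE_PATH = "/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose"

# Actions the SNS subscription role needs. Four can be scoped to one stream;
# ListDeliveryStreams has no resource-level permissions and must use Resource "*".
STREAM_ACTIONS = ("firehose:DescribeDeliveryStream", "firehose:ListTagsForDeliveryStream",
                  "firehose:PutRecord", "firehose:PutRecordBatch")
LIST_ACTION = "firehose:ListDeliveryStreams"
REQUIRED_ACTIONS = STREAM_ACTIONS + (LIST_ACTION,)

_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
_STREAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:firehose:[a-z0-9-]+:\d{12}:deliverystream/[\w.-]+$")


def datadog_endpoint(site):
    """Firehose destination URL for a Datadog site name such as 'US1' or 'eu'."""
    host = DATADOG_SITES.get(site.upper())
    if host is None:
        raise ValueError(f"unknown Datadog site {site!r}; expected one of {sorted(DATADOG_SITES)}")
    return f"https://{host}{INTAKE_PATH}"


def sns_subscription_policy(stream_arn):
    """Least-privilege IAM policy for the SNS subscription role, scoped to one stream."""
    if not _STREAM_ARN_RE.match(stream_arn):
        raise ValueError(f"not a Firehose delivery stream ARN: {stream_arn!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StreamScoped", "Effect": "Allow", "Action": list(STREAM_ACTIONS), "Resource": stream_arn},
        {"Sid": "ListStreams", "Effect": "Allow", "Action": [LIST_ACTION], "Resource": "*"},
    ]}


def firehose_destination(site, account_id, firehose_role_arn, backup_bucket_arn, api_key_secret_arn):
    """HttpEndpointDestinationConfiguration with the settings from the steps above; the
    Datadog API key is referenced from Secrets Manager rather than pasted into the stream."""
    if not _ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be the 12-digit AWS account ID")
    return {
        "EndpointConfiguration": {"Url": datadog_endpoint(site), "Name": "Datadog"},
        "SecretsManagerConfiguration": {"Enabled": True, "SecretARN": api_key_secret_arn,
                                        "RoleARN": firehose_role_arn},
        "RequestConfiguration": {"ContentEncoding": "GZIP", "CommonAttributes": [
            {"AttributeName": "dd-s3-bucket-auth-account-id", "AttributeValue": account_id}]},
        "BufferingHints": {"SizeInMBs": 4, "IntervalInSeconds": 60},  # 4 MiB per the steps; interval assumed
        "RetryOptions": {"DurationInSeconds": 300},
        "S3BackupMode": "FailedDataOnly",
        "S3Configuration": {"RoleARN": firehose_role_arn, "BucketARN": backup_bucket_arn},
        "RoleARN": firehose_role_arn,
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Findings for a subscription-role policy: over-broad actions, wildcard
    resources on stream-level actions, and required actions that are missing."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
        granted.update(actions)
        for act in actions:
            if act not in REQUIRED_ACTIONS:
                findings.append(f"{sid}: action {act!r} is not needed for SNS -> Firehose")
        wildcard = any(r == "*" or r.endswith(":*") or r.endswith("/*") for r in resources)
        if wildcard and set(actions) != {LIST_ACTION}:
            findings.append(f"{sid}: wildcard Resource lets SNS write to every stream in the account")
    findings += [f"missing required action {a!r}" for a in REQUIRED_ACTIONS if a not in granted]
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers, not real resources.
    stream = "arn:aws:firehose:us-east-1:123456789012:deliverystream/datadog-aws-config"
    print(json.dumps(sns_subscription_policy(stream), indent=2))
    print(audit_policy({"Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                                        "Action": "firehose:*", "Resource": "*"}]}))
```

Run the audit against the policy actually attached to the subscription role: a `firehose:*` on `*` is the common shortcut and is flagged twice (unneeded action, wildcard on stream-level actions), while a correctly scoped policy produces no findings. The subscription role additionally needs a trust policy that lets sns.amazonaws.com assume it, which this example does not generate.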
Metric collection
- In the AWS integration page, ensure that Config is enabled under the Metric Collection tab.
- Install the Datadog - AWS Config integration.
Data Collected
Metrics
| Metric | Type | Unit | Description |
|---|---|---|---|
| aws.config.change_notifications_delivery_failed | count | | The number of failed change notification deliveries to the Amazon SNS topic for your delivery channel |
| aws.config.compliance_score | gauge | percent | The percentage of compliant rule-resource combinations in a conformance pack compared to the total possible rule-resource combinations |
| aws.config.config_history_export_failed | count | | The number of failed configuration history exports to your Amazon S3 bucket |
| aws.config.config_snapshot_export_failed | count | | The number of failed configuration snapshot exports to your Amazon S3 bucket |
| aws.config.configuration_items_recorded | count | item | The number of configuration items recorded for each resource type or for all resource types |
| aws.config.configuration_recorder_insufficient_permissions_failure | count | | The number of failed permission access attempts due to the IAM role policy for the configuration recorder having insufficient permissions |

A nonzero value for any of the failure metrics means AWS Config is dropping data before it reaches the SNS topic, the S3 bucket, or the recorder, so the change feed in Datadog goes quiet rather than reporting an error. Alert on these metrics in addition to watching the change events themselves.
Events
The AWS Config integration collects events related to AWS resource changes.
Validation
Inspect configuration changes with the Recent Changes tab available in the resource's side panel on the Resource Catalog. You can also go to the Event Management page and query for source:amazon_config to validate that data is flowing into your Datadog account.
Service Checks
The AWS Config integration does not include any service checks.
Troubleshooting
Need help? Contact Datadog support.
Further Reading
Additional helpful documentation, links, and articles: