Use one of the following methods to integrate your AWS accounts into Datadog for metric, event, tag, and log collection.
AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events, and other data necessary to monitor your AWS environment.
To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.
The following policy grants the set of permissions necessary to use all the integrations for individual AWS services.
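The following permissions included in the policy document use wildcards such as `List*` and `Get*`. If you require strict policies, use the complete action names as listed and reference the Amazon API documentation for your respective services. The policy is not limited to read actions: it also allows `events:CreateEventBus`, `logs:PutSubscriptionFilter`, `logs:DeleteSubscriptionFilter`, `s3:PutBucketNotification`, and `sns:Publish`, all with `"Resource": "*"`, so review these entries when scoping the role to least privilege.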
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"account:GetAccountInformation",
"account:GetContactInformation",
"airflow:GetEnvironment",
"airflow:ListEnvironments",
"amplify:ListApps",
"amplify:ListArtifacts",
"amplify:ListBackendEnvironments",
"amplify:ListBranches",
"amplify:ListDomainAssociations",
"amplify:ListJobs",
"amplify:ListWebhooks",
"aoss:BatchGetCollection",
"aoss:ListCollections",
"apigateway:GET",
"apigateway:GetRestApis",
"apigateway:GetStages",
"appstream:DescribeAppBlockBuilders",
"appstream:DescribeAppBlocks",
"appstream:DescribeApplications",
"appstream:DescribeFleets",
"appstream:DescribeImageBuilders",
"appstream:DescribeImages",
"appstream:DescribeStacks",
"aps:DescribeRuleGroupsNamespace",
"aps:DescribeScraper",
"aps:DescribeWorkspace",
"aps:ListRuleGroupsNamespaces",
"aps:ListScrapers",
"aps:ListWorkspaces",
"autoscaling:Describe*",
"backup:List*",
"batch:DescribeJobQueues",
"batch:DescribeSchedulingPolicies",
"batch:ListSchedulingPolicies",
"bcm-data-exports:GetExport",
"bcm-data-exports:ListExports",
"bedrock:GetAgent",
"bedrock:GetAgentActionGroup",
"bedrock:GetAgentAlias",
"bedrock:GetAsyncInvoke",
"bedrock:GetBlueprint",
"bedrock:GetDataSource",
"bedrock:GetEvaluationJob",
"bedrock:GetFlow",
"bedrock:GetFlowAlias",
"bedrock:GetFlowVersion",
"bedrock:GetFoundationModel",
"bedrock:GetGuardrail",
"bedrock:GetImportedModel",
"bedrock:GetInferenceProfile",
"bedrock:GetIngestionJob",
"bedrock:GetKnowledgeBase",
"bedrock:GetMarketplaceModelEndpoint",
"bedrock:GetModelCopyJob",
"bedrock:GetModelCustomizationJob",
"bedrock:GetModelInvocationJob",
"bedrock:GetPrompt",
"bedrock:ListAgentActionGroups",
"bedrock:ListAgentAliases",
"bedrock:ListAgentCollaborators",
"bedrock:ListAgentVersions",
"bedrock:ListAgents",
"bedrock:ListAsyncInvokes",
"bedrock:ListBlueprints",
"bedrock:ListDataSources",
"bedrock:ListEvaluationJobs",
"bedrock:ListFlowAliases",
"bedrock:ListFlows",
"bedrock:ListFoundationModels",
"bedrock:ListGuardrails",
"bedrock:ListImportedModels",
"bedrock:ListInferenceProfiles",
"bedrock:ListIngestionJobs",
"bedrock:ListKnowledgeBaseDocuments",
"bedrock:ListKnowledgeBases",
"bedrock:ListMarketplaceModelEndpoints",
"bedrock:ListModelCopyJobs",
"bedrock:ListModelCustomizationJobs",
"bedrock:ListModelInvocationJobs",
"bedrock:ListPromptRouters",
"bedrock:ListPrompts",
"bedrock:ListProvisionedModelThroughputs",
"budgets:ViewBudget",
"cassandra:Select",
"cloudfront:GetDistributionConfig",
"cloudfront:ListDistributions",
"cloudhsm:DescribeBackups",
"cloudhsm:DescribeClusters",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTrails",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codeartifact:DescribeDomain",
"codeartifact:DescribePackageGroup",
"codeartifact:DescribeRepository",
"codeartifact:ListDomains",
"codeartifact:ListPackageGroups",
"codeartifact:ListPackages",
"codedeploy:BatchGet*",
"codedeploy:List*",
"codepipeline:ListWebhooks",
"connect:DescribeAgentStatus",
"connect:DescribeAuthenticationProfile",
"connect:DescribeContactFlow",
"connect:DescribeContactFlowModule",
"connect:DescribeHoursOfOperation",
"connect:DescribeInstance",
"connect:DescribeQueue",
"connect:DescribeQuickConnect",
"connect:DescribeRoutingProfile",
"connect:DescribeSecurityProfile",
"connect:DescribeUser",
"connect:ListAgentStatuses",
"connect:ListAuthenticationProfiles",
"connect:ListContactFlowModules",
"connect:ListContactFlows",
"connect:ListHoursOfOperations",
"connect:ListQueues",
"connect:ListQuickConnects",
"connect:ListRoutingProfiles",
"connect:ListSecurityProfiles",
"connect:ListUsers",
"controltower:GetLandingZone",
"controltower:ListEnabledBaselines",
"controltower:ListEnabledControls",
"controltower:ListLandingZones",
"cur:DescribeReportDefinitions",
"datazone:GetDomain",
"datazone:ListDomains",
"deadline:GetBudget",
"deadline:GetLicenseEndpoint",
"deadline:GetQueue",
"deadline:ListBudgets",
"deadline:ListFarms",
"deadline:ListFleets",
"deadline:ListLicenseEndpoints",
"deadline:ListMonitors",
"deadline:ListQueues",
"deadline:ListWorkers",
"directconnect:Describe*",
"dlm:GetLifecyclePolicies",
"dlm:GetLifecyclePolicy",
"docdb-elastic:GetCluster",
"docdb-elastic:GetClusterSnapshot",
"docdb-elastic:ListClusterSnapshots",
"drs:DescribeJobs",
"drs:DescribeLaunchConfigurationTemplates",
"drs:DescribeRecoveryInstances",
"drs:DescribeReplicationConfigurationTemplates",
"drs:DescribeSourceNetworks",
"drs:DescribeSourceServers",
"dsql:GetCluster",
"dsql:ListClusters",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"ec2:GetAllowedImagesSettings",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetInstanceMetadataDefaults",
"ec2:GetSerialConsoleAccessStatus",
"ec2:GetSnapshotBlockPublicAccessState",
"ec2:GetVerifiedAccessEndpointPolicy",
"ec2:GetVerifiedAccessEndpointTargets",
"ec2:GetVerifiedAccessGroupPolicy",
"ecs:Describe*",
"ecs:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"emr-containers:ListManagedEndpoints",
"emr-containers:ListSecurityConfigurations",
"emr-containers:ListVirtualClusters",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames",
"es:ListTags",
"events:CreateEventBus",
"fsx:DescribeFileSystems",
"fsx:ListTagsForResource",
"glacier:GetVaultNotifications",
"glue:ListRegistries",
"grafana:DescribeWorkspace",
"greengrass:GetComponent",
"greengrass:GetConnectivityInfo",
"greengrass:GetCoreDevice",
"greengrass:GetDeployment",
"health:DescribeAffectedEntities",
"health:DescribeEventDetails",
"health:DescribeEvents",
"iam:ListAccountAliases",
"imagebuilder:GetContainerRecipe",
"imagebuilder:GetDistributionConfiguration",
"imagebuilder:GetImageRecipe",
"imagebuilder:GetInfrastructureConfiguration",
"imagebuilder:GetLifecyclePolicy",
"imagebuilder:GetWorkflow",
"imagebuilder:ListComponents",
"imagebuilder:ListContainerRecipes",
"imagebuilder:ListDistributionConfigurations",
"imagebuilder:ListImagePipelines",
"imagebuilder:ListImageRecipes",
"imagebuilder:ListImages",
"imagebuilder:ListInfrastructureConfigurations",
"imagebuilder:ListLifecyclePolicies",
"imagebuilder:ListWorkflows",
"iotsitewise:DescribeAsset",
"iotsitewise:DescribeAssetModel",
"iotsitewise:DescribeDashboard",
"iotsitewise:DescribeDataset",
"iotsitewise:DescribePortal",
"iotsitewise:DescribeProject",
"iotsitewise:ListAssets",
"iotsitewise:ListDashboards",
"iotsitewise:ListDatasets",
"iotsitewise:ListPortals",
"iotsitewise:ListProjects",
"iotsitewise:ListTimeSeries",
"iottwinmaker:GetComponentType",
"iottwinmaker:GetEntity",
"iottwinmaker:GetScene",
"iottwinmaker:GetWorkspace",
"iottwinmaker:ListComponentTypes",
"iottwinmaker:ListEntities",
"iottwinmaker:ListScenes",
"iotwireless:GetDeviceProfile",
"iotwireless:GetMulticastGroup",
"iotwireless:GetNetworkAnalyzerConfiguration",
"iotwireless:GetServiceProfile",
"iotwireless:GetWirelessDevice",
"iotwireless:GetWirelessGateway",
"iotwireless:ListDestinations",
"iotwireless:ListDeviceProfiles",
"iotwireless:ListMulticastGroups",
"iotwireless:ListNetworkAnalyzerConfigurations",
"iotwireless:ListServiceProfiles",
"iotwireless:ListWirelessDevices",
"iotwireless:ListWirelessGateways",
"ivs:GetChannel",
"ivs:GetRecordingConfiguration",
"ivs:ListChannels",
"ivs:ListPlaybackKeyPairs",
"ivs:ListPlaybackRestrictionPolicies",
"ivs:ListRecordingConfigurations",
"ivs:ListStreamKeys",
"ivschat:GetLoggingConfiguration",
"ivschat:GetRoom",
"ivschat:ListLoggingConfigurations",
"ivschat:ListRooms",
"kinesis:Describe*",
"kinesis:List*",
"lambda:GetFunction",
"lambda:List*",
"launchwizard:GetDeployment",
"launchwizard:ListDeployments",
"lightsail:GetInstancePortStates",
"logs:DeleteSubscriptionFilter",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeSubscriptionFilters",
"logs:FilterLogEvents",
"logs:PutSubscriptionFilter",
"logs:TestMetricFilter",
"macie2:GetAllowList",
"macie2:GetCustomDataIdentifier",
"macie2:GetMacieSession",
"macie2:ListAllowLists",
"macie2:ListCustomDataIdentifiers",
"macie2:ListMembers",
"managedblockchain:GetAccessor",
"managedblockchain:GetMember",
"managedblockchain:GetNetwork",
"managedblockchain:GetNode",
"managedblockchain:GetProposal",
"managedblockchain:ListAccessors",
"managedblockchain:ListInvitations",
"managedblockchain:ListMembers",
"managedblockchain:ListNodes",
"managedblockchain:ListProposals",
"memorydb:DescribeAcls",
"memorydb:DescribeMultiRegionClusters",
"memorydb:DescribeParameterGroups",
"memorydb:DescribeReservedNodes",
"memorydb:DescribeSnapshots",
"memorydb:DescribeSubnetGroups",
"memorydb:DescribeUsers",
"mobiletargeting:GetApps",
"mobiletargeting:GetCampaigns",
"mobiletargeting:GetChannels",
"mobiletargeting:GetEventStream",
"mobiletargeting:GetRecommenderConfigurations",
"mobiletargeting:GetSegments",
"mobiletargeting:ListJourneys",
"mobiletargeting:ListTemplates",
"networkmanager:GetConnectPeer",
"networkmanager:GetConnections",
"networkmanager:GetCoreNetwork",
"networkmanager:GetDevices",
"networkmanager:GetLinks",
"networkmanager:GetSites",
"networkmanager:ListAttachments",
"networkmanager:ListConnectPeers",
"networkmanager:ListCoreNetworks",
"networkmanager:ListPeerings",
"oam:ListAttachedLinks",
"oam:ListSinks",
"organizations:Describe*",
"organizations:List*",
"osis:GetPipeline",
"osis:GetPipelineBlueprint",
"osis:ListPipelineBlueprints",
"osis:ListPipelines",
"pca-connector-ad:ListConnectors",
"pca-connector-ad:ListTemplates",
"pca-connector-scep:ListConnectors",
"pipes:ListPipes",
"proton:GetComponent",
"proton:GetDeployment",
"proton:GetEnvironment",
"proton:GetEnvironmentAccountConnection",
"proton:GetEnvironmentTemplate",
"proton:GetEnvironmentTemplateVersion",
"proton:GetRepository",
"proton:GetService",
"proton:GetServiceInstance",
"proton:GetServiceTemplate",
"proton:GetServiceTemplateVersion",
"proton:ListComponents",
"proton:ListDeployments",
"proton:ListEnvironmentAccountConnections",
"proton:ListEnvironmentTemplateVersions",
"proton:ListEnvironmentTemplates",
"proton:ListEnvironments",
"proton:ListRepositories",
"proton:ListServiceInstances",
"proton:ListServiceTemplateVersions",
"proton:ListServiceTemplates",
"proton:ListServices",
"qbusiness:GetApplication",
"qbusiness:GetDataAccessor",
"qbusiness:GetDataSource",
"qbusiness:GetIndex",
"qbusiness:GetPlugin",
"qbusiness:GetRetriever",
"qbusiness:GetWebExperience",
"qbusiness:ListDataAccessors",
"qldb:ListJournalKinesisStreamsForLedger",
"ram:GetResourceShareInvitations",
"rbin:GetRule",
"rbin:ListRules",
"rds:Describe*",
"rds:List*",
"redshift-serverless:ListEndpointAccess",
"redshift-serverless:ListManagedWorkgroups",
"redshift-serverless:ListNamespaces",
"redshift-serverless:ListRecoveryPoints",
"redshift-serverless:ListSnapshots",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"resiliencehub:DescribeApp",
"resiliencehub:DescribeAppAssessment",
"resiliencehub:ListAppAssessments",
"resiliencehub:ListApps",
"resiliencehub:ListRecommendationTemplates",
"resiliencehub:ListResiliencyPolicies",
"resource-explorer-2:GetIndex",
"resource-explorer-2:GetManagedView",
"resource-explorer-2:GetView",
"resource-explorer-2:ListManagedViews",
"resource-explorer-2:ListViews",
"resource-groups:GetGroup",
"resource-groups:ListGroups",
"resourcegroupstaggingapi:GetResources",
"route53:List*",
"rum:GetAppMonitor",
"rum:ListAppMonitors",
"s3-outposts:ListRegionalBuckets",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketTagging",
"s3:ListAllMyBuckets",
"s3:PutBucketNotification",
"savingsplans:DescribeSavingsPlanRates",
"savingsplans:DescribeSavingsPlans",
"scheduler:GetSchedule",
"scheduler:ListScheduleGroups",
"scheduler:ListSchedules",
"ses:Get*",
"ses:List*",
"signer:GetSigningProfile",
"signer:ListSigningProfiles",
"sms-voice:DescribeConfigurationSets",
"sms-voice:DescribeOptOutLists",
"sms-voice:DescribePhoneNumbers",
"sms-voice:DescribePools",
"sms-voice:DescribeProtectConfigurations",
"sms-voice:DescribeRegistrationAttachments",
"sms-voice:DescribeRegistrations",
"sms-voice:DescribeSenderIds",
"sms-voice:DescribeVerifiedDestinationNumbers",
"sns:GetSubscriptionAttributes",
"sns:List*",
"sns:Publish",
"social-messaging:GetLinkedWhatsAppBusinessAccount",
"social-messaging:ListLinkedWhatsAppBusinessAccounts",
"sqs:ListQueues",
"ssm:GetServiceSetting",
"ssm:ListCommands",
"states:DescribeStateMachine",
"states:ListStateMachines",
"support:DescribeTrustedAdvisor*",
"support:RefreshTrustedAdvisorCheck",
"tag:GetResources",
"tag:GetTagKeys",
"tag:GetTagValues",
"timestream:DescribeEndpoints",
"timestream:ListTables",
"waf-regional:GetRule",
"waf-regional:GetRuleGroup",
"waf-regional:ListRuleGroups",
"waf-regional:ListRules",
"waf:GetRule",
"waf:GetRuleGroup",
"waf:ListRuleGroups",
"waf:ListRules",
"wafv2:GetIPSet",
"wafv2:GetRegexPatternSet",
"wafv2:GetRuleGroup",
"wafv2:ListLoggingConfigurations",
"workmail:DescribeOrganization",
"workmail:ListOrganizations",
"xray:BatchGetTraces",
"xray:GetTraceSummaries"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Some Datadog products leverage information about how your AWS resources (such as S3 buckets, RDS snapshots, and CloudFront distributions) are configured. Datadog collects this information by making read-only API calls to your AWS account.
The following sections list the resource types collected for different Datadog products, and the associated permissions required for the Datadog IAM role to collect data on your behalf. Add these permissions to your existing AWS integration IAM policy (with the `SecurityAudit` policy attached).
The permissions listed here reflect resources planned to be added within the next 30 days. Include these permissions in your existing AWS integration IAM policy (with the `SecurityAudit` policy attached) to get the full benefits of Datadog’s resource coverage and tracking.
If you do not have the AWS integration set up for your AWS account, complete the setup process above. Ensure that you enable Cloud Security when prompted.
To add Cloud Security to an existing AWS integration, follow the steps below to enable resource collection.
The following tags are collected with the AWS integration. Note: Some tags only display on specific metrics.