

Connect to Amazon Web Services (AWS) to:

  • See automatic AWS status updates in your event stream
  • Get CloudWatch metrics for EC2 hosts without installing the Agent
  • Tag your EC2 hosts with EC2-specific information
  • See EC2 scheduled maintenance events in your stream
  • Collect CloudWatch metrics and events from many other AWS products
  • See CloudWatch alarms in your event stream
Datadog's Amazon integration is built to collect ALL metrics from CloudWatch. Datadog strives to continually update the docs to show every sub-integration, but cloud services rapidly release new metrics and services, so the list of integrations sometimes lags behind.
| Integration | Description |
| --- | --- |
| API Gateway | Create, publish, maintain, and secure APIs |
| App Runner | A service that provides a fast, simple, and cost-effective way to deploy from source code or a container image |
| Appstream | Fully managed application streaming on AWS |
| AppSync | A GraphQL service with real-time data synchronization and offline programming features |
| Athena | Serverless interactive query service |
| Autoscaling | Scale EC2 capacity |
| Billing | Billing and budgets |
| CloudFront | Local content delivery network |
| Cloudhsm | Managed hardware security module (HSM) |
| CloudSearch | Access to log files and AWS API calls |
| CloudTrail | Access to log files and AWS API calls |
| CodeBuild | Fully managed build service |
| CodeDeploy | Automate code deployments |
| Cognito | Secure user sign-up and sign-in |
| Connect | A self-service, cloud-based contact center service |
| Direct Connect | Dedicated network connection to AWS |
| DMS | Database Migration Service |
| DocumentDB | MongoDB-compatible database |
| Dynamo DB | NoSQL Database |
| EBS (Elastic Block Store) | Persistent block level storage volumes |
| EC2 (Elastic Cloud Compute) | Resizable compute capacity in the cloud |
| EC2 Spot | Take advantage of unused EC2 capacity |
| ECS (Elastic Container Service) | Container management service that supports Docker containers |
| EFS (Elastic File System) | Shared file storage |
| EKS | Elastic Container Service for Kubernetes |
| Elastic Transcoder | Media and video transcoding in the cloud |
| ElastiCache | In-memory cache in the cloud |
| Elastic Beanstalk | Service for deploying and scaling web applications and services |
| ELB (Elastic Load Balancing) | Distributes incoming application traffic across multiple Amazon EC2 instances |
| EMR (Elastic Map Reduce) | Data processing using Hadoop |
| ES (Elasticsearch) | Deploy, operate, and scale Elasticsearch clusters |
| Firehose | Capture and load streaming data |
| FSx | Managed service providing scalable storage for Windows File Server or Lustre |
| Gamelift | Dedicated game server hosting |
| Glue | Extract, transform, and load data for analytics |
| GuardDuty | Intelligent threat detection |
| Health | Visibility into the state of your AWS resources, services, and accounts |
| Inspector | Automated security assessment |
| IOT (Internet of Things) | Connect IOT devices with cloud services |
| Kinesis | Service for real-time processing of large, distributed data streams |
| KMS (Key Management Service) | Create and control encryption keys |
| Lambda | Serverless computing |
| Lex | Build conversation bots |
| Machine Learning | Create machine learning models |
| MediaConnect | Transport for live video |
| MediaConvert | Video processing for broadcast and multiscreen delivery |
| MediaPackage | Prepare and protect video for delivery over the internet |
| MediaTailor | Scalable server-side ad insertion |
| MQ | Managed message broker for ActiveMQ |
| Managed Streaming for Kafka | Build and run applications that use Apache Kafka to process streaming data |
| NAT Gateway | Enable instances in a private subnet to connect to the internet or other AWS services |
| Neptune | Fast, reliable graph database built for the cloud |
| Network Firewall | Filter traffic at the perimeter of a VPC |
| OpsWorks | Configuration management |
| Polly | Text-to-speech service |
| RDS (Relational Database Service) | Relational database in the cloud |
| Redshift | Data warehouse solution |
| Rekognition | Image and video analysis for applications |
| Route 53 | DNS and traffic management with availability monitoring |
| S3 (Simple Storage Service) | Highly available and scalable cloud storage service |
| SageMaker | Machine learning models and algorithms |
| SES (Simple Email Service) | Cost-effective, outbound-only email-sending service |
| SNS (Simple Notification System) | Alerts and notifications |
| SQS (Simple Queue Service) | Messaging queue service |
| Storage Gateway | Hybrid cloud storage |
| SWF (Simple Workflow Service) | Cloud workflow management |
| VPC (Virtual Private Cloud) | Launch AWS resources into a virtual network |
| Web Application Firewall (WAF) | Protect web applications from common web exploits |
| Workspaces | Secure desktop computing service |
| X-Ray | Tracing for distributed applications |


AWS role delegation is not supported on the Datadog for Government site. Access keys must be used.

Use one of the following methods to integrate your AWS accounts into Datadog for metric, trace, and log collection:

Choose a method for setting up the necessary AWS role. CloudFormation is recommended.

Automatic - CloudFormation

  1. Open the Datadog AWS integration tile.
  2. Under the Configuration tab, choose Automatically Using CloudFormation. If you already have an attached AWS account, click Add another account first. If you add another account, give it a different name than the IAM Role you have already registered, because specifying the same name results in access denial.
  3. Log into the AWS console.
  4. On the CloudFormation page:
    1. Provide your Datadog API key.
    2. If you would like to enable Resource Collection (required for some products and features), you must set the CloudSecurityPostureManagementPermissions parameter to true.
    3. Check the two acknowledgment boxes at the bottom.
    4. Click Create stack.
  5. Update the Datadog AWS integration tile with the IAM role name and account ID used to create the CloudFormation stack.
  6. If there is a Datadog is not authorized to perform sts:AssumeRole error, make sure the sts:ExternalId condition in your AWS role's trust policy matches the generated AWS External ID in the Datadog AWS integration tile.
  7. Optionally, add tags to all hosts and metrics.
  8. Click Install Integration.



  1. Create a new role in the AWS IAM Console.
  2. Select Another AWS account for the Role Type.
  3. For Account ID, enter 464622532012 (Datadog’s account ID). This means that you are granting Datadog read only access to your AWS data.
  4. Select Require external ID and enter the one generated in the AWS integration tile. Make sure you leave Require MFA disabled. For more information about the External ID, see the IAM User Guide.
  5. Click Next: Permissions.
  6. If you’ve already created the policy, search for it on this page and select it, then skip to step 12. Otherwise, click Create Policy, which opens in a new window.
  7. Select the JSON tab. To take advantage of every AWS integration offered by Datadog, paste the policy snippet below into the textbox. As other components are added to an integration, these permissions may change.
  8. Click Next: Tags and Review policy.
  9. Name the policy DatadogAWSIntegrationPolicy or one of your own choosing, and provide an apt description.
  10. Click Create policy, then close this window.
  11. Back in the “Create role” window, refresh the list of policies and select the policy you just created.
  12. (Optional): Add the required permissions to use Datadog’s Cloud Security Posture Management product by adding the AWS SecurityAudit Policy to your role.
  13. Click Next: Tags and Next: Review.
  14. Give the role a name such as DatadogAWSIntegrationRole, as well as an apt description.
  15. Click Create Role.

Bonus: If you use Terraform, set up your Datadog IAM policy by following The AWS Integration with Terraform.


  1. Go back to the Datadog AWS integration tile.
  2. Select the Role Delegation tab and select Manually.
  3. Enter your AWS Account ID without dashes, for example: 123456789012. Your Account ID can be found in the ARN of the role created during the installation of the AWS integration.
  4. Enter the name of the created role. Note: The role name you enter in the integration tile is case sensitive and must exactly match the role name created on the AWS side.
  5. If there is a Datadog is not authorized to perform sts:AssumeRole error, make sure the sts:ExternalId condition in your AWS role's trust policy matches the generated AWS External ID in the Datadog AWS integration tile.
  6. Choose the AWS services to collect metrics from on the left side of the dialog.
  7. Optionally, check the box Enable resource configuration collection if you would like to enable Resource Collection (required for some products and features).
  8. Optionally, add tags to all hosts and metrics.
  9. Optionally, monitor a subset of EC2 instances by entering the AWS tags in the textbox to hosts with tag. Note: This also applies to an instance’s attached EBS volumes.
  10. Optionally, monitor a subset of Lambdas by entering the AWS tags in the textbox to Lambdas with tag.
  11. Click Install Integration.
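
The sts:AssumeRole error above almost always comes from the role's trust policy. As an added example (not code from the Datadog docs), here is a constructed trust policy of the kind the manual role steps produce, together with a check that it grants sts:AssumeRole only to Datadog's account ID from the steps above, carries the expected External ID, and does not require MFA; the External ID value is a placeholder for the one generated in the integration tile.

```python
import json

# Datadog's AWS account ID, as given in the manual role-creation steps.
DATADOG_ACCOUNT_ID = "464622532012"

# Constructed sample trust policy for the Datadog integration role.
# The External ID is a placeholder; use the value generated in the
# Datadog AWS integration tile.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{DATADOG_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": "EXTERNAL-ID-FROM-DATADOG-TILE"}
            },
        }
    ],
})


def check_trust_policy(policy_json, expected_external_id):
    """Return a list of problems found in a role trust policy.

    An empty list means every Allow statement grants sts:AssumeRole only to
    the Datadog account, requires the expected External ID (the confused
    deputy protection), and does not require MFA, which the integration
    cannot satisfy (the steps above say to leave Require MFA disabled).
    """
    problems = []
    doc = json.loads(policy_json)
    allow_stmts = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allow_stmts:
        return ["no Allow statement"]
    for stmt in allow_stmts:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            problems.append("statement does not allow sts:AssumeRole")
        principal = stmt.get("Principal", {}).get("AWS", "")
        principals = [principal] if isinstance(principal, str) else principal
        for p in principals:
            # A wildcard principal, or any account other than Datadog's,
            # would let unintended callers assume the role.
            if p == "*" or DATADOG_ACCOUNT_ID not in p:
                problems.append(f"unexpected principal {p!r}")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the Datadog tile")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            problems.append("MFA is required; Datadog cannot assume the role")
    return problems
```

Run it against the trust policy exported from the IAM console with the External ID shown in the tile; a non-empty list explains the access denial before you retry Install Integration.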

Datadog AWS IAM policy

The permissions listed below are included in the policy document using wild cards such as List* and Get*. If you require strict policies, use the complete action names as listed and reference the Amazon API documentation for the services you require.

All permissions

If you are not comfortable with granting all permissions, at the very least use the existing policies named AmazonEC2ReadOnlyAccess and CloudWatchReadOnlyAccess. For more detailed information regarding permissions, see the Core permissions section.

    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Effect": "Allow",
            "Resource": "*"
Core permissions

The core Datadog AWS integration pulls data from AWS CloudWatch. At a minimum, your Policy Document needs to allow the following actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "support:*",
                       "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues"],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

| AWS Permission | Description |
| --- | --- |
| cloudwatch:ListMetrics | List the available CloudWatch metrics. |
| cloudwatch:GetMetricData | Fetch data points for a given metric. |
| support:* | Add metrics about service limits. It requires full access because of AWS limitations. |
| tag:getResources | Get custom tags by resource type. |
| tag:getTagKeys | Get tag keys by region within an AWS account. |
| tag:getTagValues | Get tag values by region within an AWS account. |

The main use of the Resource Group Tagging API is to reduce the number of API calls needed to collect custom tags. For more information, review the Tag policies documentation on the AWS website.

AWS managed SecurityAudit policy

The permissions in AWS's managed SecurityAudit policy are necessary for Datadog's Cloud Security Posture Management product to monitor your AWS resource configurations. In addition to those permissions, these features also require the All permissions policy above.


  1. In your AWS console, set up an IAM user to be used by the Datadog integration.
  2. Generate an access key and secret key for the Datadog integration IAM user.

For more details, see How to use an external ID when granting access to your AWS resources to a third party.


  1. Open the AWS integration tile.
  2. Select the Access Keys (GovCloud or China Only) tab.
  3. Enter your AWS Access Key and AWS Secret Key. Only access and secret keys for GovCloud and China are accepted.
  4. Choose the services to collect metrics from on the left side of the dialog.
  5. Optionally, add tags to all hosts and metrics.
  6. Optionally, monitor a subset of EC2 instances by entering the AWS tags in the textbox to hosts with tag. Note: This also applies to an instance’s attached EBS volumes.
  7. Optionally, monitor a subset of Lambdas by entering the AWS tags in the textbox to Lambdas with tag.
  8. Click Install Integration.

Log collection

There are two ways of sending AWS service logs to Datadog:

  • Kinesis Firehose destination: Use the Datadog destination in your Kinesis Firehose delivery stream to forward logs to Datadog. Datadog recommends this approach for sending logs from CloudWatch at very high volume.
  • Forwarder Lambda function: Deploy the Datadog Forwarder Lambda function, which subscribes to S3 buckets or your CloudWatch log groups and forwards logs to Datadog. You must use this approach to send traces, enhanced metrics, or custom metrics from Lambda functions asynchronously through logs. Datadog also recommends this approach for sending logs from S3 or other resources that cannot directly stream data to Kinesis.

Metric collection

There are two ways to send AWS metrics to Datadog:

  • Metric polling: API polling comes out of the box with the AWS integration and does a metric-by-metric crawl of the CloudWatch API to pull data to send to Datadog. New metrics are pulled every ten minutes on average.
  • Metric streams with Kinesis Firehose: You can use Amazon CloudWatch Metric Streams and Amazon Kinesis Data Firehose to see your metrics at a two to three minute latency. This requires a separate setup.

Resource collection

Some Datadog products leverage information about how your AWS resources (such as S3 Buckets, RDS snapshots, and CloudFront distributions) are configured. Datadog collects this information by making read only API calls into your AWS account.

Cloud Security Posture Management


  1. If you do not have the AWS Integration set up yet for your AWS account, complete the setup process above and make sure to enable resource collection when mentioned.
  2. If you already have the AWS Integration set up for other Datadog products, but do not yet have resource collection enabled, do one of the following:
    1. Automatic - Update your CloudFormation Template
      1. In the CloudFormation console, find the main stack you used to install the Datadog integration and select Update.
      2. Select Replace current template.
      3. Select Amazon S3 URL, enter the template URL, and click Next.
      4. Set CloudSecurityPostureManagementPermissions to true and click Next without modifying other existing parameters until you reach the Review page. Here you can verify the change set preview.
      5. Check the two acknowledgment boxes at the bottom and click Update stack.
    2. Manual
      1. Attach the AWS managed SecurityAudit policy to your Datadog AWS IAM role. You can find this policy in the AWS console.
  3. Go to the Datadog AWS integration tile and do the following:
    1. Click on the AWS account where you wish to enable resource collection.
    2. Go to the Resource collection section for that account and check the box Route resource data to the Cloud Security Posture Management product.
    3. At the bottom left of the tile, click Update Configuration.

Alarm collection

There are two ways to send AWS CloudWatch alarms to the Datadog Event Stream:

  • Alarm polling: Alarm polling comes out of the box with the AWS integration and fetches metric alarms through the DescribeAlarmHistory API. If you follow this method, your alarms are categorized under the event source Amazon Web Services. Note: The crawler does not collect composite alarms.
  • SNS topic: You can see all AWS CloudWatch alarms in your event stream by subscribing the alarms to an SNS topic, then forwarding the SNS messages to Datadog. To learn how to receive SNS messages as events in Datadog, see Receive SNS messages. If you follow this method, your alarms are categorized under the event source Amazon SNS.

Data Collected


The volume of log events in uncompressed bytes uploaded to Cloudwatch Logs.
Shown as byte
The number of log events uploaded to Cloudwatch Logs.
Shown as event
The volume of log events in compressed bytes forwarded to the subscription destination.
Shown as byte
The number of log events forwarded to the subscription destination.
Shown as event
The number of log events for which CloudWatch Logs received an error when forwarding data to the subscription destination.
Shown as event
The number of log events for which CloudWatch Logs was throttled when forwarding data to the subscription destination.
Shown as event
Measures the number of times a target is invoked for a rule in response to an event. This includes successful and failed invocations but does not include throttled or retried attempts until they fail permanently.
Measures the number of invocations that failed permanently. This does not include invocations that are retried or that succeeded after a retry attempt
Measures the number of triggered rules that matched with any event.
Measures the number of events that matched with any rule.
Measures the number of triggered rules that are being throttled.
The number of specified operations performed in your account
Shown as operation
The number of specified resources in your account
Shown as resource


Events from AWS are collected on a per AWS-service basis. See the documentation of specific AWS services to learn more about the events collected.


The following tags are collected from AWS integrations. Note: Some tags only display on specific metrics.

| Integration | Datadog Tag Keys |
| --- | --- |
| All | region |
| API Gateway | apiid, apiname, method, resource, stage |
| App Runner | instance, serviceid, servicename |
| Auto Scaling | autoscalinggroupname, autoscaling_group |
| Billing | account_id, budget_name, budget_type, currency, servicename, time_unit |
| CloudFront | distributionid |
| CodeBuild | project_name |
| CodeDeploy | application, creator, deployment_config, deployment_group, deployment_option, deployment_type, status |
| DirectConnect | connectionid |
| DynamoDB | globalsecondaryindexname, operation, streamlabel, tablename |
| EBS | volumeid, volume-name, volume-type |
| EC2 | autoscaling_group, availability-zone, image, instance-id, instance-type, kernel, name, security_group_name |
| ECS | clustername, servicename, instance_id |
| EFS | filesystemid |
| ElastiCache | cachenodeid, cache_node_type, cacheclusterid, cluster_name, engine, engine_version, preferred_availability-zone, replication_group |
| ElasticBeanstalk | environmentname, enviromentid |
| ELB | availability-zone, hostname, loadbalancername, name, targetgroup |
| EMR | cluster_name, jobflowid |
| ES | dedicated_master_enabled, ebs_enabled, elasticsearch_version, instance_type, zone_awareness_enabled |
| Firehose | deliverystreamname |
| FSx | filesystemid, filesystemtype |
| Health | event_category, status, service |
| IoT | actiontype, protocol, rulename |
| Kinesis | streamname, name, state |
| KMS | keyid |
| Lambda | functionname, resource, executedversion, memorysize, runtime |
| Machine Learning | mlmodelid, requestmode |
| MQ | broker, queue, topic |
| OpsWorks | stackid, layerid, instanceid |
| Polly | operation |
| RDS | auto_minor_version_upgrade, dbinstanceclass, dbclusteridentifier, dbinstanceidentifier, dbname, engine, engineversion, hostname, name, publicly_accessible, secondary_availability-zone |
| RDS Proxy | proxyname, target, targetgroup, targetrole |
| Redshift | clusteridentifier, latency, nodeid, service_class, stage, wlmid |
| Route 53 | healthcheckid |
| S3 | bucketname, filterid, storagetype |
| SES | Tag keys are custom set in AWS. |
| SNS | topicname |
| SQS | queuename |
| VPC | nategatewayid, vpnid, tunnelipaddress |
| WorkSpaces | directoryid, workspaceid |

Service Checks

Returns CRITICAL if one or more AWS regions are experiencing issues. Returns OK otherwise.
Statuses: ok, critical


Discrepancy between your data in CloudWatch and Datadog

There are two important distinctions to be aware of:

  1. In AWS, for counters, a graph set to 'sum' over '1 minute' shows the total number of occurrences in the one minute leading up to that point, that is, the rate per minute. Datadog displays the raw data from AWS normalized to per-second values, regardless of the time frame selected in AWS. This is why you might see Datadog's value as lower.
  2. Overall, min/max/avg have a different meaning within AWS than in Datadog. In AWS, average latency, minimum latency, and maximum latency are three distinct metrics that AWS collects. When Datadog pulls metrics from AWS CloudWatch, the average latency is received as a single timeseries per ELB. Within Datadog, when you are selecting ‘min’, ‘max’, or ‘avg’, you are controlling how multiple timeseries are combined. For example, requesting system.cpu.idle without any filter would return one series for each host that reports that metric and those series need to be combined to be graphed. On the other hand, if you requested system.cpu.idle from a single host, no aggregation would be necessary and switching between average and max would yield the same result.

Metrics delayed

When using the AWS integration, Datadog pulls in your metrics through the CloudWatch API. You may see a slight delay in metrics from AWS due to some constraints that exist for their API.

To begin, the CloudWatch API only offers a metric-by-metric crawl to pull data. The CloudWatch APIs have a rate limit that varies based on the combination of authentication credentials, region, and service. Metrics are made available by AWS dependent on the account level. For example, if you are paying for “detailed metrics” within AWS, they are available more quickly. This level of service for detailed metrics also applies to granularity, with some metrics being available per minute and others per five minutes.

Datadog has the ability to prioritize certain metrics within an account to pull them in faster, depending on the circumstances. Contact Datadog support for more info.

To obtain metrics with virtually zero delay, install the Datadog Agent on the host. For more information, see Datadog’s blog post Don’t fear the Agent: Agent-based monitoring.

Missing metrics

CloudWatch’s API returns only metrics with data points, so if for instance an ELB has no attached instances, it is expected not to see metrics related to this ELB in Datadog.

Wrong count of aws.elb.healthy_host_count

When the cross-zone load balancing option is enabled on an ELB, all the instances attached to this ELB are considered part of all availability zones (on CloudWatch's side), so if you have 2 instances in 1a and 3 in 1b, the metric displays 5 instances per availability zone. As this can be counterintuitive, the metrics aws.elb.healthy_host_count_deduped and aws.elb.un_healthy_host_count_deduped display the count of healthy and unhealthy instances per availability zone, regardless of whether the cross-zone load balancing option is enabled.

Duplicated hosts when installing the Agent

When installing the Agent on an AWS host, you might see duplicated hosts on the infra page for a few hours if you manually set the hostname in the Agent’s configuration. This second host disappears a few hours later, and does not affect your billing.

EC2 metadata with IMDS v2

In your Agent configuration, if the parameter ec2_prefer_imdsv2 is set to true (it defaults to false), the Agent requests EC2 metadata using IMDS v2, which offers additional security for accessing metadata. In some situations, additional configuration may be required in AWS, for example when using a containerized Agent on a plain EC2 instance. See the AWS guidelines for further details.

Further Reading

Additional helpful documentation, links, and articles: