---
title: AWS Manual Setup Guide
description: Steps for manually setting up the Datadog AWS Integration
breadcrumbs: Docs > Integrations > Integration Guides > AWS Manual Setup Guide
---

# AWS Manual Setup Guide

## Overview{% #overview %}

Use this guide to manually set up the Datadog [AWS Integration](https://docs.datadoghq.com/integrations/amazon_web_services/).

{% tab title="Role delegation" %}
To set up the AWS integration manually, create an IAM policy and IAM role in your AWS account, and configure the role with an AWS External ID generated in your Datadog account. This allows Datadog's AWS account to query AWS APIs on your behalf, and pull data into your Datadog account. The sections below detail the steps for creating each of these components, and then completing the setup in your Datadog account.

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com



{% alert level="danger" %}
*Setting up S3 Log Archives using Role Delegation is in limited availability. Contact [Datadog Support](https://docs.datadoghq.com/help/) to request this feature in your Datadog for Government account*.
{% /alert %}


{% /callout %}

## Setup{% #setup %}

### Generate an external ID{% #generate-an-external-id %}

1. In the [AWS integration configuration page](https://app.datadoghq.com/integrations/amazon-web-services), click **Add AWS Account(s)**, and then select **Manually**.
1. Choose which AWS partition your AWS account is scoped to. The partition is either `aws` for commercial regions, `aws-cn` for China*, or `aws-us-gov` for GovCloud. See [Partitions](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html) in the AWS documentation for more information.

{% callout %}
# Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com


Select `Role Delegation` for the access type. Role delegation is only supported for AWS accounts scoped to AWS commercial regions.

{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com


Select `Role Delegation` for the access type. Role delegation is only supported for AWS accounts scoped to AWS commercial or AWS GovCloud regions.

{% /callout %}
1. Copy the `AWS External ID`. For more information about the external ID, read the [IAM User Guide](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). **Note**: The External ID remains available and is not regenerated for 48 hours, unless explicitly changed by a user or another AWS account is added to Datadog during this period. You can return to the **Add AWS Account(s)** page within that time period without the External ID changing.

### Create a Datadog integration IAM role{% #create-a-datadog-integration-iam-role %}

Datadog assumes this role to collect data on your behalf.

1. Go to the AWS [IAM Console](https://console.aws.amazon.com/iam/home#/roles) and click `Create role`.
1. Select **AWS account** for the trusted entity type, and **Another AWS account**.

{% callout %}
# Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu


Enter `464622532012` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.

{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: ap1.datadoghq.com


Enter `417141415827` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.

{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: ap2.datadoghq.com


Enter `412381753143` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.

{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com


If the AWS account you want to integrate is a GovCloud account, enter `065115117704` as the `Account ID`, otherwise enter `392588925713`. This is Datadog's account ID, and grants Datadog access to your AWS data.

{% /callout %}

**Note**: Ensure that the **DATADOG SITE** selector on the right of this documentation page is set to your Datadog site before copying the account ID above.

1. Select **Require external ID** and enter the external ID copied in the previous section. Leave `Require MFA` disabled. For more details, see the [Access to AWS accounts owned by third parties](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) page in the AWS documentation.
1. Click **Next**.
1. To enable [resource collection](https://docs.datadoghq.com/integrations/amazon_web_services/#resource-collection), attach the AWS SecurityAudit Policy to the role.
1. Click **Next**.
1. Give the role a name such as `DatadogIntegrationRole`. Optionally, provide a description and add tags to the role.
1. Click **Create Role**.

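
The console steps above produce a role trust policy that names Datadog's account as the principal and requires the external ID. The following added example (not Datadog's own tooling) builds that trust policy for a given Datadog site and checks an existing one, for instance the document returned by `aws iam get-role`, against what this guide expects: only the Datadog account as principal, the `sts:ExternalId` condition present, and no MFA condition. The account IDs are those listed in the callouts above; the `aws-us-gov` partition for the GovCloud account ID is an assumption.

```python
# Datadog AWS account IDs per Datadog site, copied from the callouts in this guide.
DATADOG_ACCOUNT_IDS = {
    "app.datadoghq.com": "464622532012",
    "us3.datadoghq.com": "464622532012",
    "us5.datadoghq.com": "464622532012",
    "app.datadoghq.eu": "464622532012",
    "ap1.datadoghq.com": "417141415827",
    "ap2.datadoghq.com": "412381753143",
    "app.ddog-gov.com": "392588925713",  # 065115117704 when your AWS account is GovCloud
}

def datadog_account_id(site: str, govcloud: bool = False) -> str:
    """Datadog account ID to trust for a given Datadog site and AWS partition."""
    if site == "app.ddog-gov.com" and govcloud:
        return "065115117704"
    return DATADOG_ACCOUNT_IDS[site]

def build_trust_policy(site: str, external_id: str, govcloud: bool = False) -> dict:
    """Trust policy equivalent to 'Another AWS account' + 'Require external ID' in the console."""
    partition = "aws-us-gov" if govcloud else "aws"  # assumption: Datadog's GovCloud account is in aws-us-gov
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{datadog_account_id(site, govcloud)}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list:
    """Findings for an existing trust policy (e.g. from `aws iam get-role`); empty means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [principal] if isinstance(principal, str) else principal:
            if account_id not in p:  # "*" or another account: not the Datadog account from the guide
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
        if "aws:MultiFactorAuthPresent" in str(cond):
            findings.append("MFA condition present; the guide says to leave Require MFA disabled")
    return findings
```
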
### Create an inline IAM policy for the Datadog integration role{% #create-an-inline-iam-policy-for-the-datadog-integration-role %}

This policy defines the permissions necessary for the Datadog integration role to collect data for every AWS integration offered by Datadog. These permissions may change as new AWS services are added to this integration.

1. Select the Datadog integration role on the [IAM roles page](https://console.aws.amazon.com/iam/home#/roles).
1. Click **Add permissions**, and select **Create inline policy**.
1. Select the **JSON** tab.
1. Paste the permission policies in the textbox. **Note**: Optionally, you can add [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) elements to the IAM policy. For example, conditions can be used to [restrict monitoring to certain regions](https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/).
1. Click **Next**.
1. Give the policy a name such as `DatadogIntegrationPolicy`.
1. Click **Create policy**.
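
The note above suggests adding `Condition` elements, for example to restrict monitoring to certain regions. The following added example (not Datadog's code) takes a policy shaped like the one in the AWS integration IAM policy section below, lists the actions that are not read-only (the ones most worth scoping), and returns a copy with an `aws:RequestedRegion` condition; the abbreviated action list is a constructed sample, and the full list from the policy below can be pasted in its place.

```python
import json

# Constructed sample shaped like the AWS integration IAM policy in this guide, shortened
# to a few actions; paste the full "Action" list from the policy section to audit it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["cloudwatch:Get*", "ec2:Describe*", "s3:GetObject", "apigateway:GET",
                   "logs:PutSubscriptionFilter", "logs:DeleteSubscriptionFilter",
                   "s3:PutBucketNotification", "sns:Publish", "events:CreateEventBus",
                   "support:RefreshTrustedAdvisorCheck"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Verb prefixes that only read state; anything else can change the account.
READ_ONLY_VERBS = ("Describe", "Get", "GET", "List", "BatchGet", "View", "Lookup", "Filter", "Test")

def mutating_actions(policy: dict) -> list:
    """Actions whose verb is not read-only: the permissions to review and scope first."""
    found = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                found.append(action)
    return found

def restrict_to_regions(policy: dict, regions: list) -> dict:
    """Copy of the policy with an aws:RequestedRegion condition on every Allow statement.
    Caveat: global services (IAM, CloudFront, Route 53, Organizations) evaluate this key
    as us-east-1, so keep us-east-1 in the list or their calls are denied."""
    restricted = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for stmt in restricted["Statement"]:
        if stmt.get("Effect") == "Allow":
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:RequestedRegion"] = list(regions)
    return restricted
```
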

### Complete the setup in Datadog{% #complete-the-setup-in-datadog %}

1. Return to the manual setup section of the [AWS integration configuration page](https://app.datadoghq.com/integrations/amazon-web-services).
1. Click the `I confirm that the Datadog IAM Role has been added to the AWS Account` checkbox.
1. In the **Account ID** section, enter your account ID **without dashes**; for example, `123456789012`. You can find the account ID in the ARN of the Datadog integration role, which follows the format `arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>`.
1. In the **AWS Role Name** section, enter the name of the Datadog integration role previously created. **Note**: The role name is case sensitive and must exactly match the role name in AWS.
1. Click **Save**.
1. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.

{% alert level="danger" %}
If there is a `Datadog is not authorized to perform sts:AssumeRole` error, follow the troubleshooting steps recommended in the UI, or read the troubleshooting guide.
{% /alert %}

\* *All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the [Restricted Service Locations](https://www.datadoghq.com/legal/restricted-service-locations/) section on our website.*
{% /tab %}

{% tab title="Access keys" %}
## Setup{% #setup %}

### AWS{% #aws %}

1. In your AWS console, create an IAM user to be used by the Datadog integration with the necessary permissions.
1. Generate an access key and secret key for the Datadog integration IAM user.

### Datadog{% #datadog %}

1. In the [AWS integration tile](https://app.datadoghq.com/integrations/amazon-web-services), click **Add AWS Account**, and then select **Manually**.
1. Select the **Access Keys** tab.
1. Choose which AWS partition your AWS account is scoped to. The partition is either `aws` for commercial regions, `aws-cn` for China*, or `aws-us-gov` for GovCloud. See [Partitions](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html) in the AWS documentation for more information.
1. Click the **I confirm that the IAM User for the Datadog Integration has been added to the AWS Account** checkbox.
1. Enter your `Account ID`, `AWS Access Key` and `AWS Secret Key`.
1. Click **Save**.
1. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.

\* *All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the [Restricted Service Locations](https://www.datadoghq.com/legal/restricted-service-locations/) section on our website.*
{% /tab %}

## AWS IAM permissions{% #aws-iam-permissions %}

AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events and other data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the **Datadog AWS Integration IAM Role** in your AWS account.

### AWS integration IAM policy{% #aws-integration-iam-policy %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetAccountInformation",
        "airflow:GetEnvironment",
        "airflow:ListEnvironments",
        "apigateway:GET",
        "appsync:ListGraphqlApis",
        "autoscaling:Describe*",
        "backup:List*",
        "batch:DescribeJobDefinitions",
        "batch:DescribeJobQueues",
        "batch:DescribeJobs",
        "batch:ListJobs",
        "bcm-data-exports:GetExport",
        "bcm-data-exports:ListExports",
        "budgets:ViewBudget",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codebuild:BatchGetProjects",
        "codebuild:ListProjects",
        "codedeploy:BatchGet*",
        "codedeploy:List*",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dms:DescribeReplicationInstances",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "es:ListTags",
        "events:CreateEventBus",
        "fsx:DescribeFileSystems",
        "fsx:ListTagsForResource",
        "glue:BatchGetJobs",
        "glue:GetJob",
        "glue:GetJobs",
        "glue:ListJobs",
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails",
        "health:DescribeEvents",
        "iam:ListAccountAliases",
        "iot:GetV2LoggingOptions",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:DeleteSubscriptionFilter",
        "logs:DescribeDeliveries",
        "logs:DescribeDeliverySources",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeSubscriptionFilters",
        "logs:FilterLogEvents",
        "logs:GetDeliveryDestination",
        "logs:PutSubscriptionFilter",
        "logs:TestMetricFilter",
        "network-firewall:DescribeLoggingConfiguration",
        "network-firewall:ListFirewalls",
        "oam:ListAttachedLinks",
        "oam:ListSinks",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift-serverless:ListNamespaces",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "route53:List*",
        "route53resolver:ListResolverQueryLogConfigs",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:List*",
        "sns:Publish",
        "sqs:ListQueues",
        "ssm:GetServiceSetting",
        "ssm:ListCommands",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "support:DescribeTrustedAdvisor*",
        "support:RefreshTrustedAdvisorCheck",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "timestream:DescribeEndpoints",
        "trustedadvisor:ListRecommendationResources",
        "trustedadvisor:ListRecommendations",
        "wafv2:ListLoggingConfigurations",
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

### AWS resource collection IAM policy{% #aws-resource-collection-iam-policy %}

To use [resource collection](https://docs.datadoghq.com/integrations/amazon_web_services/#resource-collection), you must attach AWS's managed SecurityAudit Policy to your Datadog IAM role.

**Notes**:

- Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
- To enable Datadog to collect account management resources from `account.GetAlternateContact` and `account.GetContactInformation`, you need to [enable trusted access for AWS account management](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html).
- AWS China accounts are not supported.
- Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable **Usage** (`AWS/Usage`) metrics in the **Metric Collection** tab of the [Datadog AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services/).

## Further reading{% #further-reading %}

- [AWS Integration](https://docs.datadoghq.com/integrations/amazon_web_services/)
- [Datadog Forwarder Lambda function](https://docs.datadoghq.com/serverless/libraries_integrations/forwarder/)
- [Send AWS service logs with the Datadog Amazon Data Firehose destination](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-kinesis-firehose-destination/)
- [Troubleshooting the AWS integration](https://docs.datadoghq.com/integrations/guide/aws-integration-troubleshooting/)
- [AWS CloudWatch metric streams with Amazon Data Firehose](https://docs.datadoghq.com/integrations/guide/aws-cloudwatch-metric-streams-with-kinesis-data-firehose/)
- [Key metrics for AWS monitoring](https://www.datadoghq.com/blog/aws-monitoring/)
- [How to monitor EC2 instances with Datadog](https://www.datadoghq.com/blog/monitoring-ec2-instances-with-datadog/)
- [Monitoring AWS Lambda with Datadog](https://www.datadoghq.com/blog/monitoring-aws-lambda-with-datadog/)
- [Introducing Datadog Cloud Security Posture Management](https://www.datadoghq.com/blog/cloud-security-posture-management/)
- [Secure your infrastructure in real time with Datadog Cloud Workload Security](https://www.datadoghq.com/blog/datadog-workload-security/)
- [Announcing Datadog Security Monitoring](https://www.datadoghq.com/blog/announcing-cloud-siem/)
- [Best practices for tagging your infrastructure and applications](https://www.datadoghq.com/blog/tagging-best-practices/#aws)
