AWS Manual Setup Guide

To find out if this integration is available in your organization, see your Datadog Integrations page or ask your organization administrator.

To initiate an exception request to enable this integration for your organization, email support@ddog-gov.com.

Overview

Use this guide to manually set up the Datadog AWS Integration.

To set up the AWS integration manually, create an IAM policy and IAM role in your AWS account, and configure the role with an AWS External ID generated in your Datadog account. This allows Datadog’s AWS account to query AWS APIs on your behalf, and pull data into your Datadog account. The sections below detail the steps for creating each of these components, and then completing the setup in your Datadog account.

Setting up S3 Log Archives using Role Delegation is in limited availability. Contact Datadog Support to request this feature in your Datadog for Government account.

Setup

Changing the access type on an existing AWS account is a destructive operation. To switch methods (for example, from Access Keys to Role Delegation), delete the existing account entry and re-add it with the new access type. Per-account settings are not preserved when you re-add an account. This includes metric collection filters, log collection configuration, and tag customizations. Reconfigure these settings after re-adding the account.

Generate an external ID

  1. In the AWS integration configuration page, click Add AWS Account(s), and then select Manually.

  2. Choose which AWS partition your AWS account is scoped to. The partition is either aws for commercial regions, aws-cn for China*, or aws-us-gov for GovCloud. See Partitions in the AWS documentation for more information.

    If your AWS account is in the aws-us-gov (GovCloud) partition, verify with your compliance team before connecting it to your Datadog site. Confirm that forwarding data from that account meets your organization's authorization boundary and data handling requirements. Applicable frameworks may include FedRAMP, ITAR, IL4, or IL5.

  3. Select Role Delegation for the access type. Role delegation is only supported for AWS accounts scoped to AWS commercial regions.

  3. Select Role Delegation for the access type. Role delegation is only supported for AWS accounts scoped to AWS commercial or AWS GovCloud regions.

  4. Copy the AWS External ID. For more information about the external ID, read the IAM User Guide. Note: The External ID remains available and is not regenerated for 48 hours, unless explicitly changed by a user or another AWS account is added to Datadog during this period. You can return to the Add AWS Account(s) page within that time period without the External ID changing.

Create a Datadog integration IAM role

Datadog assumes this role to collect data on your behalf.

  1. Go to the AWS IAM Console and click Create role.
  2. Select AWS account for the trusted entity type, and Another AWS account.

  3. Enter as the Account ID. This is Datadog’s account ID, and grants Datadog access to your AWS data.

  3. If the AWS account you want to integrate is a GovCloud account, enter as the Account ID, otherwise enter . This is Datadog’s account ID, and grants Datadog access to your AWS data.

    Note: Ensure that the DATADOG SITE selector on the right of this documentation page is set to your Datadog site before copying the account ID above.

  4. Select Require external ID and enter the external ID copied in the previous section. Leave Require MFA disabled. For more details, see the Access to AWS accounts owned by third parties page in the AWS documentation.
  5. Click Next.
  6. To enable resource collection, attach the AWS SecurityAudit Policy to the role.
  7. Click Next.
  8. Give the role a name such as DatadogIntegrationRole. Optionally, provide a description and add tags to the role.
  9. Click Create Role.

Create an inline IAM policy for the Datadog integration role

This policy defines the permissions necessary for the Datadog integration role to collect data for every AWS integration offered by Datadog. These permissions may change as new AWS services are added to this integration.

  1. Select the Datadog integration role on the IAM roles page.
  2. Click Add permissions, and select Create inline policy.
  3. Select the JSON tab.
  4. Paste the permission policies in the textbox.
    Note: Optionally, you can add Condition elements to the IAM policy. For example, conditions can be used to restrict monitoring to certain regions.
  5. Click Next.
  6. Give the policy a name such as DatadogIntegrationPolicy.
  7. Click Create policy.

Complete the setup in Datadog

  1. Return to the manual setup section of the AWS integration configuration page.
  2. Click the I confirm that the Datadog IAM Role has been added to the AWS Account checkbox.
  3. In the Account ID section, enter your account ID without dashes; for example, 123456789012. You can find the account ID in the ARN of the Datadog integration role, which follows the format arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>.
  4. In the AWS Role Name section, enter the name of the Datadog integration role previously created. Note: The role name is case sensitive and must exactly match the role name in AWS.
  5. Click Save.
  6. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.

Troubleshoot IAM role issues

If the integration does not appear to be working after setup, verify the following:

Common trust policy mistakes:

  • The Account ID in the trust policy must match the Datadog account ID for your Datadog site. Verify that the DATADOG SITE selector on this page is set correctly.
  • The External ID in the trust policy must match the value shown in the AWS integration configuration page. External IDs are regenerated after 48 hours if not used.
  • The role ARN entered in Datadog must exactly match the role ARN in AWS, including capitalization.

Validate the integration in Datadog:

After configuring the role, return to the AWS integration page and save the configuration. Datadog validates the role by attempting to assume it from Datadog’s own AWS account. If the role cannot be assumed, an error message appears in the UI. See Error: Datadog is not authorized to perform sts:AssumeRole for detailed troubleshooting steps.

Service Control Policies (SCPs):

If your AWS account is part of an AWS Organization, Service Control Policies can block the integration even when the IAM role and trust policy are correct. See Missing metrics in the troubleshooting guide for details.

If there is a Datadog is not authorized to perform sts:AssumeRole error, follow the troubleshooting steps recommended in the UI, or read the troubleshooting guide.
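As an added example (not Datadog's own code), the following builds the trust policy that the "Create a Datadog integration IAM role" steps describe and checks an existing trust policy for the mistakes listed under "Troubleshoot IAM role issues". The account ID and External ID are constructed placeholders; substitute the values shown for your Datadog site.

```python
# Constructed placeholders: substitute the account ID shown for your Datadog
# site and the External ID copied from the Add AWS Account(s) page.
DATADOG_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(datadog_account_id, external_id):
    """Trust policy from the guide: only Datadog's account may assume the role,
    and only when it presents the External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{datadog_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def lint_trust_policy(doc, datadog_account_id, external_id):
    """Return findings for the trust-policy mistakes the guide lists;
    an empty list means the policy matches what the guide expects."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in arns:
            findings.append("principal is '*': any AWS account could assume the role")
        for arn in arns:
            if arn != "*" and f":{datadog_account_id}:" not in arn:
                findings.append(f"principal {arn} is not the Datadog account ID for your site")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition: the role does not require the External ID")
        elif external_id not in _as_list(ext):
            findings.append("sts:ExternalId does not match the value in the AWS integration page")
    return findings
```

Run `lint_trust_policy` on the trust policy document downloaded from the IAM console (the "Trust relationships" tab) before saving the account in Datadog.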

* All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the Restricted Service Locations section on our website.

Setup

AWS

  1. In your AWS console, create an IAM user to be used by the Datadog integration with the necessary permissions.
  2. Generate an access key and secret key for the Datadog integration IAM user.

Datadog

  1. In the AWS integration tile, click Add AWS Account, and then select Manually.

  2. Select the Access Keys tab.

  3. Choose which AWS partition your AWS account is scoped to. The partition is either aws for commercial regions, aws-cn for China*, or aws-us-gov for GovCloud. See Partitions in the AWS documentation for more information.

    Access keys authentication is supported only for AWS accounts in the aws-us-gov (GovCloud) and aws-cn (China) partitions. For AWS accounts in the aws (commercial) partition, use Role Delegation instead.
    If your AWS account is in the aws-us-gov (GovCloud) partition, verify with your compliance team before connecting it to your Datadog site. Confirm that forwarding data from that account meets your organization's authorization boundary and data handling requirements. Applicable frameworks may include FedRAMP, ITAR, IL4, or IL5.
  4. Click the I confirm that the IAM User for the Datadog Integration has been added to the AWS Account checkbox.

  5. Enter your Account ID, AWS Access Key and AWS Secret Key.

  6. Click Save.

  7. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure.

AWS IAM permissions

AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events and other data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.

AWS integration IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetAccountInformation",
        "airflow:GetEnvironment",
        "airflow:ListEnvironments",
        "apigateway:GET",
        "appsync:ListGraphqlApis",
        "autoscaling:Describe*",
        "backup:List*",
        "batch:DescribeJobDefinitions",
        "batch:DescribeJobQueues",
        "batch:DescribeJobs",
        "batch:ListJobs",
        "bcm-data-exports:GetExport",
        "bcm-data-exports:ListExports",
        "budgets:ViewBudget",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codebuild:BatchGetProjects",
        "codebuild:ListProjects",
        "codedeploy:BatchGet*",
        "codedeploy:List*",
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListRecommendations",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dms:DescribeReplicationInstances",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "es:ListTags",
        "events:CreateEventBus",
        "fsx:DescribeFileSystems",
        "fsx:ListTagsForResource",
        "glue:BatchGetJobs",
        "glue:GetJob",
        "glue:GetJobs",
        "glue:ListJobs",
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails",
        "health:DescribeEvents",
        "iam:ListAccountAliases",
        "iot:GetV2LoggingOptions",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:DeleteSubscriptionFilter",
        "logs:DescribeDeliveries",
        "logs:DescribeDeliverySources",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeSubscriptionFilters",
        "logs:FilterLogEvents",
        "logs:GetDeliveryDestination",
        "logs:PutSubscriptionFilter",
        "logs:TestMetricFilter",
        "network-firewall:DescribeLoggingConfiguration",
        "network-firewall:ListFirewalls",
        "oam:ListAttachedLinks",
        "oam:ListSinks",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift-serverless:ListNamespaces",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "route53:List*",
        "route53resolver:ListResolverQueryLogConfigs",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:List*",
        "sns:Publish",
        "sqs:ListQueues",
        "ssm:GetServiceSetting",
        "ssm:ListCommands",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "support:DescribeTrustedAdvisor*",
        "support:RefreshTrustedAdvisorCheck",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "timestream:DescribeEndpoints",
        "trustedadvisor:ListRecommendationResources",
        "trustedadvisor:ListRecommendations",
        "wafv2:ListLoggingConfigurations",
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

  • Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
  • To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
  • AWS China accounts are not supported.
  • Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable Usage (AWS/Usage) metrics in the Metric Collection tab of the Datadog AWS integration page.