Overview
Use AWS Identity and Access Management (IAM) Access Analyzer across your AWS account to continuously analyze the IAM permissions granted by any of your account's policies. Datadog integrates with IAM Access Analyzer through a Lambda function that ships the analyzer's findings to Datadog as logs.
Additionally, if you use Cloud Security, Datadog sends IAM Access Analyzer findings to Cloud Security Identity Risks, so you can use Access Analyzer's unused-access findings to recommend downsized policies and enrich permissions-gap detections. This also lets you extend the time frame beyond Datadog's usual permissions-gap detections, which cover 90 days, by configuring Access Analyzer to analyze a longer period (for example, 180 or 360 days).
Setup
Log collection
If you haven’t already, set up the Datadog Forwarder Lambda function.
In Amazon EventBridge, create a new rule with the rule type Rule with an event pattern.
For the event source configuration, select Other. For Creation method, select Custom pattern (JSON editor). For Event pattern, copy and paste the following JSON:
{
"source": ["aws.access-analyzer"]
}
Select AWS service to use as the target type. Select Lambda function as the target and select the Datadog Forwarder Lambda or enter the ARN.
Save your rule.
Once IAM Access Analyzer runs and produces findings, the resulting events are picked up by the Datadog Forwarder Lambda and tagged with source:access-analyzer. See the Log Explorer to start exploring your logs.
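The steps above wire the rule up in the console. The following is an added example, not Datadog's or AWS's own code, that does the same with the EventBridge and Lambda APIs and lets you sanity-check the event pattern offline against sample events before deploying. It assumes the rule name, Forwarder ARN and region you pass in, and the narrower ACTIVE-only pattern relies on the field names of the "Access Analyzer Finding" event shape (detail-type and detail.status) that AWS documents; the sample events are constructed, not captured from an account, and the boto3 calls are only run when you invoke configure_forwarding with credentials.

```python
"""Added example (not Datadog's code): build, sanity-check, and deploy the
EventBridge rule that routes IAM Access Analyzer findings to the Forwarder."""
import json

# The event pattern from the setup steps above. Every top-level key is a
# constraint; a list means "any of these values".
ACCESS_ANALYZER_PATTERN = {"source": ["aws.access-analyzer"]}

# Narrower variant (assumption: you only want live findings, not ones that were
# archived or resolved). Field names follow the "Access Analyzer Finding" event
# shape AWS documents; confirm against a real event from your own account.
ACTIVE_FINDINGS_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {"status": ["ACTIVE"]},
}


def matches_pattern(pattern, event):
    """Offline approximation of EventBridge matching for exact-value patterns.

    For each key in the pattern the event must carry that key; a list of values
    matches if the event's value equals any of them (case-sensitive), and a
    nested dict recurses. Numeric, prefix and anything-but matchers are not
    modelled, so keep test patterns to plain value lists.
    """
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches_pattern(wanted, actual):
                return False
        elif actual not in wanted:
            return False
    return True


# Constructed sample events in the EventBridge envelope shape (not captured
# from a real account; detail fields trimmed to what the patterns inspect).
SAMPLE_ACTIVE_FINDING = {
    "version": "0",
    "source": "aws.access-analyzer",
    "detail-type": "Access Analyzer Finding",
    "region": "us-east-1",
    "detail": {"status": "ACTIVE", "resourceType": "AWS::S3::Bucket", "isPublic": True},
}
SAMPLE_ARCHIVED_FINDING = {**SAMPLE_ACTIVE_FINDING, "detail": {"status": "ARCHIVED"}}
SAMPLE_OTHER_SERVICE = {**SAMPLE_ACTIVE_FINDING, "source": "aws.guardduty",
                        "detail-type": "GuardDuty Finding"}


def configure_forwarding(rule_name, forwarder_arn, region, pattern=ACCESS_ANALYZER_PATTERN):
    """Create the rule, attach the Forwarder as its target, and grant invoke rights.

    Needs boto3 and AWS credentials, so it is not exercised offline. The console
    adds the Lambda resource policy for you when you pick a Lambda target, but
    the API does not: without the add_permission call the rule still matches and
    every invocation fails with an access-denied error in the rule's metrics.
    """
    import boto3  # imported here so the matcher above works without boto3

    events = boto3.client("events", region_name=region)
    lam = boto3.client("lambda", region_name=region)
    rule_arn = events.put_rule(
        Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED",
        Description="Route IAM Access Analyzer findings to the Datadog Forwarder",
    )["RuleArn"]
    events.put_targets(Rule=rule_name,
                       Targets=[{"Id": "datadog-forwarder", "Arn": forwarder_arn}])
    lam.add_permission(
        FunctionName=forwarder_arn, StatementId=f"{rule_name}-invoke",
        Action="lambda:InvokeFunction", Principal="events.amazonaws.com",
        SourceArn=rule_arn,
    )
    return rule_arn


if __name__ == "__main__":
    for name, ev in [("active", SAMPLE_ACTIVE_FINDING),
                     ("archived", SAMPLE_ARCHIVED_FINDING),
                     ("guardduty", SAMPLE_OTHER_SERVICE)]:
        print(name, matches_pattern(ACCESS_ANALYZER_PATTERN, ev),
              matches_pattern(ACTIVE_FINDINGS_PATTERN, ev))
```

Run the script as-is to see which constructed events each pattern admits; the broad pattern from the setup steps forwards archived and resolved findings too, which is usually what you want for an audit trail, while the narrower pattern keeps only active ones. To deploy, call configure_forwarding with your rule name, the Forwarder's ARN and the region; the add_permission step is the one most often missed when the rule is created outside the console.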
Data Collected
Metrics
This integration does not include any metrics.
Service Checks
This integration does not include any service checks.
Logs
This integration can be configured to send logs.
Events
This integration does not include any events.
Troubleshooting
Need help? Contact Datadog support.