AWS Integration Multi-Account setup for AWS Organizations
This guide provides an overview of the process for setting up the AWS Integration with multiple accounts within an AWS Organization.
The CloudFormation StackSet template provided by Datadog automates the creation of the required IAM role and associated policies in every AWS account under an Organization or Organizational Unit (OU), and configures the accounts within Datadog, eliminating the need for manual setup. Once set up, the integration automatically starts collecting AWS metrics and events for you to start monitoring your infrastructure.
The Datadog CloudFormation StackSet performs the following steps:
- Deploys the Datadog AWS CloudFormation Stack in every account under an AWS Organization or Organizational Unit.
- Automatically creates the necessary IAM role and policies in the target accounts.
- Automatically initiates ingestion of AWS CloudWatch metrics and events from the AWS resources in the accounts.
- Optionally disables metric collection for the AWS infrastructure. This is useful for Cloud Cost Management (CCM) or Cloud Security Management Misconfigurations (CSM Misconfigurations) specific use cases.
- Optionally configures CSM Misconfigurations to monitor resource misconfigurations in your AWS accounts.
Note: The StackSet does not set up log forwarding in the AWS accounts. To set up logs, follow the steps in the Log Collection
Prerequisites
- Access to the management account: Your AWS user needs to be able to access the AWS management account.
- An account administrator has enabled Trusted Access with AWS Organizations: Refer to Enable trusted access with AWS Organizations to enable trusted access between StackSets and Organizations, so that stacks can be created and deployed using service-managed permissions.
To get started, go to the AWS Integration configuration page in Datadog and click Add AWS Account(s) -> Add Multiple AWS Accounts -> CloudFormation StackSet.
Click Launch CloudFormation StackSet. This opens the AWS Console and loads a new CloudFormation StackSet. Keep the default choice of Service-managed permissions on AWS.
Follow the steps below on the AWS console to create and deploy your StackSet:
Choose a Template
Copy the Template URL from the Datadog AWS integration configuration page to use in the Specify Template parameter in the StackSet.
Specify StackSet details
Select your Datadog API key on the Datadog AWS integration configuration page and use it in the DatadogApiKey parameter in the StackSet.
Select your Datadog APP key on the Datadog AWS integration configuration page and use it in the DatadogAppKey parameter in the StackSet.
a. Enable Cloud Security Management Misconfigurations (CSM Misconfigurations) to scan your cloud environment, hosts, and containers for misconfigurations and security risks.
b. Disable metric collection if you do not want to monitor your AWS infrastructure. This is recommended only for Cloud Cost Management (CCM) or CSM Misconfigurations specific use cases.
Configure StackSet options
Keep the Execution configuration option as Inactive so the StackSet performs one operation at a time.
Set deployment options
You can set your Deployment targets to deploy the Datadog integration across either an Organization or one or more Organizational Units.
Keep Automatic deployment enabled in order to automatically deploy the Datadog AWS Integration in new accounts that are added to the Organization or OU.
Under Specify regions, select a single region in which you’d like to deploy the integration in each AWS account.
NOTE: The StackSet creates global IAM resources that are not region specific. If multiple regions are selected in this step, the deployment fails.
Set the default settings under Deployment options to be sequential, so StackSets operations are deployed into one region at a time.
Go to the Review page and click Submit. This launches the creation process for the Datadog StackSet. This could take several minutes depending on how many accounts need to be integrated. Ensure that the StackSet successfully creates all resources before proceeding.
After the stacks are created, go back to the AWS integration config page in Datadog and click Done. It may take a few minutes to see metrics and events reporting from your newly integrated AWS accounts.
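The check that the StackSet created all resources before you click Done can be scripted. The sketch below is an added example, not Datadog's code: `audit_stackset`, `fetch_summaries` and the sample records are hypothetical and constructed, while the record fields follow the CloudFormation ListStackInstances response. It flags accounts with no stack instance (and therefore no Datadog IAM role), instances that are not `CURRENT`, and accounts deployed to more than one region.

```python
from collections import defaultdict

def audit_stackset(summaries, expected_accounts, management_account_id=None):
    """Compare StackSet instances against the accounts that should be covered.

    summaries: dicts shaped like the "Summaries" items returned by
    CloudFormation ListStackInstances (Account, Region, Status, StatusReason).
    """
    # Service-managed StackSets do not deploy to the management account itself.
    expected = set(expected_accounts) - {management_account_id}
    regions = defaultdict(set)
    not_current = {}
    for s in summaries:
        regions[s["Account"]].add(s["Region"])
        if s["Status"] != "CURRENT":  # OUTDATED or INOPERABLE
            key = f'{s["Account"]}/{s["Region"]}'
            not_current[key] = s.get("StatusReason", s["Status"])
    report = {
        "missing": sorted(expected - set(regions)),  # no role, no monitoring
        "not_current": not_current,                  # failed or pending stacks
        # The template creates global IAM resources: one region per account.
        "multi_region": sorted(a for a, r in regions.items() if len(r) > 1),
    }
    report["ready"] = not any(report.values())
    return report

def fetch_summaries(stack_set_name):
    """Live lookup; run with management-account credentials (requires boto3)."""
    import boto3
    pages = boto3.client("cloudformation").get_paginator(
        "list_stack_instances").paginate(StackSetName=stack_set_name)
    return [s for page in pages for s in page["Summaries"]]

# Constructed sample data, not taken from a real Organization.
SAMPLE = [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "constructed: role creation failed"},
    {"Account": "333333333333", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "333333333333", "Region": "eu-west-1", "Status": "INOPERABLE"},
]
EXPECTED = ["111111111111", "222222222222", "333333333333",
            "444444444444", "999999999999"]  # last one: management account

if __name__ == "__main__":
    for name, value in audit_stackset(SAMPLE, EXPECTED, "999999999999").items():
        print(name, value)
```

Feed `expected_accounts` from your own inventory of the Organization or OU; any account listed under `missing` is not being monitored.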
Enable integrations for individual AWS services
See the Integrations page for a full listing of the available sub-integrations that can be enabled on each monitored AWS account. Any sub-integration sending data to Datadog is automatically installed when data is received from the integration.
The StackSet does not set up log forwarding in the AWS accounts. To set up logs, follow the steps in the Log Collection
Uninstall AWS Integration
To uninstall the AWS integration from all AWS accounts and regions in an Organization, first delete all StackInstances and then the StackSet. Follow the steps outlined in Delete a stack set to delete the created StackInstances and StackSet.