Amazon Web Services

Docs > Integrations > Amazon Web Services

Overview

Connect to Amazon Web Services (AWS) to:

See automatic AWS status updates in your Events Explorer
Get CloudWatch metrics for EC2 hosts without installing the Agent
Tag your EC2 hosts with EC2-specific information
See EC2 scheduled maintenance events in your stream
Collect CloudWatch metrics and events from many other AWS products
See CloudWatch alarms in your Events Explorer

To quickly get started using the AWS integration, check out the AWS getting started guide.

Datadog’s Amazon Web Services integration collects logs, events, and most metrics from CloudWatch for over 90 AWS services.

Setup

Use one of the following methods to integrate your AWS accounts into Datadog for metric, event, tag, and log collection.

Automatic

CloudFormation (Best for quickly getting started) To set up the AWS integration with CloudFormation, see the the AWS getting started guide.
Terraform To set up the AWS integration with Terraform, see the AWS integration with Terraform.
Control Tower To set up the AWS integration when provisioning a new AWS account with Control Tower Account Factory, see the Control Tower setup guide.
Multi-Account setup for AWS Organizations To set up the AWS Integration for multiple accounts within an AWS Organization, see the AWS Organizations setup guide.

Manual

Role delegation To set up the AWS integration manually with role delegation, see the manual setup guide.
Access keys (GovCloud or China* Only) To set up the AWS integration with access keys, see the manual setup guide.
* All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the Restricted Service Locations section on our website.

Note: After setup is complete, you can configure integration settings (such as which AWS regions and integrations to collect data from) in the Datadog AWS integration page.

AWS IAM permissions

AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events and other data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.

AWS integration IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetAccountInformation",
        "airflow:GetEnvironment",
        "airflow:ListEnvironments",
        "apigateway:GET",
        "autoscaling:Describe*",
        "backup:List*",
        "bcm-data-exports:GetExport",
        "bcm-data-exports:ListExports",
        "budgets:ViewBudget",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codedeploy:BatchGet*",
        "codedeploy:List*",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "es:ListTags",
        "events:CreateEventBus",
        "fsx:DescribeFileSystems",
        "fsx:ListTagsForResource",
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails",
        "health:DescribeEvents",
        "iam:ListAccountAliases",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:DeleteSubscriptionFilter",
        "logs:DescribeDeliveries",
        "logs:DescribeDeliverySources",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeSubscriptionFilters",
        "logs:FilterLogEvents",
        "logs:GetDeliveryDestination",
        "logs:PutSubscriptionFilter",
        "logs:TestMetricFilter",
        "network-firewall:DescribeLoggingConfiguration",
        "network-firewall:ListFirewalls",
        "oam:ListAttachedLinks",
        "oam:ListSinks",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift-serverless:ListNamespaces",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "route53:List*",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "s3:PutBucketNotification",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:List*",
        "sns:Publish",
        "sqs:ListQueues",
        "ssm:GetServiceSetting",
        "ssm:ListCommands",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "support:DescribeTrustedAdvisor*",
        "support:RefreshTrustedAdvisorCheck",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "timestream:DescribeEndpoints",
        "wafv2:ListLoggingConfigurations",
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
AWS Govcloud and AWS China accounts are not currently supported.

Log collection

There are two ways of sending AWS service logs to Datadog:

Amazon Data Firehose destination: Use the Datadog destination in your Amazon Data Firehose delivery stream to forward logs to Datadog. It is recommended to use this approach when sending logs from CloudWatch in a very high volume.
Forwarder Lambda function: Deploy the Datadog Forwarder Lambda function, which subscribes to S3 buckets or your CloudWatch log groups and forwards logs to Datadog. Datadog also recommends you use this approach for sending logs from S3 or other resources that cannot directly stream data to Amazon Data Firehose.

Metric collection

There are two ways to send AWS metrics to Datadog:

Metric polling: API polling comes out of the box with the AWS integration. A metric-by-metric crawl of the CloudWatch API pulls data and sends it to Datadog. New metrics are pulled every ten minutes, on average.
Metric streams with Amazon Data Firehose: You can use Amazon CloudWatch Metric Streams and Amazon Data Firehose to see your metrics. Note: This method has a two to three minute latency, and requires a separate setup.

You can find a full list of the available sub-integrations on the Integrations page. Many of these integrations are installed by default when Datadog recognizes data coming in from your AWS account. See the AWS Integration Billing page for options to exclude specific resources for cost control.

Resource collection

Some Datadog products leverage information about how your AWS resources (such as S3 buckets, RDS snapshots, and CloudFront distributions) are configured. Datadog collects this information by making read-only API calls to your AWS account.

Note: If you use AWS CloudTrail or GuardDuty, there may be some associated costs. Datadog’s resource collection makes periodic calls to AWS APIs, which can increase CloudTrail log volume (affecting S3 storage costs) and may result in higher GuardDuty charges due to additional data being analyzed.

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
AWS Govcloud and AWS China accounts are not currently supported.

Resource types and permissions

The following sections list the resource types collected for different Datadog products, and the associated permissions required for the Datadog IAM role to collect data on your behalf. Add these permissions to your existing AWS integration IAM policy (with attached SecurityAudit policy).

Cloud Cost Management (CCM)

Resource Type	Permissions
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:instance	ec2:DescribeInstances

Cloudcraft

Resource Type	Permissions
aws:apigateway:api	apigateway:GET
aws:apigatewayv2:api	apigateway:GetApis, apigateway:GetRoutes
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:directconnect:connection	directconnect:DescribeConnections
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:ebs-encryption-by-default	ec2:GetEbsEncryptionByDefault
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:customergateway	ec2:DescribeCustomerGateways
aws:ec2:vpnconnection	ec2:DescribeVpnConnections
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:efs:mounttarget	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargetSecurityGroups, elasticfilesystem:DescribeMountTargets
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:eks:nodegroup	eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups
aws:elasticache:cachesubnetgroup	elasticache:DescribeCacheSubnetGroups
aws:elasticache:parametergroup	elasticache:DescribeCacheParameterGroups
aws:elasticache:replicationgroup	elasticache:DescribeReplicationGroups
aws:elasticache:securitygroup	elasticache:DescribeCacheSecurityGroups
aws:elasticache:snapshot	elasticache:DescribeSnapshots
aws:elasticache:user	elasticache:DescribeUsers
aws:elasticache:usergroup	elasticache:DescribeUserGroups
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:fsx:backup	fsx:DescribeBackups
aws:fsx:file-system	fsx:DescribeFileSystems
aws:glacier:vault	glacier:GetVaultNotifications, glacier:ListVaults
aws:keyspaces:keyspace	cassandra:Select
aws:kinesis:stream	kinesis:DescribeStreamSummary, kinesis:ListStreams
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:neptune:cluster	rds:DescribeDBClusters
aws:neptune:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:neptune:dbinstance	rds:DescribeDBInstances
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:rds:dbclusterparametergroup	rds:DescribeDBClusterParameterGroups
aws:rds:dbinstanceautomatedbackup	rds:DescribeDBInstanceAutomatedBackups
aws:rds:dbparametergroup	rds:DescribeDBParameterGroups
aws:rds:dbsubnetgroup	rds:DescribeDBSubnetGroups
aws:rds:eventsubscription	rds:DescribeEventSubscriptions
aws:rds:exporttask	rds:DescribeExportTasks
aws:rds:instance	rds:DescribeDBInstances
aws:rds:optiongroup	rds:DescribeOptionGroups
aws:rds:securitygroup	rds:DescribeDBSecurityGroups
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:rds:reserveddbinstance	rds:DescribeReservedDBInstances
aws:redshift:eventsubscription	redshift:DescribeEventSubscriptions
aws:redshift:parametergroup	redshift:DescribeClusterParameterGroups
aws:redshift:securitygroup	redshift:DescribeClusterSecurityGroups
aws:redshift:snapshot	redshift:DescribeClusterSnapshots, redshift:DescribeClusters
aws:redshift:subnetgroup	redshift:DescribeClusterSubnetGroups, redshift:DescribeClusters
aws:route53:hostedzone	route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones
aws:s3:bucket	s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets
aws:sns:subscription	sns:ListSubscriptions
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues
aws:ec2:subnet	ec2:DescribeSubnets
aws:timestreamwrite:table	timestream:ListTables
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:waf:acl	waf:GetWebACL, waf:ListWebACLs
aws:waf:rule	waf:GetRule, waf:ListRules
aws:waf:rulegroup	waf:GetRuleGroup, waf:ListRuleGroups
aws:wafregional:acl	waf-regional:GetWebACL, waf-regional:ListWebACLs
aws:wafregional:rule	waf-regional:GetRule, waf-regional:ListRules
aws:wafregional:rulegroup	waf-regional:GetRuleGroup, waf-regional:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs

Cloud Security Monitoring (CSM)

Resource Type	Permissions
aws:accessanalyzer:analyzer	access-analyzer:GetAnalyzer, access-analyzer:ListAnalyzers
aws:account:account	organizations:DescribeOrganization, account:GetAlternateContact, account:GetContactInformation, account:GetPrimaryEmail, organizations:ListAccounts
aws:acm:acm	acm:DescribeCertificate, acm:ListCertificates
aws:apigateway:api	apigateway:GET
aws:apigateway:integration	apigateway:GetMethod, apigateway:GetResources, apigateway:GET
aws:apigateway:stage	apigateway:GET, apigateway:GET
aws:apigatewayv2:api	apigateway:GetApis, apigateway:GetRoutes
aws:apigatewayv2:route	apigateway:GetApis, apigateway:GetRoutes
aws:apigatewayv2:stage	apigateway:GetApis, apigateway:GetStages
aws:applicationautoscaling:scalingactivity	applicationautoscaling:DescribeScalingActivities
aws:appsync:graphqlapi	appsync:GetGraphqlApi, appsync:ListGraphqlApis
aws:athena:workgroup	athena:GetWorkGroup, athena:ListWorkGroups
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:autoscaling:launchconfiguration	autoscaling:DescribeLaunchConfigurations
aws:backup:plan	backup:ListBackupPlans
aws:backup:recoverypoint	backup:ListBackupVaults, backup:ListRecoveryPointsByBackupVault
aws:cloudformation:stack	cloudformation:DescribeStacks, cloudformation:ListStacks
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:cloudtrail:trail	cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus
aws:cloudwatchlogs:metricfilter	logs:DescribeMetricFilters
aws:codebuild:project	codebuild:BatchGetProjects, codebuild:ListProjects
aws:cognitoidentity:identitypool	cognito-identity:DescribeIdentityPool, cognito-identity:GetIdentityPoolRoles, cognito-identity:ListIdentityPools
aws:cognitoidentityprovider:userpool	cognito-idp:DescribeUserPool, cognito-idp:ListIdentityProviders, cognito-idp:ListUserPools
aws:configservice:recorder	config:DescribeConfigurationRecorders
aws:configservice:recorderstatus	config:DescribeConfigurationRecorderStatus
aws:dms:endpoint	dms:DescribeEndpoints
aws:dms:replicationinstance	dms:DescribeReplicationInstances
aws:dms:replicationtask	dms:DescribeReplicationTasks
aws:dax:cluster	dax:DescribeClusters
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:ebs-encryption-by-default	ec2:GetEbsEncryptionByDefault
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:image	ec2:DescribeImageAttribute, ec2:DescribeImages
aws:ec2:vpnconnection	ec2:DescribeVpnConnections
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:launchtemplateversion	ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates
aws:ec2:networkacl	ec2:DescribeNetworkAcls
aws:ec2:networkinterface	ec2:DescribeNetworkInterfaces
aws:ec2:publicimage	ec2:DescribeImages
aws:ec2:region	ec2:DescribeRegions
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcflowlog	ec2:DescribeFlowLogs
aws:ec2:elasticip	ec2:DescribeAddresses
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:routetable	ec2:DescribeRouteTables
aws:ec2:client-vpn-endpoint	ec2:DescribeClientVpnEndpoints
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:ecs:task	ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:ecs:task-definition	ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:eks:nodegroup	eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups
aws:elasticache:replicationgroup	elasticache:DescribeReplicationGroups
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticbeanstalk:environment	elasticbeanstalk:DescribeConfigurationSettings, elasticbeanstalk:DescribeEnvironments
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:targetgroup	elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:emr:cluster	elasticmapreduce:DescribeCluster, elasticmapreduce:GetAutoTerminationPolicy, elasticmapreduce:GetManagedScalingPolicy, elasticmapreduce:ListClusters
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:iam:account	organizations:DescribeOrganization, iam:GetAccountPasswordPolicy, iam:GetAccountSummary
aws:iam:instanceprofile	iam:GetInstanceProfile, iam:ListInstanceProfiles
aws:iam:server-certificate	iam:ListServerCertificates
aws:iam:group	iam:GetGroup, iam:ListAttachedGroupPolicies, iam:ListGroups
aws:iam:groupinlinepolicy	iam:GetGroupPolicy, iam:ListGroupPolicies, iam:ListGroups
aws:iam:policy	iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies
aws:iam:role	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies
aws:iam:roleinlinepolicy	iam:GetAccountAuthorizationDetails
aws:iam:accesskeymetadata	iam:GetUser, iam:ListAccessKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:user	iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:userinlinepolicy	iam:GetUser, iam:GetUserPolicy, iam:ListUserPolicies, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:virtualmfadevice	iam:ListUsers, iam:ListVirtualMFADevices
aws:kinesis:stream	kinesis:DescribeStreamSummary, kinesis:ListStreams
aws:kms:alias	kms:GetKeyPolicy, kms:ListAliases
aws:kms:key	kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys
aws:lambda:eventsourcemapping	lambda:ListEventSourceMappings, lambda:ListFunctions
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:lightsail:instance	lightsail:GetInstancePortStates, lightsail:GetInstances
aws:cloudwatch:metricalarm	cloudwatch:DescribeAlarms
aws:cloudwatchlogs:metricfilter	logs:DescribeMetricFilters
aws:neptune:cluster	rds:DescribeDBClusters
aws:neptune:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:neptune:dbinstance	rds:DescribeDBInstances
aws:network-firewall:firewall	network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls
aws:opensearch:domain	es:DescribeDomain, es:ListDomainNames
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:rds:eventsubscription	rds:DescribeEventSubscriptions
aws:rds:instance	rds:DescribeDBInstances
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:redshift:cluster	redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus
aws:route53:hostedzone	route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones
aws:route53:resourcerecordset	route53:ListHostedZones, route53:ListResourceRecordSets
aws:route53domains:domain	route53domains:ListDomains
aws:s3:bucket	s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets
aws:s3control:accountpublicaccessblock	s3:GetBucketPublicAccessBlock
aws:sagemaker:notebookinstance	sagemaker:DescribeNotebookInstance, sagemaker:ListNotebookInstances
aws:secretsmanager:secret	secretsmanager:DescribeSecret, secretsmanager:GetResourcePolicy, secretsmanager:ListSecrets
aws:securityhub:hub	securityhub:DescribeHub
aws:sfn:statemachine	states:DescribeStateMachine, states:ListStateMachines
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues
aws:ssm:instance	ssm:DescribeInstanceInformation, ssm:ListComplianceItems
aws:ec2:subnet	ec2:DescribeSubnets
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListWebACLs
aws:wafv2:ipset	wafv2:GetIPSet, wafv2:ListIPSets
aws:wafv2:regexpatternset	wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets
aws:wafv2:rulegroup	wafv2:GetRuleGroup, wafv2:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs
aws:wafv2:ipset	wafv2:GetIPSet, wafv2:ListIPSets
aws:wafv2:regexpatternset	wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets
aws:wafv2:rulegroup	wafv2:GetRuleGroup, wafv2:ListRuleGroups
aws:iam:credentialreport	iam:GenerateCredentialReport, iam:GetCredentialReport

Cloud Network Monitoring (CNM)

Resource Type	Permissions
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ec2:egressonlyinternetgateway	ec2:DescribeEgressOnlyInternetGateways
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpcendpointconnectionnotification	ec2:DescribeVpcEndpointConnectionNotifications
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:network-firewall:firewall	network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls
aws:ec2:transitgateway	ec2:DescribeTransitGateways

Resource Catalog

Resource Type	Permissions
aws:acm:acm	acm:DescribeCertificate, acm:ListCertificates
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:cloudtrail:trail	cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:image	ec2:DescribeImageAttribute, ec2:DescribeImages
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:networkacl	ec2:DescribeNetworkAcls
aws:ec2:networkinterface	ec2:DescribeNetworkInterfaces
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:iam:account	organizations:DescribeOrganization, iam:GetAccountPasswordPolicy, iam:GetAccountSummary
aws:iam:server-certificate	iam:ListServerCertificates
aws:iam:policy	iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies
aws:iam:role	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies
aws:iam:user	iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:kms:key	kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:mq:broker	mq:DescribeBroker, mq:ListBrokers
aws:rds:instance	rds:DescribeDBInstances
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:redshift:cluster	redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus
aws:s3:bucket	s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets
aws:s3control:accountpublicaccessblock	s3:GetBucketPublicAccessBlock
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues

Upcoming releases

The permissions listed here reflect resources planned to be added within the next 30 days. Include these permissions in your existing AWS integration IAM policy (with attached SecurityAudit policy) to get the full benefits of Datadog’s resource coverage and tracking.

Permissions for upcoming releases

[
  "auditmanager:GetAssessment",
  "auditmanager:GetAssessmentFramework",
  "auditmanager:GetControl",
  "codeguru-profiler:ListFindingsReports",
  "codeguru-profiler:ListProfilingGroups",
  "codeguru-reviewer:ListCodeReviews",
  "codeguru-reviewer:ListRepositoryAssociations",
  "codeguru-security:GetFindings",
  "codeguru-security:GetScan",
  "codeguru-security:ListScans",
  "devicefarm:ListDeviceInstances",
  "devicefarm:ListDevicePools",
  "devicefarm:ListDevices",
  "devicefarm:ListInstanceProfiles",
  "devicefarm:ListNetworkProfiles",
  "devicefarm:ListRemoteAccessSessions",
  "devicefarm:ListTestGridProjects",
  "devicefarm:ListTestGridSessions",
  "devicefarm:ListUploads",
  "devicefarm:ListVPCEConfigurations",
  "frauddetector:DescribeDetector",
  "frauddetector:DescribeModelVersions",
  "frauddetector:GetBatchImportJobs",
  "frauddetector:GetBatchPredictionJobs",
  "frauddetector:GetDetectorVersion",
  "frauddetector:GetEntityTypes",
  "frauddetector:GetEventTypes",
  "frauddetector:GetExternalModels",
  "frauddetector:GetLabels",
  "frauddetector:GetListsMetadata",
  "frauddetector:GetModels",
  "frauddetector:GetOutcomes",
  "frauddetector:GetRules",
  "frauddetector:GetVariables",
  "gamelift:DescribeGameSessionQueues",
  "gamelift:DescribeMatchmakingConfigurations",
  "gamelift:DescribeMatchmakingRuleSets",
  "gamelift:ListAliases",
  "gamelift:ListContainerFleets",
  "gamelift:ListContainerGroupDefinitions",
  "gamelift:ListGameServerGroups",
  "gamelift:ListLocations",
  "gamelift:ListScripts",
  "greengrass:GetBulkDeploymentStatus",
  "greengrass:GetGroup",
  "iotfleetwise:GetCampaign",
  "iotfleetwise:GetSignalCatalog",
  "iotfleetwise:GetStateTemplate",
  "iotfleetwise:GetVehicle",
  "iotfleetwise:ListCampaigns",
  "iotfleetwise:ListDecoderManifests",
  "iotfleetwise:ListFleets",
  "iotfleetwise:ListSignalCatalogs",
  "iotfleetwise:ListStateTemplates",
  "iotfleetwise:ListVehicles",
  "lakeformation:GetDataLakeSettings",
  "lakeformation:ListPermissions",
  "refactor-spaces:ListApplications",
  "refactor-spaces:ListEnvironments",
  "refactor-spaces:ListRoutes",
  "refactor-spaces:ListServices",
  "textract:GetAdapter",
  "textract:GetAdapterVersion",
  "textract:ListAdapterVersions",
  "textract:ListAdapters",
  "workspaces-web:GetBrowserSettings",
  "workspaces-web:GetDataProtectionSettings",
  "workspaces-web:GetIdentityProvider",
  "workspaces-web:GetIpAccessSettings",
  "workspaces-web:GetNetworkSettings",
  "workspaces-web:GetTrustStore",
  "workspaces-web:GetUserAccessLoggingSettings",
  "workspaces-web:GetUserSettings",
  "workspaces-web:ListBrowserSettings",
  "workspaces-web:ListDataProtectionSettings",
  "workspaces-web:ListIdentityProviders",
  "workspaces-web:ListIpAccessSettings",
  "workspaces-web:ListNetworkSettings",
  "workspaces-web:ListPortals",
  "workspaces-web:ListTrustStores",
  "workspaces-web:ListUserAccessLoggingSettings",
  "workspaces-web:ListUserSettings"
]

Cloud Security

Setup

If you do not have the AWS integration set up for your AWS account, complete the set up process above. Ensure that you enable Cloud Security when mentioned.

Note: The AWS integration must be set up with Role delegation to use this feature.

To add Cloud Security to an existing AWS integration, follow the steps below to enable resource collection.

Provide the necessary permissions to the Datadog IAM role by attaching the AWS managed SecurityAudit policy to your Datadog AWS IAM role. You can find this policy in the AWS console.
Complete the setup in the Datadog AWS integration page with the steps below. Alternatively, you can use the Update an AWS Integration API endpoint.
1. Select the AWS account where you wish to enable resource collection.
2. On the Resource collection tab, click Enable next to Cloud Security. You are redirected to the Cloud Security Setup page, and a setup dialog automatically opens for the selected account.
3. On the setup dialog, switch the Enable Resource Scanning toggle to the on position.
4. Click Done to complete the setup.

Alarm collection

There are two ways to send AWS CloudWatch alarms to the Datadog Events Explorer:

Alarm polling: Alarm polling comes out of the box with the AWS integration and fetches metric alarms through the DescribeAlarmHistory API. If you follow this method, your alarms are categorized under the event source Amazon Web Services. Note: The crawler does not collect composite alarms.
SNS topic: You can see all AWS CloudWatch alarms in your Events Explorer by subscribing the alarms to an SNS topic, then forwarding the SNS messages to Datadog. To learn how to receive SNS messages as events in Datadog, see Receive SNS messages. If you follow this method, your alarms are categorized under the event source Amazon SNS.

Data Collected

Metrics


aws.logs.delivery_errors (count)	The number of log events for which CloudWatch Logs received an error when forwarding data to the subscription destination. Shown as event
aws.logs.delivery_throttling (count)	The number of log events for which CloudWatch Logs was throttled when forwarding data to the subscription destination. Shown as event
aws.logs.forwarded_bytes (gauge)	The volume of log events in compressed bytes forwarded to the subscription destination. Shown as byte
aws.logs.forwarded_log_events (count)	The number of log events forwarded to the subscription destination. Shown as event
aws.logs.incoming_bytes (gauge)	The volume of log events in uncompressed bytes uploaded to Cloudwatch Logs. Shown as byte
aws.logs.incoming_log_events (count)	The number of log events uploaded to Cloudwatch Logs. Shown as event
aws.usage.call_count (count)	The number of specified operations performed in your account Shown as operation
aws.usage.resource_count (count)	The number of specified resources in your account Shown as resource

Note: You can enable the collection of AWS custom metrics, as well as metrics from services that Datadog doesn’t have an integration for. See the AWS Integration and CloudWatch FAQ for more information.

Events

Events from AWS are collected on a per AWS-service basis. See your AWS service’s documentation to learn more about collected events.

Integration	Datadog Tag Keys
All	`region`
API Gateway	`apiid`, `apiname`, `method`, `resource`, `stage`
App Runner	`instance`, `serviceid`, `servicename`
Auto Scaling	`autoscalinggroupname`, `autoscaling_group`
Billing	`account_id`, `budget_name`, `budget_type`, `currency`, `servicename`, `time_unit`
CloudFront	`distributionid`
CodeBuild	`project_name`
CodeDeploy	`application`, `creator`, `deployment_config`, `deployment_group`, `deployment_option`, `deployment_type`, `status`
DirectConnect	`connectionid`
DynamoDB	`globalsecondaryindexname`, `operation`, `streamlabel`, `tablename`
EBS	`volumeid`, `volume-name`, `volume-type`
EC2	`autoscaling_group`, `availability-zone`, `image`, `instance-id`, `instance-type`, `kernel`, `name`, `security_group_name`
ECS	`clustername`, `servicename`, `instance_id`
EFS	`filesystemid`
ElastiCache	`cachenodeid`, `cache_node_type`, `cacheclusterid`, `cluster_name`, `engine`, `engine_version`, `preferred_availability-zone`, `replication_group`
ElasticBeanstalk	`environmentname`, `enviromentid`
ELB	`availability-zone`, `hostname`, `loadbalancername`, `name`, `targetgroup`
EMR	`cluster_name`, `jobflowid`
ES	`dedicated_master_enabled`, `ebs_enabled`, `elasticsearch_version`, `instance_type`, `zone_awareness_enabled`
Firehose	`deliverystreamname`
FSx	`filesystemid`, `filesystemtype`
Health	`event_category`, `status`, `service`
IoT	`actiontype`, `protocol`, `rulename`
Kinesis	`streamname`, `name`, `state`
KMS	`keyid`
Lambda	`functionname`, `resource`, `executedversion`, `memorysize`, `runtime`
Machine Learning	`mlmodelid`, `requestmode`
MQ	`broker`, `queue`, `topic`
OpsWorks	`stackid`, `layerid`, `instanceid`
Polly	`operation`
RDS	`auto_minor_version_upgrade`, `dbinstanceclass`, `dbclusteridentifier`, `dbinstanceidentifier`, `dbname`, `engine`, `engineversion`, `hostname`, `name`, `publicly_accessible`, `secondary_availability-zone`
RDS Proxy	`proxyname`, `target`, `targetgroup`, `targetrole`
Redshift	`clusteridentifier`, `latency`, `nodeid`, `service_class`, `stage`, `wlmid`
Route 53	`healthcheckid`
S3	`bucketname`, `filterid`, `storagetype`
SES	Tag keys are custom set in AWS.
SNS	`topicname`
SQS	`queuename`
VPC	`nategatewayid`, `vpnid`, `tunnelipaddress`
WorkSpaces	`directoryid`, `workspaceid`

Service Checks

aws.status

Returns CRITICAL if one or more AWS regions are experiencing issues. Returns OK otherwise.

Statuses: ok, critical

Troubleshooting

See the AWS Integration Troubleshooting guide to resolve issues related to the AWS integration.

Amazon Web Services

Overview

Setup

Automatic

Manual

AWS IAM permissions

AWS integration IAM policy

AWS resource collection IAM policy

Log collection

Metric collection

Resource collection

AWS resource collection IAM policy

Resource types and permissions

Cloud Cost Management (CCM)

Cloudcraft

Cloud Security Monitoring (CSM)

Cloud Network Monitoring (CNM)

Resource Catalog

Upcoming releases

Permissions for upcoming releases

Cloud Security

Setup

Alarm collection

Data Collected

Metrics

Events

Tags

Service Checks

Troubleshooting

Further Reading