Datadog can ingest AWS metrics and logs without needing extensive IAM permissions if you scope them correctly.

Here’s how to set up the Datadog AWS integration across multiple accounts, focusing on the principle of least privilege.

The Core Problem: Datadog Needs to See Your AWS Stuff

Datadog needs read-only access to specific AWS APIs to pull metrics, logs, and traces. The challenge is granting that access securely across potentially many AWS accounts without handing over carte blanche. The standard approach is an IAM role in each AWS account that Datadog's own AWS account is allowed to assume: Datadog never holds long-lived keys for your account, only the short-lived credentials that sts:AssumeRole returns.

The Datadog Side: The Integration Configuration

First, you’ll initiate the integration setup within Datadog. Navigate to Integrations -> Cloud Integrations, search for AWS, and click "Add Account."

Datadog will present you with two main options:

  1. Automatic Setup (Recommended): This uses CloudFormation or Terraform to deploy the necessary IAM roles and permissions in your AWS accounts. This is generally the easiest and most robust method.
  2. Manual Setup: You’ll manually create the IAM roles and policies in each AWS account. This gives you granular control but requires more effort.

Regardless of the setup method, Datadog shows you two values to use on the AWS side: Datadog's AWS account ID and a unique External ID. Datadog's account ID is the principal you allow in the role's trust policy, and the External ID is a shared secret that Datadog presents on every sts:AssumeRole call, so that only requests made on behalf of your Datadog org can assume the role. In return, you give Datadog the name (or ARN) of the role you create.

The AWS Side: Creating the IAM Role (Manual Setup Example)

Let’s walk through the manual setup for a single AWS account. You’ll repeat this for each account you want to integrate.

1. Create an IAM Policy for Datadog:

This policy defines what Datadog can read. Datadog publishes a recommended policy, and you can trim it to the services you actually monitor. For a basic setup you need read-only actions such as ec2:DescribeInstances, ec2:DescribeVolumes, cloudwatch:ListMetrics and cloudwatch:GetMetricStatistics, plus s3:ListBucket and s3:GetObject if Datadog reads logs out of S3, and more depending on the services you monitor. Note that the Describe, List and GetMetric actions do not support resource-level permissions, so their Resource has to be "*"; the S3 actions do, so scope them to the log buckets instead of granting object reads across the whole account.

Example Policy JSON (a subset for illustration, split into one statement for the API calls that require "*" and one for the log bucket; use Datadog's recommended policy for full coverage and replace <YOUR_LOG_BUCKET> with your bucket name):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeAndMetricReads",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LogBucketReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR_LOG_BUCKET>",
                "arn:aws:s3:::<YOUR_LOG_BUCKET>/*"
            ]
        }
    ]
}

2. Create an IAM Role:

In your AWS account, go to IAM -> Roles -> Create role.

  • Select trusted entity type: "Custom trust policy."

  • Paste the trust policy: This is crucial. It tells AWS who can assume this role. The trust policy names Datadog's AWS account as the principal and requires the External ID as a condition; both values come from the Datadog UI when you add your AWS account. It will look something like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<DATADOG_AWS_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<YOUR_UNIQUE_EXTERNAL_ID>"
                    }
                }
            }
        ]
    }
    
    • <DATADOG_AWS_ACCOUNT_ID>: This is the AWS account ID of Datadog's IAM entity, which Datadog provides. It is not your own account ID.
    • <YOUR_UNIQUE_EXTERNAL_ID>: This is a unique identifier Datadog generates for your integration. It prevents the confused deputy problem: another Datadog customer who learns your Role ARN cannot have Datadog assume it, because Datadog will present their External ID, not yours. You must use the exact External ID provided by Datadog.
  • Attach Permissions: Attach the IAM policy you created in step 1 to this role.

  • Name the Role: Give it a descriptive name, e.g., DatadogAWSIntegrationRole.

3. Get the Role ARN:

Once the role is created, copy its ARN (Amazon Resource Name). It will look like arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/DatadogAWSIntegrationRole.

4. Configure Datadog:

Back in Datadog, when prompted for the manual setup:

  • Role ARN: Paste the ARN you just copied.
  • External ID: Paste the unique External ID provided by Datadog.
  • Account ID: Enter your AWS Account ID.

Datadog then calls sts:AssumeRole on that ARN from its own AWS account, presenting the External ID, and starts collecting data with the temporary credentials it receives.
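To see what the two documents above actually decide, here is an added example (my own code, not Datadog's tooling) that models how STS evaluates the trust policy and lints the permission policy for least privilege. The account ID, External ID and bucket name are constructed placeholders; the real values come from the Datadog UI. It goes one step past the walkthrough by evaluating a trust policy with its Condition removed, which is the confused-deputy case the External ID exists to prevent, and by comparing the page's policy with a version whose S3 reads are scoped to one bucket.

```python
"""Offline model of the two IAM documents behind the Datadog role. Added example for
this post, not Datadog tooling; every ID below is a constructed placeholder."""
import copy
import re

DATADOG_ACCOUNT = "111111111111"  # constructed; use the account ID the Datadog UI shows
MY_EXTERNAL_ID = "a1b2c3d4e5f6"   # constructed; use the External ID the Datadog UI shows

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{DATADOG_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": MY_EXTERNAL_ID}},
}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _account_of(principal_arn):
    m = re.match(r"arn:aws:iam::(\d{12}):", principal_arn)
    return m.group(1) if m else None


def can_assume(trust_policy, caller_account, external_id=None):
    """Would STS let a caller in `caller_account` presenting `external_id` assume the role?
    Models Allow statements only (explicit Deny and the caller's own identity policy are
    out of scope). StringEquals on sts:ExternalId fails when the request carries no
    External ID at all, which is what shuts out a confused deputy."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_account not in {_account_of(p) for p in principals}:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id not in _as_list(wanted):
            continue
        return True
    return False


def confused_deputy_demo():
    """Another Datadog tenant who learns your Role ARN can point their integration at it.
    Datadog then calls AssumeRole from the same AWS account, but with THEIR External ID."""
    return {
        "you, correct id": can_assume(TRUST_POLICY, DATADOG_ACCOUNT, MY_EXTERNAL_ID),
        "other tenant via Datadog": can_assume(TRUST_POLICY, DATADOG_ACCOUNT, "ffffffffffff"),
        "non-Datadog account, right id": can_assume(TRUST_POLICY, "222222222222", MY_EXTERNAL_ID),
    }


def trust_without_external_id():
    """The same trust policy with its Condition removed: now the other tenant gets in."""
    weak = copy.deepcopy(TRUST_POLICY)
    del weak["Statement"][0]["Condition"]
    return can_assume(weak, DATADOG_ACCOUNT, "ffffffffffff")


# Permission-policy lint: only Describe/Get/List actions, no wildcards, and no
# s3:GetObject against every object in the account.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]*$")


def lint_permission_policy(policy):
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {a}")
            elif not READ_ONLY.match(a):
                findings.append(f"stmt {i}: non-read action {a}")
        if "s3:GetObject" in actions and "*" in resources:
            findings.append(f"stmt {i}: s3:GetObject on Resource * reads every object in "
                            "every bucket; scope it to the log buckets")
    return findings


PAGE_POLICY = {  # single-statement form of this post's policy, before scoping S3
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "ec2:DescribeVolumes", "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics", "s3:ListBucket", "s3:GetObject"]}],
}
SCOPED_POLICY = {  # Describe/List APIs need "*"; S3 reads pinned to a constructed log bucket
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:DescribeInstances", "ec2:DescribeVolumes",
            "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": [
            "arn:aws:s3:::example-log-bucket", "arn:aws:s3:::example-log-bucket/*"]},
    ],
}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}]}
```

Run `confused_deputy_demo()` and `trust_without_external_id()` side by side: with the Condition in place only your own External ID gets through, and with it removed any tenant who can make Datadog call AssumeRole on your ARN succeeds, even though the principal is still "Datadog's account". `lint_permission_policy(PAGE_POLICY)` flags exactly one thing, the object read on "*", and the scoped variant comes back clean.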

Multi-Account Strategy

For multiple accounts, you have two primary strategies:

  1. One IAM Role Per Account: This is the most common and secure. You create a DatadogAWSIntegrationRole (or similar) in each AWS account you want to integrate. Each role has the same policy but is associated with its own AWS account ID. You then add each account to Datadog with its respective Role ARN and External ID. This isolates permissions to individual accounts.

  2. Centralized Cross-Account Role (Less Common for Datadog): Some organizations keep a central "management" AWS account holding a role that can assume roles in every member account, the hub-and-spoke pattern used for internal tooling. It is a poor fit here: the Datadog integration is designed to assume a role directly in each monitored account, so the hub role adds a hop you have to operate yourself, and because the hub role reaches every account it becomes a single credential whose compromise exposes all of them. The per-account method is Datadog's standard recommendation.
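Once the role exists in many accounts, the question becomes whether every copy still matches what Datadog has. The following added example (my own code, not Datadog's) audits each account's role: trust policy pinned to Datadog's account, External ID equal to the one in the Datadog UI, and a permission policy actually attached. It assumes a hypothetical audit role named OrganizationAccountAccessRole that you can already assume in every member account, and it runs offline against a constructed fleet through a fake IAM client; the live loop in audit_all_accounts needs boto3 and credentials. The Datadog account ID and External ID are constructed placeholders.

```python
"""Audit the Datadog integration role across a fleet of accounts. Added example for
this post, not Datadog tooling. The fleet below is constructed; the live loop assumes
a hypothetical audit role you can already assume in every member account."""

DATADOG_ROLE_NAME = "DatadogAWSIntegrationRole"    # role name used on this page
AUDIT_ROLE_NAME = "OrganizationAccountAccessRole"  # assumption: exists in each member account
DATADOG_ACCOUNT = "111111111111"                   # constructed; use the value Datadog shows you
EXTERNAL_ID = "a1b2c3d4e5f6"                       # constructed; use the value Datadog shows you


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_trust_document(doc, datadog_account, external_id):
    """Pure check on a decoded trust policy; returns a list of problems (empty = good)."""
    expected = f"arn:aws:iam::{datadog_account}:root"
    problems, seen = [], False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen = True
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principals != [expected]:
            problems.append(f"principal {principals} is not [{expected}]")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition: confused-deputy exposure")
        elif ext != external_id:
            problems.append("sts:ExternalId does not match the value in the Datadog UI")
    if not seen:
        problems.append("no Allow sts:AssumeRole statement")
    return problems


def audit_role(iam, datadog_account, external_id, role_name=DATADOG_ROLE_NAME):
    """`iam` is a boto3 IAM client for one account, injected so the same code runs against
    the fake below. boto3 returns AssumeRolePolicyDocument already URL-decoded and parsed."""
    try:
        role = iam.get_role(RoleName=role_name)["Role"]
    except iam.exceptions.NoSuchEntityException:
        return {"arn": None, "problems": [f"role {role_name} not found"]}
    problems = check_trust_document(role["AssumeRolePolicyDocument"], datadog_account, external_id)
    attached = [p["PolicyName"] for p in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]]
    inline = iam.list_role_policies(RoleName=role_name)["PolicyNames"]
    if not attached and not inline:
        problems.append("no permission policy: Datadog can assume the role but will collect nothing")
    return {"arn": role["Arn"], "attached": attached, "inline": inline, "problems": problems}


def audit_all_accounts(account_ids, datadog_account=DATADOG_ACCOUNT, external_id=EXTERNAL_ID):
    """Live version: hop into each account through the audit role, then audit. Needs boto3
    and credentials; imported here so the offline fleet below works without it."""
    import boto3
    sts = boto3.client("sts")
    report = {}
    for acct in account_ids:
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{acct}:role/{AUDIT_ROLE_NAME}",
                                RoleSessionName="datadog-role-audit")["Credentials"]
        iam = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"]).client("iam")
        report[acct] = audit_role(iam, datadog_account, external_id)
    return report


# Constructed stand-in for a boto3 IAM client so the audit runs offline.
class _NoSuchEntity(Exception):
    pass


class FakeIAM:
    class exceptions:  # mirrors boto3's client.exceptions namespace
        NoSuchEntityException = _NoSuchEntity

    def __init__(self, account, roles):
        self.account, self.roles = account, roles

    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise _NoSuchEntity(RoleName)
        return {"Role": {"Arn": f"arn:aws:iam::{self.account}:role/{RoleName}",
                         "AssumeRolePolicyDocument": self.roles[RoleName]["trust"]}}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": n} for n in self.roles[RoleName]["attached"]]}

    def list_role_policies(self, RoleName):
        return {"PolicyNames": self.roles[RoleName].get("inline", [])}


def _trust(external_id=EXTERNAL_ID, principal_account=DATADOG_ACCOUNT):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLE_FLEET = {  # constructed: one healthy account and three typical breakages
    "222222222222": FakeIAM("222222222222", {DATADOG_ROLE_NAME: {"trust": _trust(), "attached": ["DatadogIntegrationPolicy"]}}),
    "333333333333": FakeIAM("333333333333", {DATADOG_ROLE_NAME: {"trust": _trust("stale-external-id"), "attached": ["DatadogIntegrationPolicy"]}}),
    "444444444444": FakeIAM("444444444444", {DATADOG_ROLE_NAME: {"trust": _trust(None), "attached": []}}),
    "555555555555": FakeIAM("555555555555", {}),
}


def audit_sample_fleet():
    return {acct: audit_role(iam, DATADOG_ACCOUNT, EXTERNAL_ID) for acct, iam in SAMPLE_FLEET.items()}
```

`audit_sample_fleet()` reports the first account clean, the second with a stale External ID (the mismatch that most often breaks a working integration after someone re-creates the role by hand), the third with no Condition at all and no policy attached, and the fourth with the role missing. Pointing `audit_all_accounts` at your real account list gives the same report for the live fleet, which is worth running on a schedule since nothing in AWS alerts you when a trust policy drifts.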

Key Takeaways and Troubleshooting

  • External ID is Critical: If the principal in the trust policy is right but the integration still fails, the most common cause is an External ID mismatch. AWS reports it as AccessDenied on sts:AssumeRole, the same error you get for a wrong principal, so compare the value in the trust policy with the one in the Datadog UI character by character.
  • Policy Scope: Be precise with your IAM policies. Datadog publishes a comprehensive policy; if you customize it, make sure every Action and Resource the services you monitor need is present. The Describe, List and GetMetric actions have to be on Resource "*", but if you read logs from S3, pin s3:GetObject and s3:ListBucket to the log buckets rather than "*".
  • Role Assumption: Datadog calls sts:AssumeRole on the Role ARN from its own AWS account, presenting the External ID. The trust policy decides whether that call succeeds; the permission policy attached to the role decides what the resulting temporary credentials can read.
  • Datadog Account ID: Make sure the principal in the trust policy is the Datadog AWS account ID shown in the Datadog UI, not your own account ID.
  • Credential Expiry: IAM roles do not expire, but the temporary credentials that sts:AssumeRole returns do (the default session is one hour), so Datadog re-assumes the role on a schedule. A working integration therefore breaks later if the trust policy is edited, the role is deleted, or its permission policy is detached.

The next thing you’ll likely encounter is configuring Datadog to collect logs from S3 buckets, which requires specific S3 bucket policies and ensuring your logs are formatted correctly.
