diff --git a/content/en/integrations/guide/aws-manual-setup.md b/content/en/integrations/guide/aws-manual-setup.md index dd5b883a13412..6a3ae5f3c5dcd 100644 --- a/content/en/integrations/guide/aws-manual-setup.md +++ b/content/en/integrations/guide/aws-manual-setup.md @@ -53,7 +53,7 @@ To set up the AWS integration manually, create an IAM policy and IAM role in you {{< site-region region="gov" >}}
- Setting up S3 Log Archives using Role Delegation is currently in limited availability. Contact Datadog Support to request this feature in your Datadog for Government account. + Setting up S3 Log Archives using Role Delegation is in limited availability. Contact Datadog Support to request this feature in your Datadog for Government account.
{{< /site-region >}} @@ -61,7 +61,7 @@ To set up the AWS integration manually, create an IAM policy and IAM role in you ### Generate an external ID -1. In the [AWS integration configuration page][1], click **Add AWS Account**, and then select **Manually**. +1. In the [AWS integration configuration page][1], click **Add AWS Account(s)**, and then select **Manually**. 2. Choose which AWS partition your AWS account is scoped to. The partition is either `aws` for commercial regions, `aws-cn` for China*, or `aws-us-gov` for GovCloud. See [Partitions][9] in the AWS documentation for more information. {{< site-region region="us,us3,us5,eu,ap1" >}} 3. Select `Role Delegation` for the access type. Role delegation is only supported for AWS accounts scoped to AWS commercial regions. 
@@ -70,60 +70,62 @@ To set up the AWS integration manually, create an IAM policy and IAM role in you 3. Select `Role Delegation` for the access type. Role delegation is only supported for AWS accounts scoped to AWS commercial or AWS GovCloud regions. {{< /site-region >}} 4. Copy the `AWS External ID`. For more information about the external ID, read the [IAM User Guide][2]. - **Note**: The External ID remains available and is not regenerated for 48 hours, unless explicitly changed by a user or another AWS account is added to Datadog during this period. You can return to the **Add New AWS Account** page within that time period to complete the process of adding an account without the External ID changing. + **Note**: The External ID remains available and is not regenerated for 48 hours, unless explicitly changed by a user or another AWS account is added to Datadog during this period. You can return to the **Add AWS Account(s)** page within that time period to complete the process of adding an account without the External ID changing. -### AWS IAM role for Datadog -Create an IAM role for Datadog to use the permissions defined in the IAM policy. +### Create a Datadog integration IAM role -5. Create a role in the AWS [IAM Console][4]. -6. Select **AWS account** for the trusted entity type, and **Another AWS account**. +Datadog assumes this role to collect data on your behalf. + +1. Go to the AWS [IAM Console][4] and click `Create role`. +2. Select **AWS account** for the trusted entity type, and **Another AWS account**. {{< site-region region="us,us3,us5,eu" >}} -7. Enter `464622532012` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. +3. Enter `464622532012` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. {{< /site-region >}} {{< site-region region="ap1" >}} -8. Enter `417141415827` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. 
+3. Enter `417141415827` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. {{< /site-region >}} {{< site-region region="gov" >}} -8. If the AWS account you want to integrate is a GovCloud account, enter `065115117704` as the `Account ID`, otherwise enter `392588925713`. This is Datadog's account ID, and grants Datadog access to your AWS data. +3. If the AWS account you want to integrate is a GovCloud account, enter `065115117704` as the `Account ID`, otherwise enter `392588925713`. This is Datadog's account ID, and grants Datadog access to your AWS data. {{< /site-region >}} -9. Select **Require external ID** and enter the external ID copied in the [Generate an external ID](#generate-an-external-id) section. -Ensure to leave `Require MFA` disabled. For more details, see the [How to use an external ID when granting access to your AWS resources to a third party][2] AWS documentation. -10. Click **Next**. -11. If you've already created the policy, search for it on this page and select it. Otherwise, click **Create Policy**, which opens in a new window, and follow the instructions from the previous section. -12. Attach the AWS SecurityAudit Policy to the role to enable [resource collection][5]. -13. Click **Next**. -14. Give the role a name such as `DatadogIntegrationRole`, as well as an apt description. -15. Click **Create Role**. - -### AWS IAM Policy for Datadog -Create an inline IAM policy with the [necessary permissions](#aws-integration-iam-policy) and link it to Datadog's integration role in your AWS account to take advantage of every AWS integration offered by Datadog. As other components are added to an integration, these permissions may change. - -16. Navigate back to the created role in the AWS [IAM Console][3]. -17. Click **Add permissions**. -18. Select **Create inline policy**. -19. Select the **JSON** tab. Paste the [permission policies](#aws-integration-iam-policy) in the textbox.
+4. Select **Require external ID** and enter the external ID copied in the previous section. +Leave `Require MFA` disabled. For more details, see the [How to use an external ID when granting access to your AWS resources to a third party][2] AWS documentation. +5. Click **Next**. +6. To enable [resource collection][5], attach the AWS SecurityAudit Policy to the role. +7. Click **Next**. +8. Give the role a name such as `DatadogIntegrationRole`. Optionally, provide a description and add tags to the role. +9. Click **Create Role**. + +### Create an inline IAM policy for the Datadog integration role + +This policy defines the permissions necessary for the Datadog integration role to collect data for every AWS integration offered by Datadog. These permissions may change as new AWS services are added to this integration. + +1. Select the Datadog integration role on the [IAM roles page][4]. +2. Click **Add permissions**, and select **Create inline policy**. +3. Select the **JSON** tab. +4. Paste the [permission policies](#aws-integration-iam-policy) in the textbox.
**Note**: Optionally, you can add [Condition][7] elements to the IAM policy. For example, conditions can be used to [restrict monitoring to certain regions][8]. -20. Name the policy `DatadogIntegrationPolicy` or one of your own choosing, and provide an apt description. -21. Click **Create policy**. - +5. Click **Next**. +6. Give the policy a name such a `DatadogIntegrationPolicy`. +7. Click **Create policy**. ### Complete the setup in Datadog -22. Return to the AWS integration configuration page for manually adding an account in Datadog that you had open in another tab. Click the checkbox to confirm the Datadog IAM role was added to the AWS account. -23. Enter the account ID **without dashes**, for example: `123456789012`. Your Account ID can be found in the ARN of the role created for Datadog. -24. Enter the name of the role created in the previous section, and click **Save**. - **Note**: The role name you enter in the integration tile is case sensitive and must exactly match the role name in AWS. -25. If there is a [Datadog is not authorized to perform sts:AssumeRole][6] error, follow the troubleshooting steps recommended in the UI, or read the [troubleshooting guide][6]. -26. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure. +1. Return to the manual setup section of the [AWS integration configuration page][1]. +2. Click the `I confirm that the Datadog IAM Role has been added to the AWS Account` checkbox. +3. In the **Account ID** section, enter your account ID **without dashes**; for example, `123456789012`. You can find the account ID in the ARN of the Datadog integration role, which follows the format `arn:aws:iam:::role/`. +4. In the **AWS Role Name** section, enter the name of the Datadog integration role previously created. + **Note**: The role name is case sensitive and must exactly match the role name in AWS. +5. Click **Save**. +6. 
Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS Overview Dashboard to see metrics sent by your AWS services and infrastructure. + +
If there is a Datadog is not authorized to perform sts:AssumeRole error, follow the troubleshooting steps recommended in the UI, or read the troubleshooting guide.
*\* All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the [Restricted Service Locations][10] section on our website.* [1]: https://app.datadoghq.com/integrations/amazon-web-services [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html -[3]: https://console.aws.amazon.com/iam/home#/policies [4]: https://console.aws.amazon.com/iam/home#/roles [5]: /integrations/amazon_web_services/#resource-collection -[6]: /integrations/guide/error-datadog-not-authorized-sts-assume-role/ [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html [8]: https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/ [9]: https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html
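Review bot: in the @@ -70 hunk, the added line `+6. Give the policy a name such a `DatadogIntegrationPolicy`.` has a typo ("such a" should be "such as"), and the added ARN example in the Account ID step, `arn:aws:iam:::role/`, shows no placeholder for the account ID or the role name as rendered here, so readers cannot see where the 12-digit ID sits in the ARN; suggest writing explicit placeholders such as `arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME` in a form the site renderer will not strip. Two further points in the same hunk: the last added step is split as `+6. ` followed by "Wait up to 10 minutes for data to start being collected..." on a new line, so the numbered item renders with an empty body; and the removed step `-25. If there is a [Datadog is not authorized to perform sts:AssumeRole][6] error...` together with `-[6]: /integrations/guide/error-datadog-not-authorized-sts-assume-role/` leaves the sts:AssumeRole troubleshooting text without a link to the troubleshooting guide, so either restore the reference or confirm that whatever now supplies that paragraph carries the link.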