
How to restrict, select or filter AWS regions in Datadog for AWS integration?


Is there any way to restrict, select or filter AWS regions in Datadog for AWS integration?

I know that we can filter resources on the basis of tags, but not all resources across the AWS services have a tag with the region specified. Also, there are more than 25 AWS accounts, so adding that tag to all the resources in all the AWS services used would be a very long and tedious task.

Is there any quick way to do it?

The reason we need this is to reduce the cost of the Get API calls made by Datadog across all AWS regions in all AWS accounts. Also, we don't want to give Datadog unnecessary access to other AWS regions.


Solution

  • There are 2 things you need to do to achieve this:

    1. Add the region to be allowed in the AWS IAM role used by Datadog, using a condition in its AWS IAM policy as follows:

        "Condition": {
            "StringEquals": {
                "aws:RequestedRegion": "eu-central-1"
            }
        }

    2. Add a list of regions to be excluded in the Datadog Integration for AWS using a cURL command as follows:

        export DD_API_KEY="*************"
        export DD_APP_KEY="*************"
        export AWS_ROLE_NAME="IAM-Role-Datadog"
        export AWS_ACCOUNT_ID="12345678901"

        # Updates the AWS integration config for this account/role; the regions listed
        # in excluded_regions are the ones Datadog will not collect from.
        curl -X PUT "https://api.datadoghq.com/api/v1/integration/aws?account_id=${AWS_ACCOUNT_ID}&role_name=${AWS_ROLE_NAME}" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "DD-API-KEY: ${DD_API_KEY}" \
        -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
        -d @- << EOF
        {
          "account_id": "${AWS_ACCOUNT_ID}",
          "cspm_resource_collection_enabled": false,
          "excluded_regions": [
            "ap-northeast-1",
            "ap-northeast-2",
            "ap-northeast-3",
            "ap-south-1",
            "ap-southeast-1",
            "ap-southeast-2",
            "ca-central-1",
            "eu-central-1",
            "eu-north-1",
            "eu-west-1",
            "eu-west-2",
            "eu-west-3",
            "sa-east-1",
            "us-west-1"
          ],
          "metrics_collection_enabled": true,
          "resource_collection_enabled": false,
          "role_name": "${AWS_ROLE_NAME}"
        }
        EOF
    

    Further Elaboration: The 2nd step is enough, but there could be a case where a new AWS account is added from the Datadog console/GUI and you forget to add the excluded regions, because you cannot specify the excluded regions in the Datadog console/GUI; you have to use the Datadog API for that purpose. So the 1st step can help identify an AWS account whose configuration is missing the excluded regions, as the Datadog Integration for AWS will show an error about access to those regions not being allowed. The 1st step also adds an extra layer of security.
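The two controls in the answer (the `aws:RequestedRegion` condition on the IAM role and the `excluded_regions` list sent to `PUT /api/v1/integration/aws`) express the same intent in opposite directions: one is an allow-list, the other a deny-list. Keeping them consistent across 25+ accounts by hand is where mistakes creep in, so the script below, an added example that is not part of the original question or answer, derives both from a single allow-list and audits an existing pair for disagreements. The region universe `ALL_REGIONS` is a constructed, partial list of real region codes used only to make the example self-contained; in practice you would take it from `ec2:DescribeRegions` or the AWS documentation. `ANSWER_EXCLUDED` is the exclusion list from the answer above; running `audit()` over it together with the answer's single-region IAM condition shows how the two lists disagree under that assumed universe.

```python
import json

# Constructed, partial universe of AWS region codes for this example (an assumption, not
# data from the page). A real audit would pull the list from ec2:DescribeRegions.
ALL_REGIONS = [
    "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1",
    "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1",
    "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1",
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
]

# The excluded_regions list exactly as it appears in the answer's curl payload.
ANSWER_EXCLUDED = [
    "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1",
    "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1",
    "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1",
    "us-west-1",
]


def iam_region_condition(allowed_regions):
    """Condition block restricting the Datadog role to the allowed regions.

    StringEquals on aws:RequestedRegion accepts a list, so several regions can be
    allowed in one statement. Attach it to the role's permission statements.
    """
    return {"StringEquals": {"aws:RequestedRegion": sorted(allowed_regions)}}


def datadog_excluded_regions(allowed_regions, all_regions=ALL_REGIONS):
    """Complement of the allow-list: every region Datadog should not poll."""
    allowed = set(allowed_regions)
    unknown = allowed - set(all_regions)
    if unknown:
        # A typo here would silently become a region that is neither allowed nor excluded.
        raise ValueError(f"unknown region(s) in allow-list: {sorted(unknown)}")
    return sorted(set(all_regions) - allowed)


def datadog_payload(account_id, role_name, allowed_regions):
    """Body for PUT /api/v1/integration/aws, shaped like the answer's curl payload."""
    return {
        "account_id": account_id,
        "role_name": role_name,
        "excluded_regions": datadog_excluded_regions(allowed_regions),
        "metrics_collection_enabled": True,
        "resource_collection_enabled": False,
        "cspm_resource_collection_enabled": False,
    }


def audit(iam_condition, dd_excluded_regions, all_regions=ALL_REGIONS):
    """Compare the IAM allow-list with the Datadog deny-list.

    iam_only: allowed by IAM but excluded in Datadog, so never polled (a wasted grant).
    dd_only:  polled by Datadog but denied by IAM, so the integration reports access
              errors for those regions (the symptom described in the answer).
    """
    iam_allowed = iam_condition["StringEquals"]["aws:RequestedRegion"]
    if isinstance(iam_allowed, str):  # IAM accepts a bare string or a list
        iam_allowed = [iam_allowed]
    iam_allowed = set(iam_allowed)
    dd_polled = set(all_regions) - set(dd_excluded_regions)
    return {
        "iam_only": sorted(iam_allowed - dd_polled),
        "dd_only": sorted(dd_polled - iam_allowed),
    }


if __name__ == "__main__":
    allow = ["eu-central-1"]
    print(json.dumps({"Condition": iam_region_condition(allow)}, indent=2))
    # Account id below is a constructed placeholder, not a real account.
    print(json.dumps(datadog_payload("123456789012", "IAM-Role-Datadog", allow), indent=2))
    # Audit the answer's own pair of lists under the assumed region universe.
    print(audit({"StringEquals": {"aws:RequestedRegion": "eu-central-1"}}, ANSWER_EXCLUDED))
```

Feed the `datadog_payload()` output to the answer's `curl -X PUT` call (or loop over your accounts and send one payload each) so every account gets the same exclusion list, and run `audit()` against the live role policy and integration config when the integration starts reporting region access errors.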