Tags: amazon-web-services, amazon-s3, amazon-iam, datadog, aws-iam-policy

DataDog CloudTrail integration missing ListObject permission


I installed the DataDog AWS CloudTrail Integration on my AWS account today (it creates a CloudFormation stack which creates, amongst other things, a Lambda that forwards logs from your CloudTrail logs in S3 onto your DataDog account).

After installing the integration I am seeing an error in the DataDog configuration screen:

<MY_AWS_ACCOUNT_ID>

management-events - aws-cloudtrail-logs-<redacted>-<redacted>

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

Does anybody have any idea what IAM Permissions I need to grant to the IAM Role that DataDog created (as part of this CF stack) so that it can ListObjects? I'm guessing this is an S3-related permission?

I see that the DataDog stack also created an S3 bucket for me called datadogintegration-forwarderstack-forwarderbucket-<redacted> and its current bucket policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::datadogintegration-forwarderstack-forwarderbucket-<redacted>",
                "arn:aws:s3:::datadogintegration-forwarderstack-forwarderbucket-<redacted>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

But I'm not sure if I need to make a change to this policy or an IAM permission or something else.

Can anyone spot where I'm going awry?


Solution

  • You would need to assign an appropriate policy to the IAM role created by CloudFormation.

    The flow would be:

    The policy will be this; add appropriate permissions if you need more access.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:GetObjectAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucketname>",
                    "arn:aws:s3:::<bucketname>/*"
                ],
                "Effect": "Allow"
            }
        ]
    }
    

    Side Note:

    You can always check the access of a role or service to a particular resource by using the AWS policy simulator.

    You can also do this using a bucket policy, but in my opinion

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT-A:role/xxxx"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-name/*"
                ]
            }
        ]
    }
    

    I use a bucket policy when I am about to face 3 situations like these, although it is your preference whether to choose an IAM policy or a bucket policy:

    Since your existing bucket policy enforces HTTPS, make sure to access the S3 bucket over HTTPS; otherwise you won't be able to access it.
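Two details in the answer are easy to get wrong, and the error message in the question already points at both: the `ListObjects` call that fails is the S3 API name for what IAM calls `s3:ListBucket`, and that action must be allowed on the bucket ARN itself (`arn:aws:s3:::<bucketname>`), not on `<bucketname>/*`, which only covers objects. The bucket in the error is the CloudTrail bucket (`aws-cloudtrail-logs-...`), so that is the name to put into the policy rather than the forwarder bucket the stack created. The script below is an added example, not DataDog's or AWS's code: a small offline evaluator that applies IAM's documented evaluation order (an explicit Deny wins, otherwise any matching Allow, otherwise implicit Deny) to the answer's identity policy plus the question's `AllowSSLRequestsOnly` statement, so the two mistakes can be seen without an AWS account. The role ARN, the account ID and the bucket name are made up, and it is an assumption that the CloudTrail bucket carries the same TLS-only Deny as the forwarder bucket.

```python
"""Offline check of the S3 permissions the DataDog forwarder role needs.

Added example, not DataDog's or AWS's code. Only the policy features used on the
page are modelled: Allow/Deny, Principal, Action and Resource wildcards, and the
Bool condition operator. All names below are hypothetical.
"""
import fnmatch

ROLE_ARN = "arn:aws:iam::123456789012:role/datadog-forwarder"   # hypothetical
CLOUDTRAIL_BUCKET = "aws-cloudtrail-logs-123456789012-example"  # hypothetical


def role_policy(bucket):
    """Identity policy from the answer: ListBucket on the bucket, Get* on its objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def objects_only_policy(bucket):
    """Common mistake: same actions, but only the object ARN, so ListBucket never matches."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl"],
        "Resource": [f"arn:aws:s3:::{bucket}/*"],
    }]}


def tls_only_bucket_policy(bucket):
    """The AllowSSLRequestsOnly statement from the question, assumed to also sit on the CloudTrail bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal_arn):
    if "Principal" not in stmt:      # identity policy: applies to the role it is attached to
        return True
    p = stmt["Principal"]
    if p == "*":
        return True
    return isinstance(p, dict) and principal_arn in _as_list(p.get("AWS", []))


def _condition_met(cond, ctx):
    """Only Bool is needed here; any other operator is treated as not met (conservative)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op != "Bool" or have is None or str(have).lower() != str(want).lower():
                return False
    return True


def evaluate(policies, principal_arn, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request: explicit Deny wins, then any Allow, else implicit Deny."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if not _principal_matches(stmt, principal_arn):
                continue
            # Action names are case-insensitive and may use * and ? wildcards; resource ARNs are case-sensitive.
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
                continue
            if "Condition" in stmt and not _condition_met(stmt["Condition"], ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def check_forwarder_access(identity_policy, bucket_policy, bucket, https=True):
    """What the forwarder does: ListObjects (IAM action s3:ListBucket on the bucket ARN), then GetObject."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    pols = [identity_policy, bucket_policy]
    obj = f"arn:aws:s3:::{bucket}/AWSLogs/123456789012/CloudTrail/example.json.gz"  # constructed key
    return {
        "ListBucket": evaluate(pols, ROLE_ARN, "s3:ListBucket", f"arn:aws:s3:::{bucket}", ctx),
        "GetObject": evaluate(pols, ROLE_ARN, "s3:GetObject", obj, ctx),
    }


if __name__ == "__main__":
    bp = tls_only_bucket_policy(CLOUDTRAIL_BUCKET)
    print("answer's policy, HTTPS:     ", check_forwarder_access(role_policy(CLOUDTRAIL_BUCKET), bp, CLOUDTRAIL_BUCKET))
    print("objects-only policy, HTTPS: ", check_forwarder_access(objects_only_policy(CLOUDTRAIL_BUCKET), bp, CLOUDTRAIL_BUCKET))
    print("answer's policy, plain HTTP:", check_forwarder_access(role_policy(CLOUDTRAIL_BUCKET), bp, CLOUDTRAIL_BUCKET, https=False))
```

Running it shows the answer's policy allowing both calls over HTTPS, the objects-only variant allowing GetObject but denying ListBucket (the AccessDenied from the question), and the TLS-only Deny overriding everything when the request is not over HTTPS. For the real role, the IAM policy simulator the answer mentions (`aws iam simulate-principal-policy`) gives the same verdicts against the policies actually attached.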