Missing permissions for `DatadogIntegrationRole`

[mdupras]

Expected Behavior

When we install the Datadog CloudFormation template, we don't have to add more roles to the datadog policy.

Actual Behavior

We have to manually add some missing permissions.

Steps to Reproduce the Problem

1. Enabled Cloud SIEM in Datadog
2. Monitor Cloudtrails logs
3. Look at Datadog AccessDenied from the Cloudtrails logs.

Specifications

• Datadog CloudFormation template version: Latest?

Stacktrace

I have bunch of error, but to get a sample :

assumed-role/DatadogIntegrationRole/DatadogAWSIntegration is not authorized to perform: kms:GetKeyRotationStatus

Solution

Add the missing permissions to this file :
https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml#L96

So far I've seen the template is missing the following permissions:

• kms:GetKeyRotationStatus
• s3:GetAccountPublicAccessBlock
• s3:GetBucketPolicyStatus
• s3:GetBucketEncryption
• s3:GetBucketAcl
• s3:GetBucketPublicAccessBlock
• s3:GetBucketVersioning
• sns:GetTopicAttributes
• iam:GetAccountPasswordPolicy
• iam:GetLoginProfile
• iam:ListAttachedRolePolicies
• support:RefreshTrustedAdvisorCheck

[RaphaelAllier]

Hello,

I believe the missing permissions are now added to the role, therefore I'll close this issue.
I also wanted to point out that most of these permissions are used by our crawlers to audit an AWS account and are part of the AWS SecurityAudit policy. We require to attach this policy to the integration role in order to use most of our security products (documentation).
Let us know if you a similar issue reoccurs