
Updates to iam policy for iam, kms, s3 and sns #47

Closed
@arcaven

Description


Describe the Feature

Datadog continues to improve cloud services observability with its AWS Integration. While their documentation on required and recommended IAM policies lags somewhat behind deployed functionality, Datadog users with CloudTrail ingestion can spot the not-yet-documented improvements as access-denied events.

Expected Behavior

DatadogAWSIntegration should not be generating access errors in CloudTrail logs except where users choose not to authorize Datadog to access specific APIs. DatadogAWSIntegration should collect all the information and signals needed to maximize its value to its user base, within the confines of whatever restrictions those users wish to place on this third-party access to the user's cloud computing environment.

Use Case

Allow DatadogAWSIntegration to provide observability to the maximum extent possible without exposing the AWS account owner to unexpected service fees, while generating the fewest errors in the CloudTrail logs.

Describe Ideal Solution

All safe and acceptable (to the AWS account owner) DatadogAWSIntegration actions that can deliver value should be allowed so that errors and security problems can be more readily identified. All specific permissions should be clearly defined for AWS account owners so that specific risk decisions can be made about each data point that is collected.

Alternatives Considered

The IAM policy document associated with the DatadogAWSIntegration could be expanded with more wildcard permissions, especially in the service:Get*, service:List* and service:Describe* APIs. This would produce a smaller, easier-to-maintain policy document, at the expense of hiding the details of what DatadogAWSIntegration can collect and tries to collect.

Additional Context

The following API calls have been observed as new behavior that is blocked by the existing version of this module's IAM policy document:

  • iam:GetAccountPasswordPolicy
  • iam:GetLoginProfile
  • iam:ListAttachedRolePolicies
  • kms:GetKeyRotationStatus
  • s3:GetAccountPublicAccessBlock
  • s3:GetBucketAcl
  • s3:GetBucketEncryption
  • s3:GetBucketPolicyStatus
  • s3:GetBucketWebsite
  • s3:GetBucketVersioning
  • sns:GetTopicAttributes

The official documentation from Datadog is out of date, but available here: https://docs.datadoghq.com/integrations/amazon_web_services/?tab=roledelegation#aws-iam-permissions
An issue proposing adding some of these to the documentation is open here: DataDog/cloudformation-template#51
