cloudformation-datadog-ctblueprints

Datadog AWS Integration Blueprint

For use in deploying Datadog’s AWS Integration in a new AWS account with AWS Control Tower Account Factory Customization.

Datadog is the essential monitoring and security platform for cloud applications. We bring together end-to-end traces, metrics, and logs to make your applications, infrastructure, and third-party services entirely observable. These capabilities help businesses secure their systems, avoid downtime, and ensure customers are getting the best user experience.

This blueprint configures Datadog’s AWS Integration using a CloudFormation stack for a given AWS account so that Datadog can automatically start monitoring your AWS environment.

Architecture

Architecture for Account Factory Customization

How to use

This solution is designed to be deployed to your Home Region.

When you deploy this solution, you will need to provide the following parameters:

| Name | Description | Type | Default | Allowed Values |
| --- | --- | --- | --- | --- |
| DatadogApiKey | API key for the Datadog account (find at https://app.datadoghq.com/organization-settings/api-keys) | String | | |
| DatadogAppKey | APP key for the Datadog account (find at https://app.datadoghq.com/organization-settings/application-keys) | String | | |
| DatadogSite | Your Datadog Site to send data to. | String | datadoghq.com | datadoghq.com, datadoghq.eu, us3.datadoghq.com, us5.datadoghq.com, ddog-gov.com |
| DatadogSecretArn | The secret containing your Datadog credentials. This should be a reference to the Secrets Manager ARN where the Datadog credentials are stored. If no ARN is provided, then you must supply a valid DatadogApiKey, DatadogAppKey, and DatadogSite. | String | | |
| IAMRoleName | Customize the name of the IAM role for the Datadog AWS integration. | String | DatadogIntegrationRole | |
| InstallLambdaLogForwarder | Determines whether the default configuration for the Datadog Lambda Log Forwarder is installed as part of this stack. This is useful for sending logs to Datadog for use in Log Management or Cloud SIEM. Customers who want to customize this setup to include specific custom tags, data scrubbing or redaction rules, or send logs using AWS PrivateLink should select “no” and install this independently (https://docs.datadoghq.com/serverless/libraries_integrations/forwarder/#installation). | String | true | true, false |
| DisableMetricCollection | Disabling metric collection for this account will lead to a loss in visibility into your AWS services. Disable this if you only want to collect tags or resource configuration information from this AWS account, and do not want to use Datadog Infrastructure Monitoring. | String | false | true, false |
| CloudSecurityPostureManagement | Add the AWS Managed SecurityAudit policy to your Datadog AWS Integration role, and enable Datadog Cloud Security Posture Management (CSPM) to start performing configuration checks across your AWS account. Datadog CSPM is a product that automatically detects resource misconfigurations in your AWS account according to industry benchmarks. More info: https://www.datadoghq.com/product/security-platform/cloud-security-posture-management/ | String | false | true, false |
| S3BucketName | Name of the S3 bucket for your copy of the CloudFormation blueprint templates. Keep the default bucket name unless you are customizing the template. Changing the bucket name updates code references to point to a new blueprint location. | String | controltower-blueprints | |
| S3KeyPrefix | S3 key prefix that is used to simulate a directory for your copy of the CloudFormation blueprint. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new blueprint location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html | String | cloudformation-datadog-ctblueprints/ | |
| S3BucketRegion | AWS Region where the S3 bucket (S3BucketName) is hosted. | String | us-east-1 | |
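
A pre-deployment check of the parameter rules in the table above, as an added example that is not part of this blueprint's own code. The function name `validate_parameters`, the sample values and the ARN pattern (the general shape of a Secrets Manager secret ARN) are assumptions made for illustration.

```python
import re

# Allowed values copied from the parameter table above.
SITES = {"datadoghq.com", "datadoghq.eu", "us3.datadoghq.com",
         "us5.datadoghq.com", "ddog-gov.com"}
BOOLEAN_PARAMS = ("InstallLambdaLogForwarder", "DisableMetricCollection",
                  "CloudSecurityPostureManagement")
# Assumed general shape of a Secrets Manager secret ARN (any AWS partition).
SECRET_ARN = re.compile(
    r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")
# Characters the S3KeyPrefix description allows; must end with "/".
KEY_PREFIX = re.compile(r"^[0-9A-Za-z/-]*/$")


def validate_parameters(params):
    """Return a list of problems found in a dict of stack parameters."""
    errors = []
    secret_arn = params.get("DatadogSecretArn", "")
    if secret_arn:
        if not SECRET_ARN.match(secret_arn):
            errors.append("DatadogSecretArn is not a Secrets Manager ARN")
    else:
        # Without a secret ARN, the keys must be supplied directly.
        for name in ("DatadogApiKey", "DatadogAppKey"):
            if not params.get(name):
                errors.append(f"{name} is required when DatadogSecretArn is empty")
    site = params.get("DatadogSite", "datadoghq.com")
    if site not in SITES:
        errors.append(f"DatadogSite {site!r} is not an allowed value")
    for name in BOOLEAN_PARAMS:
        value = params.get(name)
        if value is not None and value not in ("true", "false"):
            errors.append(f"{name} must be 'true' or 'false'")
    prefix = params.get("S3KeyPrefix", "cloudformation-datadog-ctblueprints/")
    if not KEY_PREFIX.match(prefix):
        errors.append("S3KeyPrefix has invalid characters or no trailing '/'")
    return errors


# Constructed sample input: placeholder key values and a made-up account id.
SAMPLE_OK = {"DatadogSecretArn":
             "arn:aws:secretsmanager:us-east-1:111122223333:secret:datadog-creds",
             "DatadogSite": "datadoghq.eu"}
SAMPLE_BAD = {"DatadogApiKey": "PLACEHOLDER_API_KEY", "DatadogSite": "datadog.com",
              "InstallLambdaLogForwarder": "no", "S3KeyPrefix": "my_prefix"}

if __name__ == "__main__":
    for problem in validate_parameters(SAMPLE_BAD):
        print("ERROR:", problem)
```

Parameters left out of the dict fall back to the defaults listed in the table, so only the values you override are checked.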

See contribution guide for more info