AWS
Datadog

Datadog AWS Integration 設定(IAM Role)

More than 1 year has passed since last update.

先日(2016/07/08) Datadogでセキュリティインシデントが発生したとのことです。
AWS Integration の設定について、アクセスキーでの設定ではなく、IAM Roleの委任での設定が推奨されるとの通知がありました。
自環境では IAM User でのデータ収集を行っており、IAM Roleでの設定は行っていなかったので設定を変更しました。

事前準備

IAM Role 作成に必要になる JSON ファイルを準備します。

ポリシーファイル作成

DatadogAWSIntegrationPolicy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:list*",
        "dynamodb:describe*",
        "ec2:Describe*",
        "ec2:Get*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:List*",
        "elasticmapreduce:Describe*",
        "kinesis:List*",
        "kinesis:Describe*",
        "logs:Get*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:TestMetricFilter",
        "rds:Describe*",
        "rds:List*",
        "route53:List*",
        "ses:Get*",
        "sns:List*",
        "sns:Publish",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "support:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AssumeRolePolicyDocument.json.base

  • Trust Relationships の内容(ID部分は後続手順にて置換)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::__DDACCOUNTID__:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "__DDEXTERNALID__"
        }
      }
    }
  ]
}

各設定値(名称)

各リソースの名称は以下を使用します。

種別 名称
PolicyName DatadogAWSIntegrationPolicy
PolicyDocument DatadogAWSIntegrationPolicy.json
RoleName DatadogAWSIntegrationRole
AssumeRolePolicyDocument AssumeRolePolicyDocument.json
$ PolicyName="DatadogAWSIntegrationPolicy" ; echo "PolicyName: ${PolicyName}"
PolicyName: DatadogAWSIntegrationPolicy
$ PolicyDocument="DatadogAWSIntegrationPolicy.json" ; echo "PolicyDocument: ${PolicyDocument}"
PolicyDocument: DatadogAWSIntegrationPolicy.json
$ RoleName="DatadogAWSIntegrationRole" ; echo "RoleName: ${RoleName}"
RoleName: DatadogAWSIntegrationRole
$ AssumeRolePolicyDocument="AssumeRolePolicyDocument.json" ; echo "AssumeRolePolicyDocument: ${AssumeRolePolicyDocument}"
AssumeRolePolicyDocument: AssumeRolePolicyDocument.json

IAM role 作成

ポリシー作成

$ aws iam create-policy --policy-name ${PolicyName} --policy-document file://${PolicyDocument}
{
    "Policy": {
        "PolicyName": "DatadogAWSIntegrationPolicy",
        "CreateDate": "2016-07-DDTHH:MM:SS.923Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPXXXXXXXXXXXXXXXXXX",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy",
        "UpdateDate": "2016-07-DDTHH:MM:SS.923Z"
    }
}

ARN設定

  • 上記 create-policy の結果からARNを""部分に設定(もしくはCLIで代入)
$ ARN="arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy" ; echo "ARN: ${ARN}"
# CLIで代入
# ARN=$(aws iam list-policies --scope Local | jq -r '.Policies[] | select(.PolicyName == "'${PolicyName}'") | .Arn') ; echo "ARN: ${ARN}"
ARN: arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy

Datadogから必要情報を取得

AccountID

$ DDACID=464622532012 ; echo "DatadogAccountID: ${DDACID}"
DatadogAccountID: 464622532012

ExternalID

  • 設定から取得
  • Integrations -> AmazonWebService -> Configure

20160710_04_DD_externalID.png

  • Add another account -> AWS External ID

20160710_05_DD_externalID.png

  • 払い出されたIDを代入
$ DDEXTID="4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ; echo "DatadogExternalID: ${DDEXTID}"
DatadogExternalID: 4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX

PolicyDocument.json 生成(置換)

$ sed -e "s%__DDACCOUNTID__%${DDACID}%" -e "s%__DDEXTERNALID__%${DDEXTID}%" ${AssumeRolePolicyDocument}.base > ${AssumeRolePolicyDocument}
diff ${AssumeRolePolicyDocument}.base ${AssumeRolePolicyDocument}
7c7
<         "AWS": "arn:aws:iam::__DDACCOUNTID__:root"
---
>         "AWS": "arn:aws:iam::464622532012:root"
12c12
<           "sts:ExternalId": "__DDEXTERNALID__"
---
>           "sts:ExternalId": "4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

IAMロール作成

# IAMロール作成
$ aws iam create-role --role-name ${RoleName} --assume-role-policy-document file://${AssumeRolePolicyDocument}
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROXXXXXXXXXXXXXXXXXX",
        "CreateDate": "2016-07-DDTHH:MM:SS.552Z",
        "RoleName": "DatadogAWSIntegrationRole",
        "Path": "/",
        "Arn": "arn:aws:iam::9XXXXXXXXXXX:role/DatadogAWSIntegrationRole"
    }
}
# ポリシー付与
$ aws iam attach-role-policy --role-name ${RoleName} --policy-arn ${ARN}
# ポリシー付与確認
$ aws iam list-attached-role-policies --role-name ${RoleName}
{
    "AttachedPolicies": [
        {
            "PolicyName": "DatadogAWSIntegrationPolicy",
            "PolicyArn": "arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy"
        }
    ]
}

IAM 作成結果

  • Policy

20160710_01_Policy.png

  • IAM role

20160710_02_IAMrole.png

20160710_03_IAMrole.png

Datadog Integration に設定

  • 作成したIAMロールをインテグレーションに設定

20160710_06_DD_setting.png

結果

対象AWSアカウントからの情報取得が行われます。

20160710_07_result.png