Datadog AWS Integration Setup (IAM Role)


The other day (2016/07/08) a security incident reportedly occurred at Datadog.

A notice went out recommending that the AWS Integration be configured by delegating an IAM Role rather than with access keys.

In my environment data was being collected with an IAM User and no IAM Role had been set up, so I changed the configuration.


Preparation

Prepare the JSON files needed to create the IAM Role.


Creating the policy file


DatadogAWSIntegrationPolicy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:list*",
        "dynamodb:describe*",
        "ec2:Describe*",
        "ec2:Get*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:List*",
        "elasticmapreduce:Describe*",
        "kinesis:List*",
        "kinesis:Describe*",
        "logs:Get*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:TestMetricFilter",
        "rds:Describe*",
        "rds:List*",
        "route53:List*",
        "ses:Get*",
        "sns:List*",
        "sns:Publish",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "support:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
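Before attaching a policy like the one above it helps to see at a glance what it grants. The following Python script is an added example, not part of the original post or of Datadog's tooling: it embeds the policy document from the post and sorts each Allow action into read-style (Describe/Get/List), service-wide wildcard (service:*), or "other", and records which actions are granted on Resource "*". The function names (classify_action, triage_policy) are the example's own.

```python
"""Triage the actions an IAM permission policy grants before attaching it.

Added example (not from the original post). Embeds the
DatadogAWSIntegrationPolicy.json from the post and groups its actions so the
grant can be reviewed against least privilege.
"""
from collections import defaultdict

# Policy document from the post, embedded (actions unchanged) so this runs offline.
DATADOG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "autoscaling:Describe*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            "dynamodb:list*", "dynamodb:describe*", "ec2:Describe*", "ec2:Get*",
            "ecs:Describe*", "ecs:List*", "elasticache:Describe*", "elasticache:List*",
            "elasticloadbalancing:Describe*", "elasticmapreduce:List*",
            "elasticmapreduce:Describe*", "kinesis:List*", "kinesis:Describe*",
            "logs:Get*", "logs:Describe*", "logs:FilterLogEvents", "logs:TestMetricFilter",
            "rds:Describe*", "rds:List*", "route53:List*", "ses:Get*", "sns:List*",
            "sns:Publish", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage",
            "support:*",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

READ_PREFIXES = ("describe", "get", "list")


def classify_action(action):
    """Return 'read', 'wildcard' or 'other' for one IAM action string."""
    _service, _, operation = action.partition(":")
    if operation == "*":
        return "wildcard"  # every API of the service, e.g. support:*
    if operation.lower().startswith(READ_PREFIXES):
        return "read"  # Describe*/Get*/List* style read calls (case-insensitive)
    return "other"  # anything else deserves an explicit look


def triage_policy(policy):
    """Group Allow actions by category and record which are granted on Resource '*'."""
    groups = defaultdict(list)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            groups[classify_action(action)].append(action)
        if "*" in resources:
            groups["on_all_resources"].extend(actions)
    return {key: sorted(values) for key, values in groups.items()}


def triage_datadog_policy():
    """Convenience wrapper over the embedded policy."""
    return triage_policy(DATADOG_POLICY)


if __name__ == "__main__":
    result = triage_datadog_policy()
    for category in ("read", "wildcard", "other"):
        print(f"{category:>8}: {len(result.get(category, []))} action(s)")
    for action in result.get("wildcard", []) + result.get("other", []):
        print("  review:", action)
```

Run as-is it prints the per-category counts and lists the actions that are not plain Describe/Get/List calls; those are the ones worth confirming against the integration's documented needs before the policy goes live.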


AssumeRolePolicyDocument.json.base


  • Contents of the Trust Relationships (the ID parts are replaced in a later step)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::__DDACCOUNTID__:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "__DDEXTERNALID__"
        }
      }
    }
  ]
}


Setting values (names)

The following names are used for each resource.

Type                      Name
PolicyName                DatadogAWSIntegrationPolicy
PolicyDocument            DatadogAWSIntegrationPolicy.json
RoleName                  DatadogAWSIntegrationRole
AssumeRolePolicyDocument  AssumeRolePolicyDocument.json

$ PolicyName="DatadogAWSIntegrationPolicy" ; echo "PolicyName: ${PolicyName}"
PolicyName: DatadogAWSIntegrationPolicy
$ PolicyDocument="DatadogAWSIntegrationPolicy.json" ; echo "PolicyDocument: ${PolicyDocument}"
PolicyDocument: DatadogAWSIntegrationPolicy.json
$ RoleName="DatadogAWSIntegrationRole" ; echo "RoleName: ${RoleName}"
RoleName: DatadogAWSIntegrationRole
$ AssumeRolePolicyDocument="AssumeRolePolicyDocument.json" ; echo "AssumeRolePolicyDocument: ${AssumeRolePolicyDocument}"
AssumeRolePolicyDocument: AssumeRolePolicyDocument.json


Creating the IAM role


Create the policy

$ aws iam create-policy --policy-name ${PolicyName} --policy-document file://${PolicyDocument}
{
  "Policy": {
    "PolicyName": "DatadogAWSIntegrationPolicy",
    "CreateDate": "2016-07-DDTHH:MM:SS.923Z",
    "AttachmentCount": 0,
    "IsAttachable": true,
    "PolicyId": "ANPXXXXXXXXXXXXXXXXXX",
    "DefaultVersionId": "v1",
    "Path": "/",
    "Arn": "arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy",
    "UpdateDate": "2016-07-DDTHH:MM:SS.923Z"
  }
}


Set the ARN


  • Set the ARN from the create-policy output above inside the "" (or assign it with the CLI)

$ ARN="arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy" ; echo "ARN: ${ARN}"
ARN: arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy

# Assign with the CLI
# ARN=$(aws iam list-policies --scope Local | jq -r '.Policies[] | select(.PolicyName == "'${PolicyName}'") | .Arn') ; echo "ARN: ${ARN}"


Obtain the required information from Datadog


AccountID

$ DDACID=464622532012 ; echo "DatadogAccountID: ${DDACID}"
DatadogAccountID: 464622532012


ExternalID


  • Obtain it from the settings

  • Integrations -> AmazonWebService -> Configure

20160710_04_DD_externalID.png


  • Add another account -> AWS External ID

20160710_05_DD_externalID.png


  • Assign the issued ID

$ DDEXTID="4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ; echo "DatadogExternalID: ${DDEXTID}"
DatadogExternalID: 4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Generate PolicyDocument.json (substitution)

$ sed -e "s%__DDACCOUNTID__%${DDACID}%" -e "s%__DDEXTERNALID__%${DDEXTID}%" ${AssumeRolePolicyDocument}.base > ${AssumeRolePolicyDocument}
$ diff ${AssumeRolePolicyDocument}.base ${AssumeRolePolicyDocument}
7c7
<         "AWS": "arn:aws:iam::__DDACCOUNTID__:root"
---
>         "AWS": "arn:aws:iam::464622532012:root"
12c12
<           "sts:ExternalId": "__DDEXTERNALID__"
---
>           "sts:ExternalId": "4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
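The diff above eyeballs the substitution; the script below is an added example (not from the original post or from Datadog) that does the same rendering of the template in Python and then checks the result mechanically: no __PLACEHOLDER__ left behind, exactly one Allow statement, Action sts:AssumeRole, Principal the Datadog account root, and an sts:ExternalId condition equal to the ID issued by Datadog. The external ID and the counter-example without a condition are constructed values; the account ID is the one quoted in the post. The same check_trust_policy function can be pointed at the AssumeRolePolicyDocument that `aws iam get-role` returns once the role exists, to confirm what was actually applied.

```python
"""Render the Datadog trust-policy template and verify the result.

Added example (not from the original post). Mirrors the sed substitution,
then validates the rendered trust policy. The external ID here is a
constructed sample, not a real one.
"""
import json
import re

# AssumeRolePolicyDocument.json.base from the post, embedded so this runs offline.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::__DDACCOUNTID__:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "__DDEXTERNALID__"
        }
      }
    }
  ]
}
"""

DD_ACCOUNT_ID = "464622532012"                      # Datadog account ID quoted in the post
SAMPLE_EXTERNAL_ID = "constructed-external-id-0000"  # constructed sample value

# Constructed counter-example: same trusted account, but the ExternalId condition left out.
NO_EXTERNAL_ID_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{DD_ACCOUNT_ID}:root"},
                   "Action": "sts:AssumeRole"}],
})

PLACEHOLDER = re.compile(r"__[A-Z]+__")


def render_template(template, dd_account_id, external_id):
    """Equivalent of the post's sed -e s%__DDACCOUNTID__%...% -e s%__DDEXTERNALID__%...%."""
    return (template.replace("__DDACCOUNTID__", dd_account_id)
                    .replace("__DDEXTERNALID__", external_id))


def check_trust_policy(document, dd_account_id, external_id):
    """Return a list of problems; an empty list means the trust policy is as expected."""
    problems = []
    leftovers = PLACEHOLDER.findall(document)
    if leftovers:
        problems.append(f"unreplaced placeholders: {leftovers}")
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]

    expected_principal = f"arn:aws:iam::{dd_account_id}:root"
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        problems.append(f"expected exactly one Allow statement, found {len(allows)}")
    for stmt in allows:
        if stmt.get("Action") != "sts:AssumeRole":
            problems.append(f"unexpected Action {stmt.get('Action')!r}")
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal != expected_principal:
            problems.append(f"Principal {principal!r} is not {expected_principal!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext != external_id:
            problems.append("sts:ExternalId does not match the ID issued by Datadog")
    return problems


def render_and_check(external_id=SAMPLE_EXTERNAL_ID):
    """Render the template with the Datadog account and the given external ID, then check it."""
    rendered = render_template(TEMPLATE, DD_ACCOUNT_ID, external_id)
    return rendered, check_trust_policy(rendered, DD_ACCOUNT_ID, external_id)


if __name__ == "__main__":
    rendered, problems = render_and_check()
    print(rendered)
    print("rendered policy:", "OK" if not problems else problems)
    print("template as-is:", check_trust_policy(TEMPLATE, DD_ACCOUNT_ID, SAMPLE_EXTERNAL_ID))
    print("no ExternalId:", check_trust_policy(NO_EXTERNAL_ID_DOC, DD_ACCOUNT_ID, SAMPLE_EXTERNAL_ID))
```

The three runs in the main block show the intended outcomes: the rendered document passes, the unrendered template is rejected for its placeholders and mismatched principal, and the document without a Condition is rejected specifically for the missing sts:ExternalId.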


Create the IAM role

# Create the IAM role
$ aws iam create-role --role-name ${RoleName} --assume-role-policy-document file://${AssumeRolePolicyDocument}
{
  "Role": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          }
        }
      ]
    },
    "RoleId": "AROXXXXXXXXXXXXXXXXXX",
    "CreateDate": "2016-07-DDTHH:MM:SS.552Z",
    "RoleName": "DatadogAWSIntegrationRole",
    "Path": "/",
    "Arn": "arn:aws:iam::9XXXXXXXXXXX:role/DatadogAWSIntegrationRole"
  }
}
# Attach the policy
$ aws iam attach-role-policy --role-name ${RoleName} --policy-arn ${ARN}
# Confirm the policy is attached
$ aws iam list-attached-role-policies --role-name ${RoleName}
{
  "AttachedPolicies": [
    {
      "PolicyName": "DatadogAWSIntegrationPolicy",
      "PolicyArn": "arn:aws:iam::5XXXXXXXXXXX:policy/DatadogAWSIntegrationPolicy"
    }
  ]
}


IAM creation results


  • Policy

20160710_01_Policy.png


  • IAM role

20160710_02_IAMrole.png

20160710_03_IAMrole.png


Configure the Datadog Integration


  • Set the created IAM role in the integration

20160710_06_DD_setting.png


Result

Information is now collected from the target AWS account.

20160710_07_result.png