Before revoking your AWS keys, configure AWS Role Delegation in the AWS Console. To do so:
- First, be certain your AWS Role has appropriate (read-only) privileges as outlined here
- Create a new role in the IAM Console. Name it anything you like, such as
- From the selection, choose Role for Cross-Account Access and click the Select button for Allows IAM users from a 3rd party AWS account to access this account.
- For Account ID, enter 464622532012 (Datadog's account ID). This grants Datadog, and only Datadog, read access to your AWS data.
  For External ID, enter the one generated in the Role Delegation tab of the AWS Integration configuration page. For more information about the External ID, refer to this document in the IAM User Guide.
  Leave Require MFA disabled.
- Select the policy you previously created for the access keys.
- Review what you selected and click the Create Role button.
- Update the credentials in Datadog by navigating to the in-app integration tile here:
- Click the tab for Role Delegation. Leave the AWS Account ID and AWS External ID at their default values. Enter the name you specified for the AWS Role in step 2. A green banner is displayed at the top of the account configuration section shortly after you enter the name if the role was successfully validated.
- Scroll down to the bottom of the configuration page and click Update Configuration. A green banner will be displayed once the configuration has been validated and applied. This process will also remove the previously used Access Key credentials.
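The cross-account role you create above is only as safe as its trust policy: it must name Datadog's account as the sole principal and require the External ID on every AssumeRole call. The following is an added example (not Datadog's code) that builds such a trust policy and checks an existing one for the two mistakes that matter most; the External ID value is a constructed placeholder.

```python
"""Build and sanity-check the cross-account trust policy used for role delegation.
Added example, not Datadog's own code. The External ID passed in below is a
constructed placeholder; use the one shown on the Role Delegation tab."""

DATADOG_ACCOUNT_ID = "464622532012"  # Datadog's account ID, as given in the steps above


def build_trust_policy(external_id: str, partner_account_id: str = DATADOG_ACCOUNT_ID) -> dict:
    """Trust policy for the role: only the partner account may assume it, and only
    when it presents the agreed External ID (mitigates the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, partner_account_id: str = DATADOG_ACCOUNT_ID) -> list:
    """Return a list of problems found in an AssumeRole trust policy (empty == OK).
    Every Allow statement granting sts:AssumeRole is checked for (a) a principal
    other than the expected partner account and (b) a missing sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        # Principal may be "*", {"AWS": "arn"} or {"AWS": ["arn", ...]}
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*" or partner_account_id not in p:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings
```

Run `trust_policy_findings` over the trust policy returned by `aws iam get-role` for the delegation role; any non-empty result means the role should be fixed before the access keys are revoked.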
Once you've set up Datadog for AWS Roles, revoke your AWS keys per this article: on the Security Credentials page, expand the Access Keys section and click the Make Inactive or Delete link for the appropriate Access Key ID.
If you encounter any issues or have additional questions, please email: firstname.lastname@example.org