DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation
Apache License 2.0

Missing permissions for `DatadogIntegrationRole` #51

Closed mdupras closed 10 months ago

mdupras commented 1 year ago

Expected Behavior

When we install the Datadog CloudFormation template, we don't have to add more roles to the datadog policy.

Actual Behavior

We have to manually add some missing permissions.

Steps to Reproduce the Problem

  1. Enable Cloud SIEM in Datadog
  2. Monitor CloudTrail logs
  3. Look at the Datadog AccessDenied errors in the CloudTrail logs.

Specifications

Stacktrace

I have a bunch of errors, but here is a sample:

 assumed-role/DatadogIntegrationRole/DatadogAWSIntegration is not authorized to perform: kms:GetKeyRotationStatus

Solution

Add the missing permissions to this file: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml#L96

So far I've seen the template is missing the following permissions:

RaphaelAllier commented 10 months ago

Hello,

I believe the missing permissions are now added to the role, therefore I'll close this issue. I also wanted to point out that most of these permissions are used by our crawlers to audit an AWS account and are part of the AWS SecurityAudit policy. We require attaching this policy to the integration role in order to use most of our security products (documentation). Let us know if a similar issue reoccurs.
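A triage script for step 3 of the report (working out which actions the integration role is being denied, from CloudTrail records), added here as an example; it is not code from the issue or from the cloudformation-template repository. The CloudTrail records, account id and key ids are constructed, and the second denied action is a placeholder, not a permission the template is known to lack.

```python
import json
import re
from collections import Counter

ROLE_NAME = "DatadogIntegrationRole"
# IAM access-denied messages name the denied action right after this phrase.
ACTION_RE = re.compile(r"is not authorized to perform: (\S+)")
DENY_CODES = {"AccessDenied", "AccessDeniedException"}

# Constructed CloudTrail records; account id, key ids and the second action are placeholders.
INTEGRATION_ARN = ("arn:aws:sts::111122223333:assumed-role/"
                   "DatadogIntegrationRole/DatadogAWSIntegration")
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "GetKeyRotationStatus",
     "errorCode": "AccessDenied", "userIdentity": {"arn": INTEGRATION_ARN},
     "errorMessage": "User: " + INTEGRATION_ARN + " is not authorized to perform: "
     "kms:GetKeyRotationStatus on resource: arn:aws:kms:us-east-1:111122223333:key/KEY-A"},
    {"eventSource": "kms.amazonaws.com", "eventName": "GetKeyRotationStatus",
     "errorCode": "AccessDenied", "userIdentity": {"arn": INTEGRATION_ARN},
     "errorMessage": "User: " + INTEGRATION_ARN + " is not authorized to perform: "
     "kms:GetKeyRotationStatus on resource: arn:aws:kms:us-east-1:111122223333:key/KEY-B"},
    {"eventSource": "kms.amazonaws.com", "eventName": "ListKeyPolicies",   # placeholder action
     "errorCode": "AccessDenied", "userIdentity": {"arn": INTEGRATION_ARN},
     "errorMessage": "Access denied"},                # message without the action: use fallback
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/OtherRole/session"},
     "errorMessage": "not relevant"},                 # another principal: must be ignored
    {"eventSource": "kms.amazonaws.com", "eventName": "ListKeys",
     "userIdentity": {"arn": INTEGRATION_ARN}},       # succeeded (no errorCode): ignored
]

def missing_actions(events, role_name=ROLE_NAME):
    """Count IAM actions denied to sessions of role_name across CloudTrail records."""
    counts = Counter()
    for ev in events:
        if ev.get("errorCode") not in DENY_CODES:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        if f":assumed-role/{role_name}/" not in arn:
            continue
        m = ACTION_RE.search(ev.get("errorMessage", ""))
        if m:
            action = m.group(1)
        else:  # derive service:Action from eventSource/eventName when the message lacks it
            action = ev.get("eventSource", "").split(".")[0] + ":" + ev.get("eventName", "")
        counts[action] += 1
    return counts

def policy_statement(actions):
    """Allow statement listing the denied actions, to review before adding to the role."""
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}

if __name__ == "__main__":
    denied = missing_actions(SAMPLE_EVENTS)
    for action, n in denied.most_common():
        print(f"{n:4d}  {action}")
    print(json.dumps(policy_statement(denied), indent=2))
```

Run it over exported CloudTrail records (the `Records` array of each file) in place of `SAMPLE_EVENTS`; compare the resulting action list against the AWS SecurityAudit managed policy before editing the template.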