Amazon web services – How to restrict, select or filter AWS regions in Datadog for AWS integration?

There are 2 things you need to do to achieve this:

1. Add region to be allowed in the AWS IAM role used by Datadog using a condition in its AWS IAM policy as follows:

            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }

2. Add a list of regions to be excluded in the Datadog Integration for AWS using a cURL command as follows:

export DD_API_KEY="*************"
export DD_APP_KEY="*************"
export AWS_ROLE_NAME="IAM-Role-Datadog"
export AWS_ACCOUNT_ID="12345678901"

curl -X PUT "https://api.datadoghq.com/api/v1/integration/aws?account_id=${AWS_ACCOUNT_ID}&role_name=${AWS_ROLE_NAME}" 
-H "Accept: application/json" 
-H "Content-Type: application/json" 
-H "DD-API-KEY: ${DD_API_KEY}" 
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" 
-d @- << EOF
{
  "account_id": "${AWS_ACCOUNT_ID}",
  "cspm_resource_collection_enabled": false,
  "excluded_regions": [
    "ap-northeast-1",
    "ap-northeast-2",
    "ap-northeast-3",
    "ap-south-1",
    "ap-southeast-1",
    "ap-southeast-2",
    "ca-central-1",
    "eu-central-1",
    "eu-north-1",
    "eu-west-1",
    "eu-west-2",
    "eu-west-3",
    "sa-east-1",
    "us-west-1"
  ],
  "metrics_collection_enabled": true,
  "resource_collection_enabled": false,
  "role_name": "${AWS_ROLE_NAME}"
}
EOF

Further Elaboration: The 2nd step is enough but there could be a case that a new AWS account is added from the Datadog console/GUI and you forget to add the excluded regions because you cannot specify the excluded regions on the Datadog console/GUI. You have to use the Datadog API for that purpose. So, the 1st step can help us in identifying such configuration for an AWS account which is missing the excluded regions as it will show an error on Datadog Integration for AWS regarding access not allowed to regions. Also, 1st step adds an extra layer of security.