
URL: https://docs.datadoghq.com/infrastructure/resource_catalog/policies/

Policies


Resource Policies are in Preview.

Overview

In Resource Policies, you can define policies on the desired optimal configuration of your infrastructure resources based on governance best practices in your organization. Some examples include improving ownership tag coverage on resources, or ensuring versioning on critical resources is up-to-date. Instead of writing custom scripts or Lambdas that scan every resource, Datadog gives you visibility into problematic resources so that you can focus on remediation.

Specifically, you can:

  • Define a custom policy, which involves choosing a resource type, the attribute on the resource type, and target values the attribute should have.
  • Start from a set of out-of-the-box policy templates that span infrastructure reliability, cost optimization, operational excellence, and versioning.
  • Define a tagging policy, which involves a resource type and the desired tag key and value the resource type should have.
  • Access a dedicated view for each policy where you can see its list of non-compliant resources and compliance score.
  • Filter policies by team (or any custom tag) to create a shareable view for each team.
  • Group policies by team (or any custom tag) to assess compliance and prioritize outreach to low-performing teams.

Example Resource Policies

Create a custom policy

Custom policies require specific values in the attributes of your cloud resources, as seen within Datadog, based on your organization’s infrastructure best practices.

To create a custom policy:

  1. In the side navigation, click Resources > Policies.
  2. Click the New Custom Policy button.
  3. Select a resource type from the dropdown menu.
  4. Optionally, search for additional dataset filters, such as `env:prod`, to include only resources in production.
  5. Select a target resource attribute and desired value.
  6. Optionally, add instructions for remediation.
  7. A name is automatically generated based on the data entered, but you can modify it.
  8. Click Create Custom Policy.

Click the new policy to review all non-compliant resources and filter them by region, environment, account, service, or team. You can also group them by attributes or tags.

Selecting values for your target attribute

Custom policies let you define a target resource attribute and a desired value, providing flexibility in creating policies for your cloud resources without requiring complex query languages. The following features are available:

  • Access data in nested attributes: Validate more of your configurations (for example, require TLS 1.2 for Amazon CloudFront, a setting stored in a multi-level property).
  • Use advanced condition matching: Use operators like >, <, or != (for example, enforce Kubernetes version > 1.25).
  • Use multi-attribute logic: Chain multiple attributes in one policy (for example, require AWS CloudTrail logging and multi-region trails to both be enabled).
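The evaluation model these three features describe, as an added illustration that is not Datadog's code: a custom policy is a set of (nested attribute path, operator, target) conditions that must all hold for an in-scope resource, a tagging policy is a tag key with allowed values, and a compliance score is the share of in-scope resources that pass. The inventory, attribute names, and resource type strings are constructed sample data, not output from a real account.

```python
import operator

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}

# Constructed sample inventory (not real account data): type, tags, nested config.
RESOURCES = [
    {"id": "cf-1", "type": "aws_cloudfront_distribution", "tags": {"team": "web"},
     "config": {"viewer_certificate": {"minimum_protocol_version": "TLSv1.2_2021"}}},
    {"id": "cf-2", "type": "aws_cloudfront_distribution", "tags": {"team": "web"},
     "config": {"viewer_certificate": {"minimum_protocol_version": "TLSv1"}}},
    {"id": "eks-1", "type": "aws_eks_cluster", "tags": {"team": "platform"},
     "config": {"version": "1.27"}},
    {"id": "eks-2", "type": "aws_eks_cluster", "tags": {},
     "config": {"version": "1.24"}},
    {"id": "trail-1", "type": "aws_cloudtrail", "tags": {"team": "security"},
     "config": {"is_logging": True, "is_multi_region_trail": False}},
]

def get_path(obj, path):
    """Walk a dotted path into nested config; None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def meets(resource, conditions):
    """Custom policy: every (path, op, target) condition must hold. A missing
    attribute is non-compliant; a tuple target means a numeric version compare."""
    for path, op, target in conditions:
        actual = get_path(resource["config"], path)
        if actual is None:
            return False
        if isinstance(target, tuple):
            actual = tuple(int(p) for p in str(actual).split("."))
        if not OPS[op](actual, target):
            return False
    return True

def has_tag(resource, key, allowed):
    """Tagging policy: the tag key is present and its value is one of the allowed ones."""
    return resource["tags"].get(key) in allowed

def evaluate(resource_types, check, resources=RESOURCES):
    """Scope to the given types, apply the check, and return the non-compliant ids
    plus an integer compliance score (percent of in-scope resources passing)."""
    scope = [r for r in resources if r["type"] in resource_types]
    bad = [r["id"] for r in scope if not check(r)]
    score = 100 * (len(scope) - len(bad)) // len(scope) if scope else 100
    return {"non_compliant": bad, "score": score}
```

A missing attribute is deliberately treated as a failure rather than skipped, so a resource whose configuration is not yet collected surfaces in the non-compliant list instead of silently inflating the score.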

Start with an out-of-the-box policy template

For insights into your infrastructure’s reliability, cost optimization, operational excellence, and versioning, Datadog provides out-of-the-box policy templates. These templates are curated using cloud provider best practices and customer stories. Since each organization has unique requirements, filters can be applied to limit the set of resources evaluated against a policy, and an attribute’s target values can be customized as needed.

Remediate with Native Actions

All policy templates come equipped with suggested remediation steps based on industry best practices, as well as Datadog Native Actions in some cases. Using Native Actions, you can remediate misconfigurations without ever leaving Datadog for the following policy templates:

  • Amazon RDS instances should be configured with Multi-AZ deployment
  • Amazon EBS volume type should be upgraded from GP2 to GP3
  • Amazon DynamoDB point-in-time recovery should be enabled
  • Google Compute instances should have automatic restart enabled

As shown in the video below, on the policy template, you can enable an action and provide instructions for the responsible team to remediate non-compliant resources. This enables them to update cloud resource configurations directly from Datadog. To ensure the team can perform these actions, create a connection and give read/write permissions to the appropriate team members to run the action.

Create a tagging policy

Tagging policies require specific tag keys and tag value formats on your infrastructure resources across Datadog.

To create a tagging policy:

  1. In the side navigation, click Resources > Policies.
  2. Click the New Tagging Policy button.
  3. Choose the resource types the policy applies to.
  4. Define the required tag key and its allowed values.
  5. A name is automatically generated based on the data entered, but you can modify it.
  6. Click Create Tagging Policy.

Click the new policy to review all non-compliant resources and filter them by cloud, region, environment, account, service, team, or tag. You can also group them by attributes or tags.

Updating policies

To update a policy, click the policy, then click the Edit button and modify as needed.

Deleting policies

To delete a custom or tagging policy, click the policy, then click the Delete button.

Exporting policies

To export the list of non-compliant resources for a policy, click the policy, then click the Export as CSV button.

Further Reading