DataDog · hestonhoffman · May 14, 2026 · May 13, 2026 · May 14, 2026
@@ -388,6 +388,26 @@ export default {
     gov2: 'The private link service for US2-FED is not supported.',
     gov: 'The private link service for GOV is not supported.'
   },
+  aws_customer_access_id: {
+    us: '464622532012',
+    us3: '464622532012',
+    us5: '464622532012',
+    eu: '464622532012',
+    ap1: '417141415827',
+    ap2: '412381753143',
+    gov2: '382742775718',
+    gov: '392588925713'
+  },
+  aws_customer_access_govcloud_id: {
+    us: 'N/A',
+    us3: 'N/A',
+    us5: 'N/A',
+    eu: 'N/A',
+    ap1: 'N/A',
+    ap2: 'N/A',
+    gov2: '486737091498',
+    gov: '065115117704'
+  },
   ip_ranges_url: {
     us: 'https://ip-ranges.datadoghq.com',
     us3: 'https://ip-ranges.us3.datadoghq.com',

@@ -86,17 +86,11 @@ Datadog assumes this role to collect data on your behalf.
 
 1. Go to the AWS [IAM Console][4] and click `Create role`.
 2. Select **AWS account** for the trusted entity type, and **Another AWS account**.
-{{< site-region region="us,us3,us5,eu" >}}
-3. Enter `464622532012` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.
-{{< /site-region >}}
-{{< site-region region="ap1" >}}
-3. Enter `417141415827` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.
-{{< /site-region >}}
-{{< site-region region="ap2" >}}
-3. Enter `412381753143` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.
+{{< site-region region="us,us3,us5,eu,ap1,ap2" >}}
+3. Enter {{< region-param key="aws_customer_access_id" code="true" >}} as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data.
 {{< /site-region >}}
 {{< site-region region="gov,gov2" >}}
-3. If the AWS account you want to integrate is a GovCloud account, enter `065115117704` as the `Account ID`, otherwise enter `392588925713`. This is Datadog's account ID, and grants Datadog access to your AWS data.
+3. If the AWS account you want to integrate is a GovCloud account, enter {{< region-param key="aws_customer_access_govcloud_id" code="true" >}} as the `Account ID`, otherwise enter {{< region-param key="aws_customer_access_id" code="true" >}}. This is Datadog's account ID, and grants Datadog access to your AWS data.
 {{< /site-region >}}
 **Note**: Ensure that the **DATADOG SITE** selector on the right of this documentation page is set to your Datadog site before copying the account ID above.
 

@@ -387,7 +387,7 @@ resource "datadog_integration_aws_account" "datadog_integration" {
 [2]: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws
 {{< /site-region >}}
 
-{{< site-region region="gov,gov2" >}}
+{{< site-region region="gov" >}}
 2. Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes:
    * `AWS_ACCOUNT_ID`: Your AWS account ID.
 
@@ -631,6 +631,250 @@ See the [Terraform Registry][2] for further example usage and the full list of o
 [2]: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws
 {{< /site-region >}}
 
+{{< site-region region="gov2" >}}
+2. Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes:
+   * `AWS_ACCOUNT_ID`: Your AWS account ID.
+
+{{< tabs >}}
+
+{{% tab "AWS Commercial Cloud" %}}
+
+```hcl
+data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::382742775718:root"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values = [
+        "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
+      ]
+    }
+  }
+}
+
+data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
+
+locals {
+  all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
+
+  max_policy_size = 6144
+  target_chunk_size = 5900
+
+  permission_sizes = [
+    for perm in local.all_permissions :
+    length(perm) + 3
+  ]
+  cumulative_sizes = [
+    for i in range(length(local.permission_sizes)) :
+    sum(slice(local.permission_sizes, 0, i + 1))
+  ]
+
+  chunk_assignments = [
+    for cumulative_size in local.cumulative_sizes :
+    floor(cumulative_size / local.target_chunk_size)
+  ]
+  chunk_numbers = distinct(local.chunk_assignments)
+  permission_chunks = [
+    for chunk_num in local.chunk_numbers : [
+      for i, perm in local.all_permissions :
+      perm if local.chunk_assignments[i] == chunk_num
+    ]
+  ]
+}
+
+data "aws_iam_policy_document" "datadog_aws_integration" {
+  count = length(local.permission_chunks)
+
+  statement {
+    actions   = local.permission_chunks[count.index]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "datadog_aws_integration" {
+  count = length(local.permission_chunks)
+
+  name   = "DatadogAWSIntegrationPolicy-${count.index + 1}"
+  policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
+}
+resource "aws_iam_role" "datadog_aws_integration" {
+  name               = "DatadogIntegrationRole"
+  description        = "Role for Datadog AWS Integration"
+  assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
+}
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
+  count = length(local.permission_chunks)
+
+  role       = aws_iam_role.datadog_aws_integration.name
+  policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
+}
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
+  role       = aws_iam_role.datadog_aws_integration.name
+  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
+resource "datadog_integration_aws_account" "datadog_integration" {
+  account_tags   = []
+  aws_account_id = "<ACCOUNT_ID>"
+  aws_partition  = "aws"
+  aws_regions {
+    include_all = true
+  }
+  auth_config {
+    aws_auth_config_role {
+      role_name = "DatadogIntegrationRole"
+    }
+  }
+  resources_config {
+    cloud_security_posture_management_collection = false
+    extended_collection                          = true
+  }
+  traces_config {
+    xray_services {
+    }
+  }
+  logs_config {
+    lambda_forwarder {
+    }
+  }
+  metrics_config {
+    namespace_filters {
+    }
+  }
+}
+```
+
+{{% /tab %}}
+
+{{% tab "AWS GovCloud" %}}
+
+```hcl
+data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws-us-gov:iam::486737091498:root"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values = [
+        "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
+      ]
+    }
+  }
+}
+
+data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
+
+locals {
+  all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
+
+  max_policy_size = 6144
+  target_chunk_size = 5900
+
+  permission_sizes = [
+    for perm in local.all_permissions :
+    length(perm) + 3
+  ]
+  cumulative_sizes = [
+    for i in range(length(local.permission_sizes)) :
+    sum(slice(local.permission_sizes, 0, i + 1))
+  ]
+
+  chunk_assignments = [
+    for cumulative_size in local.cumulative_sizes :
+    floor(cumulative_size / local.target_chunk_size)
+  ]
+  chunk_numbers = distinct(local.chunk_assignments)
+  permission_chunks = [
+    for chunk_num in local.chunk_numbers : [
+      for i, perm in local.all_permissions :
+      perm if local.chunk_assignments[i] == chunk_num
+    ]
+  ]
+}
+
+data "aws_iam_policy_document" "datadog_aws_integration" {
+  count = length(local.permission_chunks)
+
+  statement {
+    actions   = local.permission_chunks[count.index]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "datadog_aws_integration" {
+  count = length(local.permission_chunks)
+
+  name   = "DatadogAWSIntegrationPolicy-${count.index + 1}"
+  policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
+}
+resource "aws_iam_role" "datadog_aws_integration" {
+  name               = "DatadogIntegrationRole"
+  description        = "Role for Datadog AWS Integration"
+  assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
+}
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
+  count = length(local.permission_chunks)
+
+  role       = aws_iam_role.datadog_aws_integration.name
+  policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
+}
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
+  role       = aws_iam_role.datadog_aws_integration.name
+  policy_arn = "arn:aws-us-gov:iam::aws:policy/SecurityAudit"
+}
+
+resource "datadog_integration_aws_account" "datadog_integration" {
+  account_tags   = []
+  aws_account_id = "<ACCOUNT_ID>"
+  aws_partition  = "aws-us-gov"
+  aws_regions {
+    include_all = true
+  }
+  auth_config {
+    aws_auth_config_role {
+      role_name = "DatadogIntegrationRole"
+    }
+  }
+  resources_config {
+    cloud_security_posture_management_collection = false
+    extended_collection                          = true
+  }
+  traces_config {
+    xray_services {
+    }
+  }
+  logs_config {
+    lambda_forwarder {
+    }
+  }
+  metrics_config {
+    namespace_filters {
+    }
+  }
+}
+```
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+See the [Terraform Registry][2] for further example usage and the full list of optional parameters, as well as additional Datadog resources.
+
+<div class="alert alert-info">By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under <code>resources_config</code>, set <code>cloud_security_posture_management_collection = true</code>.</div>
+
+[1]: /integrations/amazon_web_services/?tab=manual#aws-iam-permissions
+[2]: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws
+{{< /site-region >}}
+
 3. Run `terraform apply`. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box [AWS overview dashboard][4] to see metrics sent by your AWS services and infrastructure.
 
 {{< partial name="whats-next/whats-next.html" >}}

@@ -13,7 +13,7 @@ This error usually indicates an issue with the trust policy associated with the
 
 Check the following points for the AWS account mentioned in the error:
 
-{{< site-region region="us,us3,us5,eu,gov,gov2" >}}
+{{< site-region region="us,us3,us5,eu,ap1,ap2" >}}
 1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3].
 
 2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below:
@@ -26,7 +26,7 @@ Check the following points for the AWS account mentioned in the error:
         {
             "Effect": "Allow",
             "Principal": {
-                "AWS": "arn:aws:iam::464622532012:root"
+                "AWS": "arn:aws:iam::{{< region-param key="aws_customer_access_id" >}}:root"
             },
             "Action": "sts:AssumeRole",
             "Condition": {
@@ -44,41 +44,10 @@ Check the following points for the AWS account mentioned in the error:
 [3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml
 {{< /site-region >}}
 
-{{< site-region region="ap1" >}}
+{{< site-region region="gov,gov2" >}}
 1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3].
 
-2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below:
-
-{{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}}
-
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::417141415827:root"
-            },
-            "Action": "sts:AssumeRole",
-            "Condition": {
-                "StringEquals": {
-                    "sts:ExternalId": "<YOUR_AWS_EXTERNAL_ID>"
-                }
-            }
-        }
-    ]
-}
-
-{{< /code-block >}}
-
-[2]: https://ap1.datadoghq.com/integrations/amazon-web-services
-[3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml
-{{< /site-region >}}
-
-{{< site-region region="ap2" >}}
-1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3].
-
-2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below:
+2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured with the correct Datadog account ID for your AWS partition. Use {{< region-param key="aws_customer_access_id" code="true" >}} for commercial AWS accounts or {{< region-param key="aws_customer_access_govcloud_id" code="true" >}} for GovCloud accounts:
 
 {{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}}
 
@@ -88,7 +57,7 @@ Check the following points for the AWS account mentioned in the error:
         {
             "Effect": "Allow",
             "Principal": {
-                "AWS": "arn:aws:iam::412381753143:root"
+                "AWS": "arn:aws:iam::{{< region-param key="aws_customer_access_id" >}}:root"
             },
             "Action": "sts:AssumeRole",
             "Condition": {
@@ -102,7 +71,7 @@ Check the following points for the AWS account mentioned in the error:
 
 {{< /code-block >}}
 
-[2]: https://ap2.datadoghq.com/integrations/amazon-web-services
+[2]: https://app.ddog-gov.com/integrations/amazon-web-services
 [3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml
 {{< /site-region >}}