This is our DatadogAWSIntegrationPolicy inline policy.

DatadogAWSIntegrationPolicy.json

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"account:GetContactInformation",
				"apigateway:Get*",
				"autoscaling:Describe*",
				"backup:ListBackupPlans",
				"backup:ListProtectedResources",
				"backup:ListRecoveryPointsByBackupVault",
				"bedrock:GetAgent",
				"bedrock:GetAgentAlias",
				"bedrock:GetFlow",
				"bedrock:GetFlowAlias",
				"bedrock:GetGuardrail",
				"bedrock:GetImportedModel",
				"bedrock:GetInferenceProfile",
				"bedrock:GetMarketplaceModelEndpoint",
				"bedrock:ListAgentAliases",
				"bedrock:ListAgents",
				"bedrock:ListFlowAliases",
				"bedrock:ListFlows",
				"bedrock:ListGuardrails",
				"bedrock:ListImportedModels",
				"bedrock:ListInferenceProfiles",
				"bedrock:ListMarketplaceModelEndpoints",
				"bedrock:ListPromptRouters",
				"bedrock:ListProvisionedModelThroughputs",
				"budgets:ViewBudget",
				"cassandra:Select",
				"cloudfront:GetDistributionConfig",
				"cloudfront:ListDistributions",
				"cloudtrail:DescribeTrails",
				"cloudtrail:GetTrailStatus",
				"cloudtrail:LookupEvents",
				"cloudwatch:Describe*",
				"cloudwatch:Get*",
				"cloudwatch:List*",
				"codedeploy:BatchGet*",
				"codedeploy:List*",
				"directconnect:Describe*",
				"dynamodb:Describe*",
				"dynamodb:List*",
				"ec2:Describe*",
				"ec2:GetAllowedImagesSettings",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:GetInstanceMetadataDefaults",
				"ec2:GetSerialConsoleAccessStatus",
				"ec2:GetSnapshotBlockPublicAccessState",
				"ec2:GetTransitGatewayPrefixListReferences",
				"ec2:SearchTransitGatewayRoutes",
				"ecs:Describe*",
				"ecs:List*",
				"elasticache:Describe*",
				"elasticache:List*",
				"elasticfilesystem:DescribeAccessPoints",
				"elasticfilesystem:DescribeFileSystems",
				"elasticfilesystem:DescribeTags",
				"elasticloadbalancing:Describe*",
				"elasticmapreduce:Describe*",
				"elasticmapreduce:List*",
				"es:DescribeElasticsearchDomains",
				"es:ListDomainNames",
				"es:ListTags",
				"events:CreateEventBus",
				"fsx:DescribeFileSystems",
				"fsx:ListTagsForResource",
				"glacier:GetVaultNotifications",
				"glue:ListRegistries",
				"health:DescribeAffectedEntities",
				"health:DescribeEventDetails",
				"health:DescribeEvents",
				"kinesis:Describe*",
				"kinesis:List*",
				"kms:GetKeyPolicy",
				"kms:GetKeyRotationStatus",
				"lambda:GetPolicy",
				"lambda:ListAliases",
				"lambda:ListEventSourceMappings",
				"lambda:ListFunctions",
				"lambda:ListLayers",
				"lambda:ListProvisionedConcurrencyConfigs",
				"lambda:ListTags",
				"lambda:ListVersionsByFunction",
				"lightsail:GetInstancePortStates",
				"logs:DeleteSubscriptionFilter",
				"logs:DescribeSubscriptionFilters",
				"logs:PutSubscriptionFilter",
				"logs:TestMetricFilter",
				"memorydb:DescribeACLs",
				"memorydb:DescribeMultiRegionClusters",
				"memorydb:DescribeParameterGroups",
				"memorydb:DescribeReservedNodes",
				"memorydb:DescribeSnapshots",
				"memorydb:DescribeSubnetGroups",
				"memorydb:DescribeUsers",
				"oam:ListAttachedLinks",
				"oam:ListSinks",
				"organizations:DescribeAccount",
				"organizations:DescribeCreateAccountStatus",
				"organizations:DescribeEffectivePolicy",
				"organizations:DescribeHandshake",
				"organizations:DescribeOrganization",
				"organizations:DescribeOrganizationalUnit",
				"organizations:DescribePolicy",
				"organizations:DescribeResourcePolicy",
				"organizations:ListAccounts",
				"organizations:ListAccountsForParent",
				"organizations:ListAWSServiceAccessForOrganization",
				"organizations:ListChildren",
				"organizations:ListCreateAccountStatus",
				"organizations:ListDelegatedAdministrators",
				"organizations:ListDelegatedServicesForAccount",
				"organizations:ListHandshakesForAccount",
				"organizations:ListHandshakesForOrganization",
				"organizations:ListOrganizationalUnitsForParent",
				"organizations:ListParents",
				"organizations:ListPolicies",
				"organizations:ListPoliciesForTarget",
				"organizations:ListRoots",
				"organizations:ListTagsForResource",
				"organizations:ListTargetsForPolicy",
				"rds:Describe*",
				"rds:List*",
				"redshift:DescribeClusters",
				"redshift:DescribeLoggingStatus",
				"route53:List*",
				"s3:GetBucketLocation",
				"s3:GetBucketLogging",
				"s3:GetBucketNotification",
				"s3:GetBucketTagging",
				"s3:ListAccessGrants",
				"s3:ListAllMyBuckets",
				"s3:PutBucketNotification",
				"savingsplans:DescribeSavingsPlanRates",
				"savingsplans:DescribeSavingsPlans",
				"ses:Get*",
				"sns:GetSubscriptionAttributes",
				"sns:List*",
				"sns:Publish",
				"sqs:ListQueues",
				"states:DescribeStateMachine",
				"states:ListStateMachines",
				"support:DescribeTrustedAdvisor*",
				"support:RefreshTrustedAdvisorCheck",
				"tag:GetResources",
				"tag:GetTagKeys",
				"tag:GetTagValues",
				"timestream:DescribeEndpoints",
				"timestream:ListTables",
				"waf-regional:ListRuleGroups",
				"waf-regional:ListRules",
				"waf:ListRuleGroups",
				"waf:ListRules",
				"wafv2:GetIPSet",
				"wafv2:GetLoggingConfiguration",
				"wafv2:GetRegexPatternSet",
				"wafv2:GetRuleGroup",
				"wafv2:ListLoggingConfigurations",
				"xray:BatchGetTraces",
				"xray:GetTraceSummaries"
			],
			"Resource": "*"
		}
	]
}