Safety Center

Datadog Safety Center is in public beta.

Overview

Datadog’s Safety Center in Organization Settings is a centralized location for security alerts and best practices. Administrators of an organization can open this page to review recommendations and take action on high priority security warnings and alerts.

Safety Center Overview page

Security Alerts

If your organization has a high priority security alert, it appears in the Security Alerts section of Safety Center. Safety Center supports two types of alerts: leaked application keys and leaked API keys.

A leaked key alert means that one or more private keys (application or API) have been compromised or publicly exposed on the internet. Exposed keys have to be revoked as soon as possible to minimize security risks to your organization. Removing the file containing the key from a public site such as GitHub does not guarantee it was not already accessed by another party.

Revoking leaked API key

Configuration

The Configuration tab in Safety Center allows setting Security Contacts - primary and secondary email addresses to receive security notifications for your Datadog organization. Upon detecting security issues, like publicly exposed Datadog keys needing rotation, your assigned Security Contacts gets notified.

Setting Security Contacts

It is important to keep Security Contacts up to date to ensure that potential security risks are promptly addressed and mitigated. The Safety Center page reminds you to review assigned Security Contacts every 6 months.

Access & Sharing

The Access & Sharing section in Safety Center lists entities that allow external access to your Datadog organization. It highlights:

  • OAuth applications that have been inactive for 60+ days or have write access and have been inactive for 30+ days.
  • API keys that have been unused for 30+ days.

OAuth Apps

Inactive OAuth applications can pose a potential security risk to your organization if compromised. They should be reviewed regularly and those applications that are no longer in use should be disabled.

Disabling unused OAuth app

API Keys

Unused API keys can facilitate unauthorized access to your organization if they become exposed on the internet. Unused keys need to be reviewed and revoked if your organization’s infrastructure does not rely on them.

Revoking unused API key

Users

In order to keep your organization safe it is important to follow best practices for user management. The Users page in Safety Center surfaces user-related security recommendations:

  • User invites that have not been accepted for 30+ days.
  • Admin users in the event their number exceeds 10% of all users within an organization.

Pending Invites

Having inactive user accounts or stale pending user invites increases the surface for a potential account takeover attack. That can be especially dangerous if inactive user accounts have high-privilege access. To keep the number of inactive users to a minimum consider either resending old pending invites or deleting them if those users do not need access to the Datadog platform.

Resending pending invite
Deleting pending invite

Admins

Giving admin access to users without careful consideration increases potential security risks in the event where a user account with elevated privileges gets compromised. To keep the number of users with admin access low, review your admin users regularly and revoke admin privileges if users do not require them.

Editing admin user

Further reading

Additional helpful documentation, links, and articles:

API and application keysDOCUMENTATION more more User managementDOCUMENTATION more more OAuth AppsDOCUMENTATION more more