Overview
Join the Limited Availability!
Scanning support for Amazon S3 buckets and RDS instances is in Limited Availability. To enroll, click Request Access.
Deploy Datadog Agentless scanners in your environment to scan for sensitive information in your cloud storage resources. Agentless scanners are EC2 instances that you control and run within your environment. The scanners use Remote Configuration to retrieve a list of S3 buckets and RDS instances, as well as their dependencies. They scan many types of text files, such as CSV and JSON files in your S3 buckets, and tables in your RDS instances.
When an Agentless scanner finds a match with any of the SDS library rules, the scanning instance sends the rule type and the location of the match to Datadog. Note: Cloud storage resources and their files are only read in your environment; no sensitive data that was scanned is sent back to Datadog.
In the Sensitive Data Scanner Summary page, you can see what cloud storage resources have been scanned and any matches found, including the rules that matched them.
This document walks you through:
- Enabling Remote Configuration
- Security considerations
- Deploying scanners
- Scanning groups
- Cloud service provider cost
- Disabling and uninstalling Agentless scanning
Enable Remote Configuration
To use Sensitive Data Scanner in your AWS environments, you need to:
- Enable Remote Configuration. Remote Configuration allows Datadog to send information to scanners, such as which cloud storage resources should be scanned. See the Remote Configuration setup instructions.
- Use Remote-Configuration-enabled Datadog API keys for AWS accounts with scanners deployed to them. You need to manually enable Remote Configuration for the API keys you want to use for Agentless Scanning. See Enable Remote Configuration on the API key for instructions.
Notes:
- Only AWS accounts that have scanners deployed to them need Remote-Configuration-enabled Datadog API keys.
- Only admins with org_management permissions can enable Remote Configuration for your organization. After Remote Configuration has been enabled, only users with the api_keys_write permission can enable Remote Configuration for individual API keys.
Security considerations
Because the scanner instances are potentially granted access to sensitive data, Datadog recommends restricting access to these instances solely to administrative users.
To further mitigate this risk, Datadog implements the following security measures:
- The Datadog scanner operates within your infrastructure, ensuring that all data, including sensitive data results, remains isolated and secure.
- All data transmission between the scanner and Datadog is encrypted using industry standard protocols (such as HTTPS) to ensure data confidentiality and integrity.
- Datadog carefully reviews and limits the permissions needed by the scanner to ensure that it can conduct scans without unnecessary access. This means the scanner operates under the principle of least privilege and is granted only the minimum permissions necessary to perform effectively.
- Unattended security updates are enabled on Datadog’s scanner instances. This feature automates the process of installing critical security patches and updates without requiring manual intervention.
- The Datadog scanner instances are automatically rotated every 24 hours. This rotation ensures that the scanner instances are continually updated with the latest Ubuntu images.
- Access to the scanner instances is tightly controlled through the use of security groups. No inbound access to the scanner is allowed, further reducing the risk of compromising the instance.
To scan Amazon S3 buckets, these permissions are required:
- s3:GetObject
- s3:ListBucket
- kms:Decrypt
- kms:GenerateDataKey
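The least-privilege point above can be checked before a scanner role is attached. The following is an added example, not Datadog's code: it audits an IAM policy document for exactly the four actions listed for S3 scanning and flags wildcard actions or resources. The bucket and KMS key ARNs are placeholders, and both policy documents are constructed for illustration.

```python
# Added example (not Datadog's code): audit a scanner IAM policy for the four
# S3-scanning actions listed above. Bucket and KMS ARNs are placeholders.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "kms:Decrypt", "kms:GenerateDataKey"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_scanner_policy(policy):
    """Return a list of findings; an empty list means the policy is least-privilege."""
    findings = []
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        for action in sorted(actions):
            # Wildcards and anything outside the required set are over-privilege.
            if action.endswith("*") or action not in REQUIRED_ACTIONS:
                findings.append(f"unexpected action granted: {action}")
        if "*" in resources:
            findings.append(f"statement for {sorted(actions)} uses wildcard Resource")
        granted |= actions
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"required action missing: {action}")
    return findings


# Constructed policy documents: an over-broad one and a scoped one.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "kms:Decrypt", "kms:GenerateDataKey"]}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID-PLACEHOLDER"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_scanner_policy(policy) or "OK")
```

Feed it the output of an IAM get-policy-version call (parsed with json.loads) to audit a real role before the scanner is deployed.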
Deploy scanners
Agentless scanners are EC2 instances that run in your environment. They scan your S3 buckets and the tables in your RDS instances for sensitive information.
There are two methods for deploying scanners to your environment: automatically using CloudFormation, or manually using the Terraform module.
CloudFormation
When you deploy Agentless scanners using CloudFormation, a single scanner is created per account and scans across all of the account's regions. You set the region that the scanner is deployed in.
You can add a scanner to a new AWS account or an existing AWS account.
New AWS account
- Navigate to the Sensitive Data Scanner settings page.
- On the Storage tab, in the Cloud Settings section, click Add AWS accounts and follow these steps.
- Leave Automatically using CloudFormation enabled.
- Select the AWS region in the dropdown menu.
- Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection. Note: Only users with api_keys_write permissions can enable Remote Configuration for individual API keys.
- If you want to send AWS logs to Datadog, leave Yes selected.
- Select Yes if you want to use Datadog Cloud Security Management.
- Enable Sensitive Data Scanner is automatically selected by default. This tells CloudFormation to add the AWS Managed SecurityAudit policy to your Datadog AWS Integration role and enable Agentless Scanning to start scanning your cloud data stores.
- Click Launch CloudFormation Template.
Existing AWS account
- Navigate to the Sensitive Data Scanner settings page.
- On the Storage tab, in the AWS section:
- If you have Agentless scanning already enabled in an account:
- Click the pencil icon for the account.
- Toggle Enable Sensitive Data Scanning on to add the scanner to the account.
- Click Save.
- If you don’t have Agentless scanning enabled in an account:
- Click the plus icon for the account you want to enable sensitive data scanning for.
- Select that you want to add the scanner using CloudFormation.
- Select the AWS region in the dropdown menu.
- Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection.
- Toggle Enable Sensitive Data Scanning on to add the scanner to the account.
- Click Launch CloudFormation Template.
Terraform
You can deploy Agentless scanners using the Terraform module Datadog Agentless Scanner. Datadog recommends that you choose one of these two setup options if you manually deploy scanners:
- Create an AWS account dedicated to Agentless scanners. Deploy a scanner for every region that has cloud resources you want to scan.
- Deploy a scanner for every region that has cloud resources that you want to scan.
Scanning groups
In the Cloud Storage settings page, the Scanning Groups section is read-only. All library rules are applied within the scanning group.
Cloud service provider cost
When using Agentless Scanning, there are additional costs for running scanners in your cloud environments.
To establish estimates on scanner costs, reach out to your Datadog Customer Success Manager.
Disable Agentless scanning
- Navigate to the Sensitive Data Scanner settings page.
- Click the pencil icon next to the account for which you want to disable Agentless scanning.
- Toggle Enable Sensitive Data Scanning to off.
Uninstall Agentless scanning
To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning.