ASM support for AWS Lambda is in beta. Threat detection is done by using the Lambda extension.

You can monitor your functions running in AWS Lambda with Datadog Application Security Management (ASM). See Compatibility for information about what ASM features are supported for serverless functions.

In general, setting up ASM for AWS Lambda involves:

  1. Identifying functions that are vulnerable or are under attack, which would most benefit from ASM. Find them on the Security tab of your Service Catalog.
  2. Setting up ASM instrumentation, either with the Datadog Serverless Framework plugin or by manually configuring the required layers.
  3. Triggering security signals in your application and seeing how Datadog displays the resulting information.

Prerequisites

  • Serverless APM is configured on the Lambda function to send traces directly to Datadog. The X-Ray integration for sending trace data to APM does not support the data ASM needs to monitor functions.

Get started

The Datadog Serverless Framework plugin automatically configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.

To install and configure the Datadog Serverless Framework plugin:

  1. Install the Datadog Serverless Framework plugin:
    serverless plugin install --name serverless-plugin-datadog
    
  2. Enable ASM by updating your serverless.yml (or whichever way you set environment variables for your function):
    environment:
      AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper
      DD_SERVERLESS_APPSEC_ENABLED: true
    
  3. Redeploy the function and invoke it. After a few minutes, it appears in ASM views.

  1. Install the Datadog tracer:

    • Python

      # Use this format for x86-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:72
      # Use this format for arm64-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:72
      # Use this format for x86-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:72
      # Use this format for arm64-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:72

      Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38` and `Python39`.

    • Node

      # Use this format for AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:91
      # Use this format for AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:91

      Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Node12-x`, `Node14-x`, `Node16-x` and `Node18-x`.

    • Java: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # In AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-java:8
      # In AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:8
      
    • Go: The Go tracer doesn’t rely on a layer and is a regular Go module. You can upgrade to its latest version with:

      go get -u github.com/DataDog/datadog-lambda-go
      
    • .NET: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # x86-based Lambda in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-dotnet:6
      # arm64-based Lambda in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-dotnet-ARM:6
      # x86-based Lambda in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet:6
      # arm64-based Lambda in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet-ARM:6
      
  2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace <AWS_REGION> with a valid AWS region such as us-east-1:
    # x86-based Lambda in AWS commercial regions
    arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:36
    # arm64-based Lambda in AWS commercial regions
    arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:36
    # x86-based Lambda in AWS GovCloud regions
    arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:36
    # arm64-based Lambda in AWS GovCloud regions
    arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:36
    

  1. Install the Datadog tracer:

    • Python

      # Use this format for x86-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:72
      # Use this format for arm64-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:72
      # Use this format for x86-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:72
      # Use this format for arm64-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:72

      Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38`, `Python39`, `Python310`, and `Python311`.

    • Node

      # Use this format for AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:91
      # Use this format for AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:91

      Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Node12-x`, `Node14-x`, `Node16-x` and `Node18-x`.

      
    • Java: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # In AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-java:8
      # In AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:8
      
    • Go: The Go tracer doesn’t rely on a layer and is a regular Go module. You can upgrade to its latest version with:

      go get -u github.com/DataDog/datadog-lambda-go
      
    • .NET: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # x86-based Lambda in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-dotnet:6
      # arm64-based Lambda in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-dotnet-ARM:6
      # x86-based Lambda in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet:6
      # arm64-based Lambda in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet-ARM:6
      
  2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

    # x86-based Lambda in AWS commercial regions
    arn:aws:lambda:<AWS_REGION>:417141415827:layer:Datadog-Extension:36
    # arm64-based Lambda in AWS commercial regions
    arn:aws:lambda:<AWS_REGION>:417141415827:layer:Datadog-Extension-ARM:36
    # x86-based Lambda in AWS GovCloud regions
    arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:36
    # arm64-based Lambda in AWS GovCloud regions
    arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:36
    

  1. Enable ASM by adding the following environment variables on your function deployment:

    environment:
      AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper
      DD_SERVERLESS_APPSEC_ENABLED: true
    

    For Node.js or Python functions, also add:

    environment:
      DD_TRACE_ENABLED: true
    
  2. For Node and Python functions only, double-check that the function’s handler is set correctly:

    • Node: Set your function’s handler to /opt/nodejs/node_modules/datadog-lambda-js/handler.handler.
      • Also, set the environment variable DD_LAMBDA_HANDLER to your original handler, for example, myfunc.handler.
    • Python: Set your function’s handler to datadog_lambda.handler.handler.
      • Also, set the environment variable DD_LAMBDA_HANDLER to your original handler, for example, myfunc.handler.
  3. Redeploy the function and invoke it. After a few minutes, it appears in ASM views.
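As an added check that is not part of the Datadog documentation or tooling, the following Python script audits a function configuration against the wiring the manual-layer and environment-variable steps above describe: the `/opt/datadog_wrapper` and `DD_SERVERLESS_APPSEC_ENABLED` variables, the handler redirect plus `DD_LAMBDA_HANDLER` for Node and Python, and Datadog-published layer ARNs in the function's own partition, region and architecture. The input mirrors the dict returned by `aws lambda get-function-configuration`; the two sample configurations, the function names, the `DATADOG_ACCOUNTS` table (copied from the ARNs on this page) and the assumption that only the extension, Python and .NET layers have a `-ARM` build are this example's own, not a Datadog contract.

```python
"""Audit a Lambda function's configuration for the Datadog ASM wiring described
above. Added example, not Datadog's tooling. Sample configs are constructed."""
import re

# Layer ARN shape used on this page:
# arn:<partition>:lambda:<region>:<account>:layer:<name>:<version>
LAYER_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov):lambda:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):layer:(?P<name>[A-Za-z0-9._-]+):(?P<version>\d+)$"
)
# Publisher accounts taken from the ARNs on this page, keyed by partition.
DATADOG_ACCOUNTS = {"aws": {"464622532012", "417141415827"},
                    "aws-us-gov": {"002406178527"}}
# Tracer layer name prefix per runtime family (Go uses a module, not a layer).
TRACER_LAYER_PREFIX = {"python": "Datadog-Python", "nodejs": "Datadog-Node",
                       "java": "dd-trace-java", "dotnet": "dd-trace-dotnet"}
# Assumption: only these layers have a separate "-ARM" build on the page.
ARM_VARIANT_PREFIXES = ("Datadog-Extension", "Datadog-Python", "dd-trace-dotnet")
# Handler redirect the page requires for Node and Python functions.
HANDLER_REDIRECT = {"python": "datadog_lambda.handler.handler",
                    "nodejs": "/opt/nodejs/node_modules/datadog-lambda-js/handler.handler"}


def parse_layer_arn(arn):
    """Split a layer ARN into its fields; return None if it is malformed."""
    m = LAYER_ARN.match(arn)
    return m.groupdict() if m else None


def runtime_family(runtime):
    """Map an AWS runtime id ('python3.9', 'nodejs18.x', ...) to a family name."""
    for family in TRACER_LAYER_PREFIX:
        if runtime.startswith(family):
            return family
    return "other"  # e.g. provided.al2 for Go: no tracer layer expected


def audit_asm_config(cfg):
    """Return a list of findings; an empty list means the wiring matches the page."""
    findings = []
    env = cfg.get("Environment", {}).get("Variables", {})
    parts = cfg["FunctionArn"].split(":")
    partition, region = parts[1], parts[3]
    arm = cfg.get("Architectures", ["x86_64"]) == ["arm64"]
    family = runtime_family(cfg.get("Runtime", ""))

    if env.get("AWS_LAMBDA_EXEC_WRAPPER") != "/opt/datadog_wrapper":
        findings.append("AWS_LAMBDA_EXEC_WRAPPER is not /opt/datadog_wrapper")
    if env.get("DD_SERVERLESS_APPSEC_ENABLED", "").lower() != "true":
        findings.append("DD_SERVERLESS_APPSEC_ENABLED is not true")
    if family in HANDLER_REDIRECT:  # Node and Python need the handler redirect
        if env.get("DD_TRACE_ENABLED", "").lower() != "true":
            findings.append("DD_TRACE_ENABLED is not true")
        if cfg.get("Handler") != HANDLER_REDIRECT[family]:
            findings.append(f"Handler should be {HANDLER_REDIRECT[family]}")
        if not env.get("DD_LAMBDA_HANDLER"):
            findings.append("DD_LAMBDA_HANDLER (original handler) is not set")

    datadog_layers = []
    for layer in cfg.get("Layers", []):
        parsed = parse_layer_arn(layer["Arn"])
        if parsed is None:
            findings.append(f"malformed layer ARN: {layer['Arn']}")
            continue
        # A layer must live in the function's own partition and region.
        if (parsed["partition"], parsed["region"]) != (partition, region):
            findings.append(f"layer {parsed['name']} is outside the function's region")
        if parsed["account"] not in DATADOG_ACCOUNTS[parsed["partition"]]:
            continue  # not a Datadog-published layer; nothing more to check
        name = parsed["name"]
        if name.startswith(ARM_VARIANT_PREFIXES) and name.endswith("-ARM") != arm:
            findings.append(f"layer {name} does not match the function's architecture")
        datadog_layers.append(name)

    if not any(n.startswith("Datadog-Extension") for n in datadog_layers):
        findings.append("Datadog-Extension layer is missing")
    prefix = TRACER_LAYER_PREFIX.get(family)
    if prefix and not any(n.startswith(prefix) for n in datadog_layers):
        findings.append(f"tracer layer {prefix}* is missing for {cfg.get('Runtime')}")
    return findings


# Constructed sample: arm64 Python function wired as the page describes.
SAMPLE_OK = {
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
    "Runtime": "python3.9", "Handler": "datadog_lambda.handler.handler",
    "Architectures": ["arm64"],
    "Environment": {"Variables": {
        "AWS_LAMBDA_EXEC_WRAPPER": "/opt/datadog_wrapper",
        "DD_SERVERLESS_APPSEC_ENABLED": "true", "DD_TRACE_ENABLED": "true",
        "DD_LAMBDA_HANDLER": "myfunc.handler"}},
    "Layers": [
        {"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Python39-ARM:72"},
        {"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension-ARM:36"}],
}
# Constructed sample: x86 Node function missing the wrapper and handler redirect,
# with an arm64 extension layer attached by mistake.
SAMPLE_BAD = {
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
    "Runtime": "nodejs18.x", "Handler": "myfunc.handler",
    "Architectures": ["x86_64"],
    "Environment": {"Variables": {"DD_SERVERLESS_APPSEC_ENABLED": "true",
                                  "DD_TRACE_ENABLED": "true"}},
    "Layers": [
        {"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Node18-x:91"},
        {"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension-ARM:36"}],
}
```

Feed it the JSON from `aws lambda get-function-configuration --function-name <name>` and treat a non-empty findings list as a misconfiguration to fix before relying on ASM signals; the script only reads the configuration and never modifies the function. `audit_asm_config(SAMPLE_BAD)` reports four findings (missing wrapper, handler not redirected, missing `DD_LAMBDA_HANDLER`, architecture mismatch on the extension layer), while `SAMPLE_OK` yields none.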

To see Application Security Management threat detection in action, send known attack patterns to your application. For example, send an HTTP header with value acunetix-product to trigger a security scanner attack attempt:

curl -H 'My-ASM-Test-Header: acunetix-product' https://your-function-url/existing-route

A few minutes after you enable your application and exercise it, threat information appears in the Application Signals Explorer.

Security Signal details page showing tags, metrics, suggested next steps, and attacker IP addresses associated with a threat.

Further reading