--- title: Set up App and API Protection for Go on AWS Fargate description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Enabling App and API Protection for Go > Set up App and API Protection for Go on AWS Fargate --- # Set up App and API Protection for Go on AWS Fargate {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Prerequisites{% #prerequisites %} - AWS Fargate environment - Go application containerized with Docker - Instrumented with the Datadog Go tracing library (see [version requirements](https://docs.datadoghq.com/security/application_security/setup/compatibility/go/)) - AWS CLI configured with appropriate permissions - Your Datadog API key ## 1. Installing the Datadog Agent Install the Datadog Agent in your Fargate task definition: ```json { "containerDefinitions": [ { "name": "datadog-agent", "image": "public.ecr.aws/datadog/agent:latest", "environment": [ { "name": "DD_API_KEY", "value": "" }, { "name": "DD_APM_ENABLED", "value": "true" }, { "name": "DD_APM_NON_LOCAL_TRAFFIC", "value": "true" } ] } ] } ``` ## 2. Enabling App and API Protection monitoring ### Building your application with Orchestrion{% #building-your-application-with-orchestrion %} To enable App and API Protection for Go, you need to compile your application with [Orchestrion](https://datadoghq.dev/orchestrion), Datadog's compile-time instrumentation tool. Update your Dockerfile to install Orchestrion and build your application: ```dockerfile FROM golang:1.23 AS builder # Install Orchestrion RUN go install github.com/DataDog/orchestrion@latest WORKDIR /app COPY go.mod go.sum ./ RUN go mod download # Register Orchestrion as a Go module RUN orchestrion pin COPY . . # Build with Orchestrion using the appsec tag RUN orchestrion go build -tags=appsec -o myapp . FROM gcr.io/distroless/base-debian12 # If building without CGO, ensure glibc libraries are available # COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/ # COPY --from=builder /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/ # COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/ COPY --from=builder /app/myapp /myapp CMD ["/myapp"] ``` {% collapsible-section %} ### APM Tracing Enabled Update your task definition to include the Go application container with App and API Protection configuration: ```json { "containerDefinitions": [ { "name": "your-go-app", "image": "your-go-app-image", "environment": [ { "name": "DD_APPSEC_ENABLED", "value": "true" }, { "name": "DD_SERVICE", "value": "" }, { "name": "DD_ENV", "value": "" } ] } ] } ``` {% /collapsible-section %} {% collapsible-section %} ### APM Tracing Disabled To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false. Update your task definition to include the Go application container with App and API Protection configuration with APM tracing disabled: ```json { "containerDefinitions": [ { "name": "your-go-app", "image": "your-go-app-image", "environment": [ { "name": "DD_APPSEC_ENABLED", "value": "true" }, { "name": "DD_APM_TRACING_ENABLED", "value": "false" }, { "name": "DD_SERVICE", "value": "" }, { "name": "DD_ENV", "value": "" } ] } ] } ``` {% /collapsible-section %} ## 3. Run your application Deploy your Fargate task with the updated configuration: ```bash aws ecs register-task-definition --cli-input-json file://task-definition.json aws ecs run-task --cluster your-cluster --task-definition your-task-definition ``` ## 4. Verify your setup To verify that App and API Protection is working correctly, send known attack patterns to your application. For example, trigger the [Security Scanner Detected](https://docs.datadoghq.com/security/default_rules/security-scan-detected/) rule by running a file that contains the following curl script: ```bash for ((i=1;i<=250;i++)); do # Target existing service's routes curl https://your-application-url/existing-route -A Arachni/v1.0; # Target non existing service's routes curl https://your-application-url/non-existing-route -A Arachni/v1.0; done ``` A few minutes after you enable your application and exercise it, threat information appears in the [Application Trace and Signals Explorer](https://app.datadoghq.com/security/appsec) in Datadog. ## Troubleshooting{% #troubleshooting %} If you encounter issues while setting up App and API Protection for your Go application, see the [Go App and API Protection troubleshooting guide](https://docs.datadoghq.com/security/application_security/setup/go/troubleshooting). ## Further Reading{% #further-reading %} - [How App and API Protection Works](https://docs.datadoghq.com/security/application_security/how-it-works/) - [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules/?category=cat-application-security) - [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting)