Set up App and API Protection for PHP on AWS Fargate
This product is not supported for your selected
Datadog site. (
).
Overview
App and API Protection leverages the Datadog PHP library to monitor and secure your PHP service. The library integrates seamlessly with your existing application without requiring code changes.
For detailed compatibility information, including supported PHP versions, frameworks, and deployment environments, see PHP Compatibility Requirements.
This guide explains how to set up App and API Protection (AAP) for PHP applications. The setup involves:
- Installing the Datadog Agent
- Enabling App and API Protection monitoring
- Running your PHP application with the Datadog Agent
- Verifying the setup
Prerequisites
- AWS Fargate environment
- PHP application containerized with Docker
- AWS CLI configured with appropriate permissions
- Your Datadog API key
- Datadog PHP tracing library (see version requirements)
1. Installing the Datadog Agent
Install the Datadog Agent in your Fargate task definition:
{
"containerDefinitions": [
{
"name": "datadog-agent",
"image": "public.ecr.aws/datadog/agent:latest",
"environment": [
{
"name": "DD_API_KEY",
"value": "<YOUR_API_KEY>"
},
{
"name": "DD_APM_ENABLED",
"value": "true"
},
{
"name": "DD_APM_NON_LOCAL_TRAFFIC",
"value": "true"
},
{
"name": "DD_SITE",
"value": ""
}
]
}
]
}
2. Enabling App and API Protection monitoring
Automatically enabling App and API Protection through Remote Configuration
You can enable remote configuration on your services dashboard.
Simply check the box for the service you want to enable App and API Protection for under "Activate on your APM services".
Manually enabling App and API Protection monitoring
Ensure your Dockerfile includes the Datadog PHP library:
Add the following to your Dockerfile:
# Install dd-trace-php
RUN curl -LO https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php
RUN php datadog-setup.php --php-bin=all
# Enable appsec
ENV DD_APPSEC_ENABLED=true
# Configure your service
ENV DD_SERVICE=<YOUR_SERVICE_NAME>
ENV DD_ENV=<YOUR_ENVIRONMENT>
Update your task definition to include the PHP application container with App and API Protection configuration:
{
"containerDefinitions": [
{
"name": "your-php-app",
"image": "your-php-app-image",
"environment": [
{
"name": "DD_APPSEC_ENABLED",
"value": "true"
},
{
"name": "DD_SERVICE",
"value": "<YOUR_SERVICE_NAME>"
},
{
"name": "DD_ENV",
"value": "<YOUR_ENVIRONMENT>"
},
{
"name": "DD_SITE",
"value": "<span class="js-region-param region-param" data-region-param="dd_site"></span>"
}
]
}
]
}
To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false.
Update your task definition to include the PHP application container with App and API Protection configuration:
{
"containerDefinitions": [
{
"name": "your-php-app",
"image": "your-php-app-image",
"environment": [
{
"name": "DD_APPSEC_ENABLED",
"value": "true"
},
{
"name": "DD_APM_TRACING_ENABLED",
"value": "false"
},
{
"name": "DD_SERVICE",
"value": "<YOUR_SERVICE_NAME>"
},
{
"name": "DD_ENV",
"value": "<YOUR_ENVIRONMENT>"
},
{
"name": "DD_SITE",
"value": "<span class="js-region-param region-param" data-region-param="dd_site"></span>"
}
]
}
]
}
3. Running your application
Deploy your Fargate task with the updated configuration:
aws ecs register-task-definition --cli-input-json file://task-definition.json
aws ecs run-task --cluster your-cluster --task-definition your-task-definition
4. Verify setup
To verify that App and API Protection is working correctly:
- Send some traffic to your application
- Check the Application Signals Explorer in Datadog
- Look for security signals and vulnerabilities
Troubleshooting
If you encounter issues while setting up App and API Protection for your PHP application, see the PHP App and API Protection troubleshooting guide.
Further reading
Additional helpful documentation, links, and articles:
