Set up App and API Protection for Python on AWS Fargate
This product is not supported for your selected
Datadog site. (
).
Overview
App and API Protection leverages the Datadog Python library to monitor and secure your Python service. The library integrates seamlessly with your existing application without requiring code changes.
For detailed compatibility information, including supported Python versions, frameworks, and deployment environments, see Python Compatibility Requirements.
This guide explains how to set up App and API Protection (AAP) for Python applications. The setup involves:
- Installing the Datadog Agent
- Enabling App and API Protection monitoring
- Running your Python application with the Datadog Agent
- Verifying the setup
Prerequisites
- AWS Fargate environment
- Python application containerized with Docker
- AWS CLI configured with appropriate permissions
- Your Datadog API key
- Datadog Python tracing library (see version requirements)
1. Installing the Datadog Agent
Install the Datadog Agent in your Fargate task definition:
{
"containerDefinitions": [
{
"name": "datadog-agent",
"image": "public.ecr.aws/datadog/agent:latest",
"environment": [
{
"name": "DD_API_KEY",
"value": "<YOUR_API_KEY>"
},
{
"name": "DD_APM_ENABLED",
"value": "true"
},
{
"name": "DD_APM_NON_LOCAL_TRAFFIC",
"value": "true"
}
]
}
]
}
2. Enabling App and API Protection monitoring
Automatically enabling App and API Protection through Remote Configuration
You can enable remote configuration on your services dashboard.
Simply check the box for the service you want to enable App and API Protection for under "Activate on your APM services".
Manually enabling App and API Protection monitoring
Install the Datadog Python tracing library in your application environment:
Configure and run your service with Datadog:
Update your task definition to include the Python agent and App and API Protection configuration:
{
"containerDefinitions": [
{
"name": "your-python-app",
"image": "your-python-app-image",
"environment": [
{
"name": "DD_APPSEC_ENABLED",
"value": "true"
},
{
"name": "DD_SERVICE",
"value": "<YOUR_SERVICE_NAME>"
},
{
"name": "DD_ENV",
"value": "<YOUR_ENVIRONMENT>"
}
],
"command": [
"ddtrace-run",
"python",
"app.py"
]
}
]
}
To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false.
Update your task definition to include the Python agent and App and API Protection configuration with APM tracing disabled:
{
"containerDefinitions": [
{
"name": "your-python-app",
"image": "your-python-app-image",
"environment": [
{
"name": "DD_APPSEC_ENABLED",
"value": "true"
},
{
"name": "DD_APM_TRACING_ENABLED",
"value": "false"
},
{
"name": "DD_SERVICE",
"value": "<YOUR_SERVICE_NAME>"
},
{
"name": "DD_ENV",
"value": "<YOUR_ENVIRONMENT>"
}
],
"command": [
"ddtrace-run",
"python",
"app.py"
]
}
]
}
3. Run your application
Deploy your Fargate task with the updated configuration:
aws ecs register-task-definition --cli-input-json file://task-definition.json
aws ecs run-task --cluster your-cluster --task-definition your-task-definition
4. Verify setup
To verify that App and API Protection is working correctly:
- Send some traffic to your application.
- Check for security signals and vulnerabilities in the Application Signals Explorer in Datadog.
Troubleshooting
If you encounter issues while setting up App and API Protection for your Python application, see the Python App and API Protection troubleshooting guide.
Further Reading
Additional helpful documentation, links, and articles:
