Setting up Cloud Security Management
Overview
Cloud Security Management (CSM) delivers real-time threat detection and continuous configuration audits across your entire cloud infrastructure, all in a unified view for seamless collaboration and faster remediation.
CSM is available in three packages: CSM Enterprise, CSM Pro, and CSM Workload Security. For more information, see Changes to Datadog Cloud Security Management. Each package includes access to a specific set of features, as shown in the following table:
Note: You can enable features that aren’t included in your package at any time by following the instructions on the CSM Setup page.
Prerequsites
- The minimum Datadog Agent version required for CSM is
7.46
or higher.
Supported deployment types and features
The following table summarizes the CSM features available relative to each deployment type.
For more details, click each of the CSM feature headings to review additional requirements for that feature.
The following tables represent additional prerequisites relative to each CSM feature.
CSM Threats
CSM Threats supports the following Linux distributions:
Linux Distributions | Supported Versions |
---|
Ubuntu LTS | 18.04, 20.04, 22.04 |
Debian | 10 or later |
Amazon Linux 2 | Kernels 4.15, 5.4, 5.10, and 2023 |
SUSE Linux Enterprise Server | 12 and 15 |
Red Hat Enterprise Linux | 7, 8, and 9 |
Oracle Linux | 7, 8, and 9 |
CentOS | 7 |
Notes:
- Custom kernel builds are not supported.
- For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see the Troubleshooting page.
- Data collection is done using eBPF, so Datadog minimally requires platforms that have underlying Linux kernel versions of 4.15.0+ or have eBPF features backported.
CSM Vulnerabilities
Component | Version/Requirement |
---|
Helm Chart | v3.49.6 or later (Kubernetes only) |
containerd | v1.5.6 or later (Kubernetes and hosts only) |
Note: CSM Vulnerabilities is not available for CRI-O runtime and podman runtime.
Vulnerability scanning is supported for hosts and containers running the following OS versions:
OS | Supported Versions | Package Managers |
---|
Alpine Linux | 2.2-2.7, 3.0-3.19 (edge is not supported) | apk |
Wolfi Linux | N/A | apk |
Chainguard | N/A | apk |
Red Hat Enterprise Linux | 6, 7, 8 | dnf/yum/rpm |
CentOS | 6, 7, 8 | dnf/yum/rpm |
AlmaLinux | 8, 9 | dnf/yum/rpm |
Rocky Linux | 8, 9 | dnf/yum/rpm |
Oracle Linux | 5, 6, 7, 8 | dnf/yum/rpm |
CBL-Mariner | 1.0, 2.0 | dnf/yum/rpm |
Amazon Linux | 1, 2, 2023 | dnf/yum/rpm |
openSUSE Leap | 42, 15 | zypper/rpm |
SUSE Enterprise Linux | 11, 12, 15 | zypper/rpm |
Photon OS | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
Debian GNU/Linux | 7, 8, 9, 10, 11, 12 (unstable/sid is not supported) | apt/dpkg |
Ubuntu | All versions supported by Canonical | apt/dpkg |
CSM Identity Risks
Note: CSM Identity Risks is available for AWS and Azure.
To use CSM Identity Risks, you must enable resource collection for AWS. If you’ve already done this, no additional setup is required.
Notes:
Scope of coverage
The following table summarizes the scope of coverage available relative to each CSM feature.
Resources monitored | CSM Misconfigurations | CSM Threats | CSM Vulnerabilities | CSM Identity Risks | CSM Agentless scanning |
---|
Resources in AWS Account | | | | | |
Resources in Azure Subscription | | | | | |
Resources in GCP Project | | | | | |
Kubernetes Cluster | | | | | |
Docker Host | | | | | |
Linux Host | | | | | |
Docker Container | | | | | |
Container Image | | | | | |
IAM in AWS Account | | | | | |
Note: CSM Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, RDS, S3, and ELB.
Next steps
To get started setting up CSM, navigate to the Cloud Security Management Setup page in Datadog, which has detailed steps on how to configure CSM. For detailed setup instructions, see the CSM Enterprise, CSM Pro, CSM Workload Security, and CSM Agentless Scanning setup docs.
Further Reading
Additional helpful documentation, links, and articles: