Setting up Cloud Security Management

Docs > Datadog Security > Cloud Security Management > Setting up Cloud Security Management

Overview

Cloud Security Management (CSM) delivers real-time threat detection and continuous configuration audits across your entire cloud infrastructure, all in a unified view for seamless collaboration and faster remediation.

CSM is available in three packages: CSM Enterprise, CSM Pro, and CSM Workload Security. For more information, see Changes to Datadog Cloud Security Management. Each package includes access to a specific set of features, as shown in the following table:

Package	Features
CSM Enterprise	Threats Misconfigurations (cloud accounts, Agent, and KSPM) Identity Risks Vulnerabilities (container images and hosts) Agentless Scanning (container images and hosts)
CSM Pro	Misconfigurations (cloud accounts, Agent, and KSPM) Vulnerabilities (container images) Agentless Scanning (container images)
CSM Workload Security	Threats

Note: You can enable features that aren’t included in your package at any time by following the instructions on the CSM Setup page.

Prerequsites

The minimum Datadog Agent version required for CSM is 7.46 or higher.

Supported deployment types and features

The following table summarizes the CSM features available relative to each deployment type.

For more details, click each of the CSM feature headings to review additional requirements for that feature.

Deployment type	CSM Threats	CSM Agentless Scanning
Docker
Kubernetes
Linux
Amazon ECS/EKS
AWS Account		beta
Azure Account
GCP Account
Windows
AWS Fargate ECS/EKS	beta
Terraform		beta

The following tables represent additional prerequisites relative to each CSM feature.

CSM Threats

CSM Threats supports the following Linux distributions:

Linux Distributions	Supported Versions
Ubuntu LTS	18.04, 20.04, 22.04
Debian	10 or later
Amazon Linux 2	Kernels 4.15, 5.4, 5.10, and 2023
SUSE Linux Enterprise Server	12 and 15
Red Hat Enterprise Linux	7, 8, and 9
Oracle Linux	7, 8, and 9
CentOS	7

Notes:

Custom kernel builds are not supported.
For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see the Troubleshooting page.
Data collection is done using eBPF, so Datadog minimally requires platforms that have underlying Linux kernel versions of 4.15.0+ or have eBPF features backported.

CSM Vulnerabilities

Component	Version/Requirement
Helm Chart	v3.49.6 or later (Kubernetes only)
containerd	v1.5.6 or later (Kubernetes and hosts only)

Note: CSM Vulnerabilities is not available for CRI-O runtime and podman runtime.

Vulnerability scanning is supported for hosts and containers running the following OS versions:

OS	Supported Versions	Package Managers
Alpine Linux	2.2-2.7, 3.0-3.19 (edge is not supported)	apk
Wolfi Linux	N/A	apk
Chainguard	N/A	apk
Red Hat Enterprise Linux	6, 7, 8	dnf/yum/rpm
CentOS	6, 7, 8	dnf/yum/rpm
AlmaLinux	8, 9	dnf/yum/rpm
Rocky Linux	8, 9	dnf/yum/rpm
Oracle Linux	5, 6, 7, 8	dnf/yum/rpm
CBL-Mariner	1.0, 2.0	dnf/yum/rpm
Amazon Linux	1, 2, 2023	dnf/yum/rpm
openSUSE Leap	42, 15	zypper/rpm
SUSE Enterprise Linux	11, 12, 15	zypper/rpm
Photon OS	1.0, 2.0, 3.0, 4.0	tndf/yum/rpm
Debian GNU/Linux	7, 8, 9, 10, 11, 12 (unstable/sid is not supported)	apt/dpkg
Ubuntu	All versions supported by Canonical	apt/dpkg

CSM Identity Risks

Note: CSM Identity Risks is available for AWS and Azure.

To use CSM Identity Risks, you must enable resource collection for AWS. If you’ve already done this, no additional setup is required.

Notes:

If you’ve enabled CSM Misconfigurations for your AWS accounts, you already have cloud resource collection enabled.
Although not required, when you enable CloudTrail logs forwarding, you get additional insights based on the actual usage (or non-usage) of resources in your infrastructure, for example, users and roles with significant gaps between provisioned and used permissions.

Scope of coverage

The following table summarizes the scope of coverage available relative to each CSM feature.

Resources monitored	CSM Misconfigurations	CSM Threats	CSM Vulnerabilities	CSM Identity Risks	CSM Agentless scanning
Resources in AWS Account
Resources in Azure Subscription
Resources in GCP Project
Kubernetes Cluster
Docker Host
Linux Host
Docker Container
Container Image
IAM in AWS Account

Note: CSM Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, RDS, S3, and ELB.

Next steps

To get started setting up CSM, navigate to the Cloud Security Management Setup page in Datadog, which has detailed steps on how to configure CSM. For detailed setup instructions, see the CSM Enterprise, CSM Pro, CSM Workload Security, and CSM Agentless Scanning setup docs.