Setting Up Cloud Security Management

Docs > Datadog Security > Cloud Security Management > Setting Up Cloud Security Management

Cloud Security Management offerings are now available in three separate packages: CSM Enterprise, CSM Pro, and CSM Workload Security. For more information, see Changes to Datadog Cloud Security Management.

Cloud Security Management (CSM) delivers real-time threat detection and continuous configuration audits across your entire cloud infrastructure, all in a unified view for seamless collaboration and faster remediation.

You can enable features that aren’t included in your package at any time by following the instructions on the CSM Setup page.

CSM is available in three packages: CSM Enterprise, CSM Pro, and CSM Workload Security. Each package includes access to a specific set of features, as shown in the following table:

Package	Features
CSM Enterprise	Threats Misconfigurations (cloud accounts and Agent) Identity Risks Vulnerabilities (container images and hosts)
CSM Pro	Misconfigurations (cloud accounts) Vulnerabilities (container images)
CSM Workload Security	Threats

Prerequisites

CSM Enterprise requires Datadog Agent 7.46 or later. Additionally, see the following requirements for CSM Threats and CSM Vulnerabilities:

CSM Threats

CSM Threats supports the following Linux distributions:

Ubuntu LTS (18.04, 20.04, and 22.04)
Debian 10 or later
Amazon Linux 2 (kernels 4.15, 5.4, and 5.10) and 2023
SUSE Linux Enterprise Server 12 and 15
Red Hat Enterprise Linux 7, 8, and 9
Oracle Linux 7, 8, and 9
CentOS 7
Custom kernel builds are not supported.

Notes:

For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see the Troubleshooting page.
Data collection is done using eBPF, so Datadog minimally requires platforms that have underlying Linux kernel versions of 4.15.0+ or have eBPF features backported.

CSM Vulnerabilities

Helm Chart v3.33.6 or later (Kubernetes only).
containerd v1.5.6 or later (Kubernetes and hosts only).

Note: CSM Vulnerabilities is not available for CRI-O runtime.

CSM Identity Risks

Note: At this time, CSM Identity Risks is available for AWS only.

To use CSM Identity Risks, you must enable resource collection for AWS. If you’ve already done this, no additional setup is required.

Notes:

If you’ve enabled CSM Misconfigurations for your AWS accounts, you already have cloud resource collection enabled.
Although not required, when you enable CloudTrail logs forwarding, you get additional insights based on the actual usage (or non-usage) of resources in your infrastructure, for example, users and roles with significant gaps between provisioned and used permissions.

CSM Pro requires Datadog Agent 7.46 or later. Additionally, see the following requirements for CSM Vulnerabilities:

Helm Chart v3.33.6 or later (Kubernetes only).
containerd v1.5.6 or later (Kubernetes and hosts only).

Note: CSM Vulnerabilities is not available for CRI-O runtime.

Datadog Agent 7.46 or later.
CSM Threats supports the following Linux distributions:
- Ubuntu LTS (18.04, 20.04, and 22.04)
- Debian 10 or later
- Amazon Linux 2 (kernels 4.15, 5.4, and 5.10) and 2023
- SUSE Linux Enterprise Server 12 and 15
- Red Hat Enterprise Linux 7, 8, and 9
- Oracle Linux 7, 8, and 9
- CentOS 7
- Custom kernel builds are not supported.

Notes:

Data collection is done using eBPF, so Datadog minimally requires platforms that have underlying Linux kernel versions of 4.15.0+ or have eBPF features backported.
For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see the Troubleshooting page.

Next steps

To get started setting up CSM, navigate to the Security > Setup section in Datadog, which has detailed steps on how to set up and configure CSM. For detailed instructions, see the CSM Enterprise, CSM Pro, and CSM Workload Security setup docs.

Setting Up Cloud Security Management

Prerequisites

CSM Threats

CSM Vulnerabilities

CSM Identity Risks

Next steps

Further Reading