Setting up Cloud Security Management

Overview

Cloud Security Management (CSM) delivers real-time threat detection and continuous configuration audits across your entire cloud infrastructure, all in a unified view for seamless collaboration and faster remediation.

CSM is available in three packages: CSM Enterprise, CSM Pro, and CSM Workload Security. For more information, see Changes to Datadog Cloud Security Management. Each package includes access to a specific set of features, as shown in the following table:

Note: You can enable features that aren’t included in your package at any time by following the instructions on the CSM Setup page.

Prerequisites

  • CSM requires Datadog Agent version 7.46 or later.

Supported deployment types and features

The following table summarizes the CSM features available relative to each deployment type.

For more details, click each of the CSM feature headings to review additional requirements for that feature.
Type | Agent Required (7.46+) | CSM Misconfigurations | CSM Threats | CSM Vulnerabilities | CSM Identity Risks
Docker
Kubernetes
Linux
Amazon ECS/EKS
AWS Account
Azure Account
GCP Account
Windows (beta)
AWS Fargate ECS/EKS (beta)

The following tables represent additional prerequisites relative to each CSM feature.

CSM Threats

CSM Threats supports the following Linux distributions:

Linux Distributions | Supported Versions
Ubuntu LTS | 18.04, 20.04, 22.04
Debian | 10 or later
Amazon Linux 2 | Kernels 4.15, 5.4, 5.10, and 2023
SUSE Linux Enterprise Server | 12 and 15
Red Hat Enterprise Linux | 7, 8, and 9
Oracle Linux | 7, 8, and 9
CentOS | 7

Notes:

  • Custom kernel builds are not supported.
  • For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see the Troubleshooting page.
  • Data collection uses eBPF, so Datadog requires, at minimum, platforms with an underlying Linux kernel version of 4.15.0 or later, or with eBPF features backported.

CSM Vulnerabilities

Component | Version/Requirement
Helm Chart | v3.49.6 or later (Kubernetes only)
containerd | v1.5.6 or later (Kubernetes and hosts only)

Note: CSM Vulnerabilities is not available for the following container runtimes:

  • CRI-O runtime
  • podman runtime
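
The following preflight check is an added example, not Datadog's code: it compares host values you supply against the Agent, CSM Threats, and CSM Vulnerabilities prerequisites listed above. The function names are hypothetical, and reading the Amazon Linux row as releases 2 and 2023 is an assumption.

```shell
#!/bin/sh
# Added example (not Datadog code): check supplied host values against the
# prerequisites on this page. Function names are hypothetical.

# ver_ge A B: succeed when dotted numeric version A >= B. A leading "v" and
# suffixes such as "-91-generic" are ignored.
ver_ge() (
  a=${1#v}; b=${2#v}
  a=${a%%[!0-9.]*}; b=${b%%[!0-9.]*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
)

# distro_ok ID VERSION_ID (fields of /etc/os-release): CSM Threats distributions.
# Assumption: the Amazon Linux row is read as releases 2 and 2023.
distro_ok() {
  case "$1:$2" in
    ubuntu:18.04|ubuntu:20.04|ubuntu:22.04|amzn:2|amzn:2023) return 0 ;;
    debian:*) ver_ge "$2" 10 ;;
    sles:12*|sles:15*|centos:7*|rhel:[789]*|ol:[789]*) return 0 ;;
    *) return 1 ;;
  esac
}

# kernel_ok RELEASE (from uname -r): 4.15.0 or later for eBPF. Backported eBPF
# is not visible in the version string, so a failure means "verify manually".
kernel_ok() { ver_ge "$1" 4.15.0; }

# runtime_ok NAME VERSION: CSM Vulnerabilities needs containerd v1.5.6 or later;
# CRI-O and podman are listed as unavailable, and other runtimes also fail here.
runtime_ok() { [ "$1" = containerd ] && ver_ge "$2" 1.5.6; }

# csm_preflight AGENT OS_ID OS_VERSION KERNEL RUNTIME RUNTIME_VERSION
# Prints PASS/FAIL per check and returns the number of failed checks.
csm_preflight() {
  fails=0
  check() { if "$@"; then echo "PASS $*"; else echo "FAIL $*"; fails=$((fails + 1)); fi; }
  check ver_ge "$1" 7.46   # Datadog Agent 7.46 or later
  check distro_ok "$2" "$3"
  check kernel_ok "$4"
  check runtime_ok "$5" "$6"
  return "$fails"
}
```

On a live host, the arguments would come from `datadog-agent version`, the `ID` and `VERSION_ID` fields of `/etc/os-release`, `uname -r`, and `containerd --version`.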

CSM Identity Risks

Note: At this time, CSM Identity Risks is available for AWS only.

To use CSM Identity Risks, you must enable resource collection for AWS. If you’ve already done this, no additional setup is required.

Scope of coverage

The following table summarizes the scope of coverage available relative to each CSM feature.

Resource types | CSM Misconfigurations | CSM Threats | CSM Vulnerabilities | CSM Identity Risks
Resources in AWS Account
Resources in Azure Subscription
Resources in GCP Project
Kubernetes Cluster
Docker Host
Linux Host
Docker Container
Container Image
IAM in AWS Account

Note: CSM Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, RDS, S3, and ELB.

Next steps

To get started setting up CSM, navigate to the Security > Setup section in Datadog, which has detailed steps on how to configure CSM. For detailed setup instructions, see the CSM Enterprise, CSM Pro, and CSM Workload Security setup docs.
