Use the following instructions to enable CSM Misconfigurations and CSM Identity Risks for your cloud accounts. To learn more about the supported deployment types for each CSM feature, see Setting Up Cloud Security Management.

Enable resource scanning

To enable resource scanning for your cloud accounts, you must first set up the integration and then enable CSM for each AWS account, Azure subscription, and Google Cloud project.

Set up the Datadog AWS integration

If you haven’t already, set up the Amazon Web Services integration. You must also add the required permissions for resource collection.

Enable CSM for your AWS accounts

Use one of the following methods to enable CSM for your AWS accounts:

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud accounts.
  2. Expand the AWS section.
  3. To enable resource collection for an account, click the Resource Scanning toggle.
  4. To create a filter that excludes certain resources from being evaluated by CSM, click the Plus (+) icon under Resource Evaluation Filters (Optional). For more information, see Use Filters to Exclude Resources from Evaluation.
  5. Click Done.

Amazon Web Services integration page

  1. On the Amazon Web Services Integration page, select an AWS account.
  2. On the Resource Collection tab, select the Cloud Security Posture Management Collection checkbox.
  3. Click Save.

Set up the Datadog Azure integration

If you haven’t already, set up the Microsoft Azure integration.

Note: To access the full set of Azure compliance rules for CSM Misconfigurations, you must enable the Application.Read.All, Directory.Read.All, Group.Read.All, Policy.Read.All, and User.Read.All permissions for the Microsoft Graph API.

Enable CSM for your Azure subscriptions

Use one of the following methods to enable CSM for your Azure subscriptions:

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud accounts.
  2. Expand the Azure section.
  3. To enable resource collection for a subscription, click the Resource Scanning toggle.
  4. To create a filter that excludes certain resources from being evaluated by CSM, click the Plus (+) icon under Resource Evaluation Filters (Optional). For more information, see Use Filters to Exclude Resources from Evaluation.
  5. Click Done.

Azure integration page

  1. On the Azure Integration page, select an Azure app registration.
  2. Under Resource Collection, select the Collect resources for Cloud Security Posture Management checkbox.
  3. Click Submit Changes.

Set up the Datadog Google Cloud Platform integration

The Datadog Google Cloud Platform integration uses service accounts to create an API connection between Google Cloud and Datadog. To enable metric collection, create a service account, and then provide Datadog with the service account credentials so that it can make API calls on your behalf. For step-by-step instructions, see Create your Google Cloud service account.

Note: Google Cloud billing, the Cloud Monitoring API, the Compute Engine API, and the Cloud Asset API must all be enabled for the projects you wish to monitor.

Datadog

  1. In Datadog, navigate to the Google Cloud Platform Integration page.
  2. On the Configuration tab, locate the service account and select Upload Private Key File to integrate the project with Datadog.
  3. Upload the JSON file, then click Update Configuration.
  4. To monitor multiple projects, use one of the following methods:
    • Repeat the process above to use multiple service accounts.
    • Use the same service account by updating the project_id in the downloaded JSON file. Then, upload the file to Datadog as described in steps 1-3.
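The second multi-project method above amounts to editing one field of a credential file that also carries a private key. The following Python script is an added example (not Datadog's or Google's code) showing how to do that safely: it checks that the downloaded JSON really is a service account key, derives one copy per project with only project_id changed, and writes each copy with owner-only file permissions. The sample key, project IDs and output directory are constructed placeholders.

```python
"""Derive per-project copies of a Google Cloud service account key for the Datadog integration.

Added example, not Datadog's or Google's own code. Validates the downloaded key file,
then writes one copy per project_id with mode 0600, since each copy contains the private key.
"""
import json
import os
from pathlib import Path

# Fields every Google service account key file carries; a missing one means the wrong file
# (for example an OAuth client secret) was downloaded.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id")


def validate_key(key):
    """Raise ValueError if `key` (a parsed JSON dict) is not a service account key."""
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError(f"not a service account key, missing: {', '.join(missing)}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type {key['type']!r}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    return key


def is_valid_key(key):
    """Boolean wrapper around validate_key for callers that just want a yes/no."""
    try:
        validate_key(key)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


def per_project_keys(key, project_ids):
    """Return {project_id: key_dict} with only project_id changed. The credential itself is
    shared, so the service account must already have the required roles in each listed project."""
    validate_key(key)
    return {pid: {**key, "project_id": pid} for pid in project_ids}


def write_key_files(keys, out_dir):
    """Write one JSON file per project, created with mode 0600, and return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for pid, key in keys.items():
        path = out / f"datadog-{pid}.json"
        # os.open with an explicit mode avoids a window where the file is world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(key, fh, indent=2)
        paths.append(path)
    return paths


# Constructed sample key (not a real credential): the private_key is a dummy PEM body.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project-a",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----\n",
    "client_email": "datadog-integration@example-project-a.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
}

if __name__ == "__main__":
    derived = per_project_keys(SAMPLE_KEY, ["example-project-a", "example-project-b"])
    for written in write_key_files(derived, "keys-out"):
        print(written)
```

Upload each written file through the integration page as described in steps 1-3; client_email stays the same in every copy because the service account still belongs to its original project.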

Enable CSM for your Google Cloud projects

Use one of the following methods to enable CSM for your Google Cloud projects:

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud accounts.
  2. Expand the GCP section.
  3. To enable resource collection for a project, click the Resource Scanning toggle.
  4. To create a filter that excludes certain resources from being evaluated by CSM, click the Plus (+) icon under Resource Evaluation Filters (Optional). For more information, see Use Filters to Exclude Resources from Evaluation.
  5. Click Done.

Google Cloud Platform integration page

  1. On the Google Cloud Platform Integration page, select a Google Cloud project.
  2. Under Resource Collection, select the Enable Cloud Security Posture Management checkbox.
  3. Click Save.

Set up CloudTrail logs forwarding

Set up the Datadog AWS integration

If you haven’t already, set up the Amazon Web Services integration.

Enable AWS CloudTrail logging

Enable AWS CloudTrail logging so that logs are sent to an S3 bucket.

  1. Click Create trail on the CloudTrail dashboard.
  2. Enter a name for your trail.
  3. Create a new S3 bucket or use an existing S3 bucket to store the CloudTrail logs.
  4. Create a new AWS KMS key or use an existing AWS KMS key. Click Next.
  5. Leave the event type at its default (management read and write events), or choose additional event types to send to Datadog.
  6. Click Next.
  7. Review and click Create trail.

Send AWS CloudTrail logs to Datadog

Set up a trigger on your Datadog Forwarder Lambda function to send CloudTrail logs stored in the S3 bucket to Datadog for monitoring.

  1. Go to the Datadog Forwarder Lambda that was created during the AWS integration setup.
  2. Click Add trigger.
  3. Select S3 for the trigger.
  4. Select the S3 bucket you are using to collect AWS CloudTrail logs.
  5. For Event type, select All object create events.
  6. Click Add.
  7. See CloudTrail logs in Datadog’s Log Explorer.
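The two procedures above (create the trail, then trigger the Forwarder from the bucket) are console steps. The following Python script is an added example, not Datadog's or AWS's code, that builds the same pipeline as data: the S3 bucket policy CloudTrail needs before it can write, the event selector matching the "management read and write events" default, the bucket notification equivalent to the "All object create events" trigger, and a check that an existing trail's selectors really cover both read and write management events. Account ID, region, bucket, trail, KMS key and Forwarder ARN are constructed placeholders; the apply() function uses boto3 calls and is only run when the script is executed directly.

```python
"""Build a CloudTrail -> S3 -> Datadog Forwarder pipeline as policy and config documents.

Added example, not Datadog's or AWS's own code. All identifiers below are constructed
placeholders; replace them with your own before running apply().
"""
import json

ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
BUCKET = "example-cloudtrail-logs"
TRAIL = "example-org-trail"
# Placeholder key ARN; the key policy must also let cloudtrail.amazonaws.com call
# kms:GenerateDataKey* and kms:DescribeKey, otherwise create_trail fails.
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
FORWARDER_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:datadog-forwarder"


def trail_arn(account_id=ACCOUNT_ID, region=REGION, trail=TRAIL):
    return f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail}"


def cloudtrail_bucket_policy(bucket=BUCKET, account_id=ACCOUNT_ID, region=REGION, trail=TRAIL):
    """Bucket policy CloudTrail requires: an ACL check and a write grant. Both are pinned to
    this trail's ARN with aws:SourceArn so a trail in another account cannot write here."""
    source_arn = trail_arn(account_id, region, trail)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": source_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # CloudTrail writes under AWSLogs/<account>/ when no custom prefix is set.
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": source_arn,
                    }
                },
            },
        ],
    }


def management_event_selectors():
    """Event selector matching the console default: management read and write events."""
    return [{"ReadWriteType": "All", "IncludeManagementEvents": True}]


def covers_management_events(selectors):
    """True if a trail's event selectors (as returned by get_event_selectors) capture both
    read and write management events. A WriteOnly trail drops the read-side activity that
    posture and identity-risk rules rely on, so it is worth checking on existing trails."""
    return any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors
    )


def forwarder_notification(bucket=BUCKET, forwarder_arn=FORWARDER_ARN, account_id=ACCOUNT_ID):
    """Bucket notification equivalent to the 'All object create events' trigger, scoped to
    the prefix CloudTrail writes under so unrelated objects in the bucket are not forwarded."""
    return {
        "LambdaFunctionConfigurations": [
            {
                "Id": "datadog-forwarder-cloudtrail",
                "LambdaFunctionArn": forwarder_arn,
                "Events": ["s3:ObjectCreated:*"],
                "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": f"AWSLogs/{account_id}/"}]}},
            }
        ]
    }


def apply(session):
    """Apply everything with boto3. `session` is a boto3.Session; boto3 is imported by the
    caller so the module loads without it. Order matters: the bucket policy must exist before
    create_trail, and the Lambda permission before the bucket notification."""
    s3 = session.client("s3")
    ct = session.client("cloudtrail")
    lam = session.client("lambda")
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(cloudtrail_bucket_policy()))
    ct.create_trail(Name=TRAIL, S3BucketName=BUCKET, KmsKeyId=KMS_KEY_ARN,
                    IsMultiRegionTrail=True, EnableLogFileValidation=True)
    ct.put_event_selectors(TrailName=TRAIL, EventSelectors=management_event_selectors())
    ct.start_logging(Name=TRAIL)
    lam.add_permission(FunctionName=FORWARDER_ARN, StatementId="AllowS3CloudTrailInvoke",
                       Action="lambda:InvokeFunction", Principal="s3.amazonaws.com",
                       SourceArn=f"arn:aws:s3:::{BUCKET}", SourceAccount=ACCOUNT_ID)
    s3.put_bucket_notification_configuration(Bucket=BUCKET,
                                             NotificationConfiguration=forwarder_notification())


if __name__ == "__main__":
    import boto3
    apply(boto3.Session())
```

EnableLogFileValidation is switched on so that CloudTrail publishes digest files, which lets you later prove the forwarded logs were not altered in the bucket; the prefix filter on the notification keeps the Forwarder from being invoked for any other objects that land in the same bucket.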