Use the following instructions to enable Misconfigurations and Identity Risks (CIEM).

Enable resource scanning

To enable resource scanning for your cloud accounts, you must first set up the integration and then enable CSM for each AWS account, Azure subscription, and Google Cloud project.

Collecting events using Cloud Security Management will affect your billing. For more information, see Datadog Pricing.

Set up the Datadog AWS integration

If you haven’t already, set up the Amazon Web Services integration. You must also add the required permissions for resource collection.

Enable CSM for your AWS accounts

Use one of the following methods to enable CSM for your AWS accounts:

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations.
  2. Expand the AWS section.
  3. To enable resource scanning for an account, click the Plus button, then switch the Enable Resource Scanning toggle to the on position.
  4. Click Done.
  5. To create a filter that excludes certain resources from being evaluated by CSM, click the Plus (+) icon under Resource Evaluation Filters (Optional). For more information, see Use Filters to Exclude Resources from Evaluation.
  6. Click Done.

Amazon Web Services integration page

  1. On the Amazon Web Services Integration page, select an AWS account.
  2. On the Resource Collection tab, select Enable Cloud Security Management.
  3. Click Save.

Set up the Datadog Azure integration

If you haven’t already, set up the Microsoft Azure integration.

Note: To access the full set of Azure compliance rules for CSM Misconfigurations, you must enable the Application.Read.All, Directory.Read.All, Group.Read.All, Policy.Read.All, and User.Read.All permissions for the Microsoft Graph API.

Enable CSM for your Azure subscriptions

Use one of the following methods to enable CSM for your Azure subscriptions:

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations.
  2. Expand the Azure section.
  3. To enable resource scanning for a subscription, switch the Resource Scanning toggle to the on position.
  4. To create a filter that excludes certain resources from being evaluated by CSM, click the Plus (+) icon under Resource Evaluation Filters (Optional). For more information, see Use Filters to Exclude Resources from Evaluation.
  5. Click Done.

Azure integration page

  1. On the Azure Integration page, select an Azure app registration.
  2. Under Resource Collection, select Enable Cloud Security Management.
  3. Click Submit Changes.

Set up the Datadog Google Cloud Platform integration

The Datadog Google Cloud Platform integration uses service accounts to create an API connection between Google Cloud and Datadog. To enable metric collection, create a service account, and then provide Datadog with the service account credentials to begin making API calls on your behalf. For step-by-step instructions, see Create your Google Cloud service account.

Note: Google Cloud billing, the Cloud Monitoring API, the Compute Engine API, and the Cloud Asset API must all be enabled for the projects you wish to monitor.

Datadog

  1. In Datadog, navigate to the Google Cloud Platform Integration page.
  2. On the Configuration tab, locate the service account and select Upload Private Key File to integrate the project with Datadog.
  3. Upload the JSON file, then click Update Configuration.
  4. To monitor multiple projects, use one of the following methods:
    • Repeat the process above to use multiple service accounts.
    • Use the same service account by updating the project_id in the downloaded JSON file. Then, upload the file to Datadog as described in steps 1-3.

Enable CSM for your Google Cloud projects

Use one of the following methods to enable CSM for your Google Cloud projects:

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations.
  2. Expand the GCP section.
  3. To enable resource scanning for a project, switch the Resource Scanning toggle to the on position.
  4. To create a filter that excludes certain resources from being evaluated by CSM, click the Plus (+) icon under Resource Evaluation Filters (Optional). For more information, see Use Filters to Exclude Resources from Evaluation.
  5. Click Done.

Google Cloud Platform integration page

  1. On the Google Cloud Platform Integration page, select a Google Cloud project.
  2. Under Resource Collection, select Enable Cloud Security Management.
  3. Click Save.

Disable resource scanning

To disable resource scanning for your cloud accounts, navigate to either the CSM Setup page or the cloud account integration page. Disabling resource scanning does not affect your ability to access historical findings. You can still review data from the past 15 months.

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations.
  2. Expand the AWS section.
  3. To stop resource collection for an account, click the Edit button and switch the Enable Resource Scanning toggle to the off position.
  4. Click Done.

Amazon Web Services integration page

  1. On the Amazon Web Services Integration page, select an AWS account.
  2. On the Resource Collection tab, clear the Enable Cloud Security Management checkbox.
  3. Click Save.

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations.
  2. Expand the Azure section.
  3. To stop resource collection for a subscription, switch the Resource Scanning toggle to the off position.
  4. Click Done.

Azure integration page

  1. On the Azure Integration page, select an app registration.
  2. On the Resource Collection tab, clear the Enable Cloud Security Management checkbox.
  3. Click Save.

CSM Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations.
  2. Expand the GCP section.
  3. To stop resource collection for a project, switch the Resource Scanning toggle to the off position.
  4. Click Done.

Google Cloud Platform integration page

  1. On the Google Cloud Platform Integration page, select a Google Cloud account.
  2. On the Resource Collection tab, clear the Enable Cloud Security Management checkbox.
  3. Click Save.