Set up the Datadog AWS integration
If you haven’t already, set up the Amazon Web Services integration. You must also add the required permissions for resource collection.
Enable CSM for your AWS accounts
Use one of the following methods to enable CSM for your AWS accounts:
CSM Setup page
- On the Cloud Security Management Setup page, click Cloud accounts.
- Expand the AWS section.
- To enable resource collection for an account, click the Resource Scanning toggle.
- Click Done.
Amazon Web Services integration page
- On the Amazon Web Services Integration page, select an AWS account.
- On the Resource Collection tab, select the Cloud Security Posture Management Collection checkbox.
- Click Save.
Exclude resources from evaluation
You can use resource tags to create filters that include or exclude resources from being evaluated by CSM. The filters must be specified as a comma-separated list of key:value
pairs.
Note: Resource evaluation filters can only be used with hosts that are scanned by cloud integrations.
Format | Value |
---|
Allowlist | key:value |
Blocklist | !key:value |
Single character wildcard | ? |
Multiple characters wildcard | * |
The allowlist enables you to specify tags that must be applied to a resource in order for CSM to evaluate it. Allowlist tags are evaluated as OR statements. In other words, at least one of the allowlist tags must be present in order for a resource to be evaluated. In contrast, blocklisted tags are evaluated as AND statements and take precedence over allowlist tags.
Examples:
!env:staging
excludes resources that have the env:staging
tag.datadog:monitored, env:prod*
collects metrics for resources that have at least one of these tags.!env:staging, !testing
excludes resources that have both the env:staging
and testing
tags.datadog:monitored !region:us-east1
collects metrics for resources that have the datadog:monitored
tag, so long as the resource does not have the region:us-east1
tag applied to it.
- On the Cloud Security Management Setup page, click Cloud accounts.
- Expand the AWS section.
- Under Resource Evaluation Filters (Optional), click the Plus (+) icon.
- Enter a comma-separated list of
key:value
pairs for the tags you want to allowlist or blocklist. - Click Save.
Set up the Datadog Azure integration
If you haven’t already, set up the Microsoft Azure integration.
Note: To access the full set of Azure compliance rules for CSM Misconfigurations, you must enable the Application.Read.All
, Directory.Read.All
, Group.Read.All
, Policy.Read.All
, and User.Read.All
permissions for the Microsoft Graph API.
Enable CSM for your Azure subscriptions
Use one of the following methods to enable CSM for your Azure subscriptions:
CSM Setup page
- On the Cloud Security Management Setup page, click Cloud accounts.
- Expand the Azure section.
- To enable resource collection for a subscription, click the Resource Scanning toggle.
- Click Done.
Azure integration page
- On the Azure Integration page, select an Azure app registration.
- Under Resource Collection, select the Collect resources for Cloud Security Posture Management checkbox.
- Click Submit Changes.
Exclude resources from evaluation
You can use resource tags to create filters that include or exclude resources from being evaluated by CSM. The filters must be specified as a comma-separated list of key:value
pairs.
Note: Resource evaluation filters can only be used with hosts that are scanned by cloud integrations.
Format | Value |
---|
Allowlist | key:value |
Blocklist | !key:value |
Single character wildcard | ? |
Multiple characters wildcard | * |
The allowlist enables you to specify tags that must be applied to a resource in order for CSM to evaluate it. Allowlist tags are evaluated as OR statements. In other words, at least one of the allowlist tags must be present in order for a resource to be evaluated. In contrast, blocklisted tags are evaluated as AND statements and take precedence over allowlist tags.
Examples:
!env:staging
excludes resources that have the env:staging
tag.datadog:monitored, env:prod*
collects metrics for resources that have at least one of these tags.!env:staging, !testing
excludes resources that have both the env:staging
and testing
tags.datadog:monitored !region:us-east1
collects metrics for resources that have the datadog:monitored
tag, so long as the resource does not have the region:us-east1
tag applied to it.
- On the Cloud Security Management Setup page, click Cloud accounts.
- Expand the Azure section.
- Under Resource Evaluation Filters (Optional), click the Plus (+) icon.
- Enter a comma-separated list of
key:value
pairs for the tags you want to allowlist or blocklist. - Click Save.
The Datadog Google Cloud Platform integration uses service accounts to create an API connection between Google Cloud and Datadog. To enable metric collection, create a service account, and then provide Datadog with the service account credentials to begin making API calls on your behalf.
Note: Google Cloud billing, the Cloud Monitoring API, the Compute Engine API, and the Cloud Asset API must all be enabled for the projects you wish to monitor.
Google Cloud
- Navigate to the Google Cloud Credentials page for the Google Cloud project where you would like to set up the Datadog integration.
- Click Create credentials and select Service account.
- Give the service account a unique name and click Create and Continue.
- Add the following roles to the service account, then click Continue:
- Compute Viewer
- Monitoring Viewer
- Cloud Asset Viewer
- Select the service account at the bottom of the page.
- On the Keys tab, click New Key, then select Create new key.
- Select JSON and click Create to download the JSON key.
Datadog
- In Datadog, navigate to the Google Cloud Platform Integration page.
- On the Configuration tab, locate the service account and select Upload Private Key File to integrate the project with Datadog.
- Upload the JSON file, then click Update Configuration.
- To monitor multiple projects, use one of the following methods:
- Repeat the process above to use multiple service accounts.
- Use the same service account by updating the
project_id
in the downloaded JSON file. Then, upload the file to Datadog as described in steps 1-3.
Enable CSM for your Google Cloud projects
Use one of the following methods to enable CSM for your Google Cloud projects:
CSM Setup page
- On the Cloud Security Management Setup page, click Cloud accounts.
- Expand the GCP section.
- To enable resource collection for a project, click the Resource Scanning toggle.
- Click Done.
Google Cloud Platform integration page
- On the Google Cloud Platform Integration page, select a Google Cloud project.
- Under Resource Collection, select the Enable Cloud Security Posture Management checkbox.
- Click Save.
Exclude resources from evaluation
You can use resource tags to create filters that include or exclude resources from being evaluated by CSM. The filters must be specified as a comma-separated list of key:value
pairs.
Note: Resource evaluation filters can only be used with hosts that are scanned by cloud integrations.
Format | Value |
---|
Allowlist | key:value |
Blocklist | !key:value |
Single character wildcard | ? |
Multiple characters wildcard | * |
The allowlist enables you to specify tags that must be applied to a resource in order for CSM to evaluate it. Allowlist tags are evaluated as OR statements. In other words, at least one of the allowlist tags must be present in order for a resource to be evaluated. In contrast, blocklisted tags are evaluated as AND statements and take precedence over allowlist tags.
Examples:
!env:staging
excludes resources that have the env:staging
tag.datadog:monitored, env:prod*
collects metrics for resources that have at least one of these tags.!env:staging, !testing
excludes resources that have both the env:staging
and testing
tags.datadog:monitored !region:us-east1
collects metrics for resources that have the datadog:monitored
tag, so long as the resource does not have the region:us-east1
tag applied to it.
- On the Cloud Security Management Setup page, click Cloud accounts.
- Expand the GCP section.
- Under Resource Evaluation Filters (Optional), click the Plus (+) icon.
- Enter a comma-separated list of
key:value
pairs for the tags you want to allowlist or blocklist. - Click Save.