Cloud Security Posture Management is not currently available in this site.

Cloud Security Posture Management (CSPM) comes with more than 400 out-of-the-box compliance rules that evaluate the configuration of your cloud resources and identify potential misconfigurations. Each compliance rule maps to one or more controls within the following compliance standards and industry benchmarks:

*To pass the Monitoring Section of the CIS AWS Foundations benchmark, you must enable Cloud SIEM and forward Cloudtrail logs to Datadog.

**Some CIS Kubernetes Benchmark compliance rules only apply to self-hosted Kubernetes clusters.

Datadog also provides Essential Cloud Security Controls, a set of recommendations developed by Datadog internal security experts. Based on common cloud security risks we have observed at Datadog, this ruleset aims to help users new to cloud security easily remediate high-impact misconfigurations across their cloud environments.


  • CSPM provides visibility into whether your resources are configured in accordance with certain compliance rules. These rules address various regulatory frameworks, benchmarks, and standards (Security Posture Frameworks). CSPM does not provide an assessment of your actual compliance with any Security Posture Framework, and the compliance rules may not address all configuration settings that are relevant to a given framework. Datadog recommends that you use CSPM in consultation with your legal counsel or compliance experts.
  • The compliance rules for the CIS benchmarks follow the CIS automated recommendations. If you’re obtaining CIS certification, Datadog recommends also reviewing the manual recommendations as part of your overall security assessment.

View your compliance posture

View a high-level overview of your compliance posture for each framework on the CSPM Overview page.

  • Framework Overview: A detailed report that gives you insight into how you score against a framework’s requirements and rules.
  • Explore Resources: A filtered view of the Findings page that shows resources with findings for the selected framework.
  • Configure Rules: Customize how your environment is scanned and set notification targets by modifying the compliance rules for each framework.
The compliance reports section of the CSPM overview page provides a high-level overview of your compliance posture

Explore compliance framework reports

Compliance framework reports show which rules are failing in your environment, along with details about the misconfigured resources.

The summary at the top of the report shows the number of rules with pass/fail findings, the top three high-severity rule failures, and a detailed breakdown of the rules based on severity. You can also explore your past posture with the time selector, download a PDF copy of the report, and filter the page by account, team, service, and environment tags.

Below the summary is a complete listing of all rules associated with the framework, organized by requirements and controls, along with the number of resources checked by the rule, and the percentage of failures.

The CIS AWS compliance framework report provides details on critical rule failures

Select a rule to view details about the misconfigured resources, the rule description, its framework or industry benchmark mapping, and suggested remediation steps.

The compliance rule side panel includes information about the rule and resources with failed findings

Further reading