Setting Up CSPM
Cloud Security Posture Management is not currently available in this site.
Cloud Security Posture Management (CSPM) makes it easier to assess and visualize the current and historic security posture of your cloud resources, automate audit evidence collection, and catch misconfigurations that leave your organization vulnerable to attacks.
Enable CSPM for your cloud resources
CSPM provides agentless onboarding through the existing Datadog integrations for AWS, Azure, and GCP, and through the Agent for Docker and Kubernetes. For details on how to configure CSPM, select your cloud provider and follow the instructions:
Set up the Datadog AWS integration
If you haven’t already, set up the Amazon Web Services integration. For CSPM, you must also add the necessary permissions for resource collection.
Enable CSPM for AWS
Use one of the following methods to enable CSPM for your AWS accounts:
Security Setup & Configuration
- Navigate to Security > Setup & Configuration.
- Follow the in-app instructions to activate CSPM for your account.
- On the Setup & Configuration > Cloud Providers tab, click the AWS tile.
- To enable CSPM for an AWS account, turn on the Collect Resources toggle.
AWS integration tile
- On the AWS integration tile, select an AWS account and click Resource Collection.
- Select Cloud Security Posture Management Collection to enable resource collection for CSPM.
- Click Save.
Set up the Datadog Azure integration
If you haven’t already, set up the Microsoft Azure integration.
Enable CSPM for Azure
Use one of the following methods to enable CSPM for your Azure subscriptions:
Security Setup & Configuration
- Navigate to Security > Setup & Configuration.
- Follow the in-app instructions to activate CSPM for your account.
- On the Setup & Configuration > Cloud Providers tab, click the Azure tile.
- Enable CSPM for your Azure subscriptions by turning on the CSPM Enabled toggle.
Azure integration tile
- On the Azure integration tile, select an Azure app.
- Under Resource Collection, select the Enable resource collection for Cloud Security Posture Management checkbox.
- Click Update Configuration.
Set up the Datadog GCP integration
If you haven’t already, set up the Google Cloud Platform integration and make sure that you have successfully completed the steps for enabling metric collection.
Enable CSPM for GCP
Use one of the following methods to enable CSPM for your GCP projects:
Security Setup & Configuration
- Navigate to Security > Setup & Configuration.
- Follow the in-app instructions to activate CSPM for your account.
- On the Setup & Configuration > Cloud Providers tab, click the GCP tile.
- Enable CSPM for your GCP projects by turning on the CSPM Enabled toggle.
Note: If you do not see any data on the CSPM overview page, you may not have set up your GCP integration correctly. See the GCP metric collection instructions for more information.
GCP integration tile
- On the GCP integration tile, select a GCP project.
- Under Enable resource collection for Cloud Security Posture Management, select the Resource collection checkbox.
- Click Update Configuration.
Enable CSPM for Docker
- Navigate to Security > Setup & Configuration.
- Follow the in-app instructions to activate CSPM for your account.
- On the Setup & Configuration > Host and containers tab, click the Docker tile.
- Click Select API key to choose the API key you want to use with CSPM.
- Copy the automatically generated command and run it in your Docker environment to enable CSPM.
Enable CSPM for Kubernetes
If you haven’t already, install the Datadog Agent (version 7.27+).
- Navigate to Security > Setup & Configuration.
- Follow the in-app instructions to activate CSPM for your account.
- Add the following to the datadog section of the values.yaml file:

```yaml
# values.yaml file
datadog:
  [...]
  # Add this to enable Cloud Security Posture Management and Cloud Workload Security
  securityAgent:
    runtime:
      enabled: true
    compliance:
      enabled: true
```

- Restart the Agent.
Visualize the first results
CSPM evaluates resources at intervals of between 15 minutes and four hours, depending on the resource type. New findings from each scan are generated as soon as the scan completes.
To view the findings for your cloud resources, go to the CSPM homepage.
Explore default detection rules
CSPM comes with a set of out-of-the-box detection rules that evaluate the configuration of your cloud resources and identify potential misconfigurations so you can immediately take steps to remediate. When new configuration detection rules are added, they are automatically imported into your account.
To filter the default detection rules by cloud provider:
- Navigate to Security > Detection Rules.
- Choose one of the following values from the Tag facet.
- AWS: cloud_provider:aws
- Azure: cloud_provider:azure
- GCP: cloud_provider:gcp
- Docker: framework:cis-docker
- Kubernetes: framework:cis-kubernetes
After you explore the default detection rules, you can review and take action on your cloud misconfigurations in the Security Findings Explorer, customize how each rule scans your environment, and set up notification targets.
Disable CSPM
Once you’ve disabled CSPM, your previous findings and the homepage are still available in-app, and you do not incur additional billing costs.
To disable CSPM for your cloud providers:
- AWS: On the Setup & Configuration > Cloud Providers tab, click the AWS tile, and turn off the Collect Resources toggle for your AWS accounts.
- Azure: On the Setup & Configuration > Cloud Providers tab, click the Azure tile, and turn off the CSPM Enabled toggle for your Azure subscriptions.
- GCP: On the Setup & Configuration > Cloud Providers tab, click the GCP tile, and turn off the CSPM Enabled toggle for your GCP projects.
- Docker: Set DD_COMPLIANCE_CONFIG_ENABLED to false in your Docker configuration.
- Kubernetes: In the datadog section of the values.yaml file, set compliance > enabled to false.
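The Kubernetes enable step above and the Docker and Kubernetes disable steps both come down to one setting: securityAgent.compliance.enabled in values.yaml, or the DD_COMPLIANCE_CONFIG_ENABLED environment variable for Docker. The following is an added example, not Datadog's own code, that audits those two settings so a team can confirm CSPM collection is actually on (or has been turned off as intended) across many Agent configurations without opening each one by hand. The sample values.yaml contents are constructed for this example; the YAML reader handles only the indented key: value subset shown on this page and is not a general YAML parser; and treating a missing key as disabled is an assumption about the Agent's default.

```python
"""Audit whether Datadog Agent compliance (CSPM) collection is enabled.

Added example, not Datadog's own code. Checks a Helm values.yaml for
datadog.securityAgent.compliance.enabled and a Docker environment mapping
for DD_COMPLIANCE_CONFIG_ENABLED. The YAML reader covers only the nested
'key: value' subset used on this page.
"""

# Constructed sample: a values.yaml with CSPM enabled under the datadog section.
VALUES_ENABLED = """\
datadog:
  apiKeyExistingSecret: datadog-secret
  securityAgent:
    runtime:
      enabled: true
    compliance:
      enabled: true
"""

# Constructed sample: the same file after following the "Disable CSPM" step.
VALUES_DISABLED = """\
datadog:
  securityAgent:
    runtime:
      enabled: true
    compliance:
      enabled: false
"""


def parse_simple_yaml(text):
    """Parse an indentation-nested 'key: value' YAML subset into dicts.

    A key with no value opens a nested mapping. Comments and the '[...]'
    placeholder used in the docs snippet are skipped. 'true'/'false'
    become Python booleans; everything else stays a string.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() == "[...]":
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            low = value.lower()
            parent[key] = True if low == "true" else False if low == "false" else value
    return root


def helm_compliance_enabled(values_text):
    """Return True only if datadog.securityAgent.compliance.enabled is true.

    A missing key is reported as disabled (assumption: the Agent does not
    enable compliance collection unless the setting is present and true).
    """
    node = parse_simple_yaml(values_text)
    for key in ("datadog", "securityAgent", "compliance", "enabled"):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node is True


def docker_compliance_enabled(env):
    """Evaluate DD_COMPLIANCE_CONFIG_ENABLED from a Docker environment mapping.

    Unset or anything other than 'true' (case-insensitive) counts as disabled.
    """
    return env.get("DD_COMPLIANCE_CONFIG_ENABLED", "false").strip().lower() == "true"


if __name__ == "__main__":
    print("helm enabled sample :", helm_compliance_enabled(VALUES_ENABLED))
    print("helm disabled sample:", helm_compliance_enabled(VALUES_DISABLED))
    print("docker env true     :", docker_compliance_enabled({"DD_COMPLIANCE_CONFIG_ENABLED": "true"}))
    print("docker env unset    :", docker_compliance_enabled({}))
```

Run it against each cluster's values.yaml or each container's environment to produce a simple enabled/disabled inventory; the point of returning False for a missing key is that a values.yaml which never mentions securityAgent at all is the most common way CSPM silently stays off.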