AWS Fargate Configuration Guide for Datadog Security

This guide walks you through configuring Cloud Security Management (CSM), Software Composition Analysis (SCA), Threat Detection and Protection (ASM), and Cloud SIEM on AWS Fargate.

[Figure: Flow chart showing how CSM, ASM, and Cloud SIEM are configured on AWS Fargate]

Full stack coverage for AWS Fargate

Datadog Security provides multiple layers of visibility for AWS Fargate. Use the products in combination with one another to gain full stack coverage, as shown in the following tables:

Fargate assets

| Asset | Observability | Vulnerabilities and Misconfiguration Remediation | Threat Detection and Response |
|---|---|---|---|
| Fargate Application | Application Performance Monitoring | Software Composition Analysis (SCA) and Code Security | ASM - Threat Detection and Protection |
| Fargate Infrastructure | Infrastructure Monitoring | Not yet supported | CSM Threats |

| Asset | Observability | Vulnerabilities and Misconfiguration Remediation | Threat Detection and Response |
|---|---|---|---|
| AWS IAM roles and policies | Log Management | Cloud Security Management | Cloud SIEM |
| AWS databases | Log Management | Cloud Security Management | Cloud SIEM |
| AWS S3 buckets | Log Management | Cloud Security Management | Cloud SIEM |

Cloud Security Management

Prerequisites

  • The Datadog AWS integration is installed and configured for your AWS accounts
  • Access to AWS Management Console
  • AWS Fargate ECS or EKS workloads

For additional performance and reliability insights, Datadog recommends enabling Infrastructure Monitoring with Cloud Security Management.

Images

  • cws-instrumentation-init: public.ecr.aws/datadog/cws-instrumentation:latest
  • datadog-agent: public.ecr.aws/datadog/agent:latest

Installation

AWS Console

  1. Sign in to AWS Management Console.
  2. Navigate to the ECS section.
  3. On the left menu, select Task Definitions, and then select Create new Task Definition with JSON. Alternatively, choose an existing Fargate task definition.
  4. To create a new task definition, use the JSON definition, or the AWS CLI method.
  5. Click Create to create the task definition.

AWS CLI

  1. Download datadog-agent-cws-ecs-fargate.json.

datadog-agent-cws-ecs-fargate.json

{
    "family": "<YOUR_TASK_NAME>",
    "cpu": "256",
    "memory": "512",
    "networkMode": "awsvpc",
    "pidMode": "task",
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "containerDefinitions": [
        {
            "name": "cws-instrumentation-init",
            "image": "public.ecr.aws/datadog/cws-instrumentation:latest",
            "essential": false,
            "user": "0",
            "command": [
                "/cws-instrumentation",
                "setup",
                "--cws-volume-mount",
                "/cws-instrumentation-volume"
            ],
            "mountPoints": [
                {
                    "sourceVolume": "cws-instrumentation-volume",
                    "containerPath": "/cws-instrumentation-volume",
                    "readOnly": false
                }
            ]
        },
        {
            "name": "datadog-agent",
            "image": "public.ecr.aws/datadog/agent:latest",
            "essential": true,
            "environment": [
                {
                    "name": "DD_API_KEY",
                    "value": "<DD_API_KEY>"
                },
                {
                    "name": "DD_SITE",
                    "value": "datadoghq.com"
                },
                {
                    "name": "ECS_FARGATE",
                    "value": "true"
                },
                {
                    "name": "DD_RUNTIME_SECURITY_CONFIG_ENABLED",
                    "value": "true"
                },
                {
                    "name": "DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED",
                    "value": "true"
                }
            ],
            "healthCheck": {
                "command": [
                    "CMD-SHELL",
                    "/probe.sh"
                ],
                "interval": 30,
                "timeout": 5,
                "retries": 2,
                "startPeriod": 60
            }
        },
        {
            "name": "<YOUR_APP_NAME>",
            "image": "<YOUR_APP_IMAGE>",
            "entryPoint": [
                "/cws-instrumentation-volume/cws-instrumentation",
                "trace",
                "--",
                "<ENTRYPOINT>"
            ],
            "mountPoints": [
                {
                    "sourceVolume": "cws-instrumentation-volume",
                    "containerPath": "/cws-instrumentation-volume",
                    "readOnly": true
                }
            ],
            "linuxParameters": {
                "capabilities": {
                    "add": [
                        "SYS_PTRACE"
                    ]
                }
            },
            "dependsOn": [
                {
                    "containerName": "datadog-agent",
                    "condition": "HEALTHY"
                },
                {
                    "containerName": "cws-instrumentation-init",
                    "condition": "SUCCESS"
                }
            ]
        }
    ],
    "volumes": [
        {
            "name": "cws-instrumentation-volume"
        }
    ]
}
  2. Update the following items in the JSON file:

    • YOUR_TASK_NAME
    • DD_API_KEY
    • DD_SITE
    • YOUR_APP_NAME
    • YOUR_APP_IMAGE
    • ENTRYPOINT

    You can use the following command to find the entry point of your workload:

    docker inspect <YOUR_APP_IMAGE> -f '{{json .Config.Entrypoint}}'

    or

    docker inspect <YOUR_APP_IMAGE> -f '{{json .Config.Cmd}}'

    Note: The environment variable ECS_FARGATE is already set to “true”.

  3. Add your other application containers to the task definition. For details on collecting integration metrics, see Integration Setup for ECS Fargate.

  4. Run the following command to register the ECS task definition:

    aws ecs register-task-definition --cli-input-json file://<PATH_TO_FILE>/datadog-agent-cws-ecs-fargate.json
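
A pre-registration check for the ECS task definition above, as an added example and not Datadog's own tooling: it confirms the CSM wiring the JSON relies on (shared PID namespace, read-only instrumentation volume, wrapped entry point, SYS_PTRACE, container ordering) and flags placeholders left unreplaced. The function name, the sample values (`demo-task`, `demo-app`, `/app/server`) and the rule that every non-Datadog container is a traced workload are assumptions.

```python
import json
import re

VOLUME = "cws-instrumentation-volume"
TRACER = "/cws-instrumentation-volume/cws-instrumentation"
DEPS = {"cws-instrumentation-init": "SUCCESS", "datadog-agent": "HEALTHY"}  # required dependsOn
AGENT_ENV = ("ECS_FARGATE", "DD_RUNTIME_SECURITY_CONFIG_ENABLED",
             "DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED")

def check_task_definition(td):
    """Return findings; an empty list means the CSM wiring matches the guide's JSON."""
    out = []
    if re.search(r"<[A-Z_]+>", json.dumps(td)):
        out.append("unreplaced <PLACEHOLDER> value")
    if td.get("pidMode") != "task":
        out.append("pidMode is not 'task'")
    if not any(v.get("name") == VOLUME for v in td.get("volumes", [])):
        out.append(f"volume {VOLUME} not declared")
    by_name = {c.get("name"): c for c in td.get("containerDefinitions", [])}
    out += [f"container {n} missing" for n in DEPS if n not in by_name]
    agent_env = by_name.get("datadog-agent", {}).get("environment", [])
    out += [f"datadog-agent: {k} is not 'true'" for k in AGENT_ENV
            if {"name": k, "value": "true"} not in agent_env]
    # Assumption: every container other than the two Datadog ones is a traced workload.
    workloads = {n: c for n, c in by_name.items() if n not in DEPS}
    for name, c in workloads.items():
        ep = c.get("entryPoint") or []
        if ep[:2] != [TRACER, "trace"] or "--" not in ep[2:]:
            out.append(f"{name}: entryPoint not wrapped by cws-instrumentation trace")
        caps = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        if "SYS_PTRACE" not in caps:
            out.append(f"{name}: SYS_PTRACE capability not added")
        mounts = [m for m in c.get("mountPoints", []) if m.get("sourceVolume") == VOLUME]
        if not mounts or not all(m.get("readOnly") for m in mounts):
            out.append(f"{name}: {VOLUME} not mounted read-only")
        deps = {d.get("containerName"): d.get("condition") for d in c.get("dependsOn", [])}
        if any(deps.get(n) != cond for n, cond in DEPS.items()):
            out.append(f"{name}: dependsOn lacks init SUCCESS / agent HEALTHY")
    return out

# Constructed sample: the guide's layout with made-up values in place of the placeholders.
SAMPLE = {"family": "demo-task", "pidMode": "task", "volumes": [{"name": VOLUME}], "containerDefinitions": [
    {"name": "cws-instrumentation-init"},
    {"name": "datadog-agent", "environment": [{"name": k, "value": "true"} for k in AGENT_ENV]},
    {"name": "demo-app", "entryPoint": [TRACER, "trace", "--", "/app/server"],
     "mountPoints": [{"sourceVolume": VOLUME, "containerPath": "/" + VOLUME, "readOnly": True}],
     "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"]}},
     "dependsOn": [{"containerName": n, "condition": cond} for n, cond in DEPS.items()]},
]}
print(check_task_definition(SAMPLE))
```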

To collect data from your AWS Fargate pods on EKS, you must run the Agent as a sidecar of your application pod and set up Role-Based Access Control (RBAC) rules.

If the Agent is running as a sidecar, it can only communicate with containers on the same pod. Run an Agent for every pod you wish to monitor.

Set up RBAC rules

Use the following Agent RBAC deployment instruction before deploying the Agent as a sidecar.

Deploy the Agent as a sidecar

The following manifest represents the minimum configuration required to deploy your application with the Datadog Agent as a sidecar with CSM Threats enabled:

apiVersion: apps/v1
kind: Deployment
metadata:
 name: "<APPLICATION_NAME>"
 namespace: default
spec:
 replicas: 1
 selector:
   matchLabels:
     app: "<APPLICATION_NAME>"
 template:
   metadata:
     labels:
       app: "<APPLICATION_NAME>"
     name: "<POD_NAME>"
   spec:
     initContainers:
     - name: cws-instrumentation-init
       image: public.ecr.aws/datadog/cws-instrumentation:latest
       command:
         - "/cws-instrumentation"
         - "setup"
         - "--cws-volume-mount"
         - "/cws-instrumentation-volume"
       volumeMounts:
         - name: cws-instrumentation-volume
           mountPath: "/cws-instrumentation-volume"
       securityContext:
         runAsUser: 0
     containers:
     - name: "<YOUR_APP_NAME>"
       image: "<YOUR_APP_IMAGE>"
       command:
         - "/cws-instrumentation-volume/cws-instrumentation"
         - "trace"
         - "--"
         - "<ENTRYPOINT>"
       volumeMounts:
         - name: cws-instrumentation-volume
           mountPath: "/cws-instrumentation-volume"
           readOnly: true
     - name: datadog-agent
       image: public.ecr.aws/datadog/agent:latest
       env:
         - name: DD_API_KEY
           value: "<DD_API_KEY>"
         - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
           value: "true"
         - name: DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED
           value: "true"
         - name: DD_EKS_FARGATE
           value: "true"
         - name: DD_CLUSTER_NAME
           value: "<CLUSTER_NAME>"
         - name: DD_KUBERNETES_KUBELET_NODENAME
           valueFrom:
             fieldRef:
               apiVersion: v1
               fieldPath: spec.nodeName
     volumes:
       - name: cws-instrumentation-volume
     serviceAccountName: datadog-agent
     shareProcessNamespace: true

Verify that the Agent is sending events to CSM

When you enable CSM on AWS Fargate ECS or EKS, the Agent sends an agent event to Datadog to confirm that the default ruleset has been successfully deployed. To view the agent event, navigate to the Agent Events page in Datadog and search for @agent.rule_id:ruleset_loaded.

You can also verify the Agent is sending events to CSM by manually triggering an AWS Fargate security signal.

In the task definition, replace the “workload” container with the following:

            "name": "cws-signal-test",
            "image": "ubuntu:latest",
            "entryPoint": [
                "/cws-instrumentation-volume/cws-instrumentation",
                "trace",
                "--verbose",
                "--",
                "/usr/bin/bash",
                "-c",
                "apt update;apt install -y curl; while true; do curl https://google.com; sleep 5; done"
            ],

Application Security

Prerequisites

  • The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment
  • Datadog APM is configured for your application or service

For additional performance and reliability insights, Datadog recommends enabling Application Performance Monitoring with Application Security Management.

Installation

Software Composition Analysis (SCA)

Software Composition Analysis (SCA) works in Fargate. Follow the installation steps for applications that run in traditional hosts.

Threat Detection and Protection

For step-by-step instructions, see the following articles:

Code Security

For step-by-step instructions, see the following articles:

Cloud SIEM

Prerequisites

Installation

For step-by-step instructions, see AWS Configuration Guide for Cloud SIEM.

Enable AWS CloudTrail logging

Enable AWS CloudTrail logging so that logs are sent to an S3 bucket. If you already have this set up, skip to Send AWS CloudTrail logs to Datadog.

  1. Click Create trail on the CloudTrail dashboard.
  2. Enter a name for your trail.
  3. Create a new S3 bucket or use an existing S3 bucket to store the CloudTrail logs.
  4. Create a new AWS KMS key or use an existing AWS KMS key, then click Next.
  5. Leave the event type with the default management read and write events, or choose additional event types you want to send to Datadog, then click Next.
  6. Review and click Create trail.

Send AWS CloudTrail logs to Datadog

Set up a trigger on your Datadog Forwarder Lambda function to send CloudTrail logs stored in the S3 bucket to Datadog for monitoring.

  1. Go to the Datadog Forwarder Lambda that was created during the AWS integration setup.
  2. Click Add trigger.
  3. Select S3 for the trigger.
  4. Select the S3 bucket you are using to collect AWS CloudTrail logs.
  5. For Event type, select All object create events.
  6. Click Add.
  7. See CloudTrail logs in Datadog’s Log Explorer.

See Log Explorer for more information on how to search and filter, group, and visualize your logs.
