CSM Misconfigurations is not available in the selected site.

Cloud Security Management Misconfigurations (CSM Misconfigurations) comes with more than 400 out-of-the-box compliance rules that evaluate the configuration of your cloud resources and identify potential misconfigurations. Each compliance rule maps to one or more controls within the following compliance standards and industry benchmarks:

*To pass the Monitoring Section of the CIS AWS Foundations benchmark, you must enable Cloud SIEM and forward CloudTrail logs to Datadog.

**Some CIS Kubernetes Benchmark compliance rules only apply to self-hosted Kubernetes clusters.

Datadog also provides Essential Cloud Security Controls, a set of recommendations developed by Datadog internal security experts. Based on common cloud security risks we have observed at Datadog, this ruleset aims to help users new to cloud security easily remediate high-impact misconfigurations across their cloud environments.


  • CSM Misconfigurations provides visibility into whether your resources are configured in accordance with certain compliance rules. These rules address various regulatory frameworks, benchmarks, and standards (Security Posture Frameworks). CSM Misconfigurations does not provide an assessment of your actual compliance with any Security Posture Framework, and the compliance rules may not address all configuration settings that are relevant to a given framework. Datadog recommends that you use CSM Misconfigurations in consultation with your legal counsel or compliance experts.
  • The compliance rules for the CIS benchmarks follow the CIS automated recommendations. If you’re obtaining CIS certification, Datadog recommends also reviewing the manual recommendations as part of your overall security assessment.

View your compliance posture

View a high-level overview of your compliance posture for each framework on the CSM Misconfigurations Compliance page.

  • Framework Overview: A detailed report that gives you insight into how you score against a framework’s requirements and rules.
  • Explore Resources: A filtered view of the Misconfigurations page that shows resources with misconfigurations for the selected framework.
  • Configure Rules: Customize how your environment is scanned and set notification targets by modifying the compliance rules for each framework.
The compliance reports section of the CSM Misconfigurations Compliance page provides a high-level overview of your compliance posture

Explore compliance framework reports

Compliance framework reports show which rules are failing in your environment, along with details about the misconfigured resources.

The summary at the top of the report shows the number of rules with pass/fail misconfigurations, the top three high-severity rule failures, and a detailed breakdown of the rules based on severity. You can also explore your past posture with the time selector, download a PDF copy of the report, and filter the page by account, team, service, and environment tags.

Below the summary is a complete listing of all rules associated with the framework, organized by requirements and controls, along with the number of resources checked by the rule, and the percentage of failures.

The CIS AWS compliance framework report provides details on critical rule failures

Select a rule to view details about the misconfigured resources, the rule description, its framework or industry benchmark mapping, and suggested remediation steps.

The compliance rule side panel includes information about the rule and resources with failed misconfigurations

Create custom compliance frameworks

Create your own compliance framework by adding a custom tag to the compliance rules you wish to track. This enables you to filter the misconfigurations on the Misconfigurations issue explorer by the custom tag. You can also clone the Cloud Security Management - Misconfigurations Overview dashboard and configure a template variable for the custom tag to dynamically filter the widgets on the dashboard.

  1. On the Compliance Rules page, select the rule you wish to add the custom tag to.
  2. Under Say what’s happening, navigate to the Tag resulting misconfigurations with section and add the key:value for the custom tag.
  3. Click Update Rule.


Further reading