Synthetic Monitoring Security

This page is about the security of Datadog; if you're looking for the Security Monitoring product, see the Security Monitoring section.

This article is part of a series on data security.

The Synthetic Monitoring product allows you to proactively monitor how your systems and applications are performing using simulated requests and business transactions. Synthetic tests can be initiated from all around the globe, from either managed or private locations.

Information security

Encryption in managed locations

Test configurations and variables

  • Transport: Asymmetric encryption - RSA (4096-bit key). All requests are signed using Datadog Signature v1 (based on the same signing process as AWS Signature v4), ensuring both authentication and integrity.
  • Storage: Symmetric encryption - AES-GCM (256-bit key).

Test results

  • Transport: Asymmetric encryption - RSA (4096-bit key). All requests are signed using Datadog Signature v1 (based on the same signing process as AWS Signature v4), ensuring both authentication and integrity.
  • Storage: Sensitive parts (response headers and body) of test results are stored encrypted with asymmetric encryption - RSA (4096-bit key) and decrypted on the fly when test results are fetched.

Artifacts

Artifacts are browser test screenshots, snapshots, errors, and resources.

Encryption in private locations

Private locations credentials

  • Storage: Private locations credentials used to sign test configuration, variables, and test results requests are stored encrypted (symmetric encryption - AES-GCM), with audit logging and access policies.

Test configurations and variables

  • Transport: Asymmetric encryption - RSA (4096-bit key). Communication between private locations and Datadog is secured using Datadog Signature v1 (based on the same signing process as AWS Signature v4), ensuring both authentication and integrity.
  • Storage: Symmetric encryption - AES-GCM (256-bit key).

Test results

  • Transport: Asymmetric encryption - RSA (4096-bit key). Communication between private locations and Datadog is secured using Datadog Signature v1 (based on the same signing process as AWS Signature v4), ensuring both authentication and integrity.

  • Storage: Sensitive parts (by default, response headers and body) of test results are stored encrypted with asymmetric encryption - RSA (4096-bit key) and decrypted on the fly when test results are fetched.
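
The Transport items above say requests are signed with a scheme based on AWS Signature v4, giving both authentication and integrity. The following added example (not Datadog's code; the exact format of Datadog Signature v1 is not given on this page) implements the published AWS Signature v4 steps and shows the receiver rejecting a modified body. The secret, region, service, host and path values are constructed placeholders.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"  # SigV4 label, used here only for illustration


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 derivation: the long-term secret never signs a request directly."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def canonical_request(method, path, query, headers, body: bytes) -> str:
    """Normalise the request so signer and verifier hash identical bytes."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lowered)
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    return "\n".join([method, path, query, canon_headers, ";".join(names),
                      hashlib.sha256(body).hexdigest()])


def sign(secret, timestamp, region, service, method, path, query, headers, body):
    scope = f"{timestamp[:8]}/{region}/{service}/aws4_request"
    creq = canonical_request(method, path, query, headers, body)
    to_sign = "\n".join([ALGORITHM, timestamp, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    key = signing_key(secret, timestamp[:8], region, service)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()


def verify(signature, *request) -> bool:
    """Receiver recomputes the signature and compares in constant time."""
    return hmac.compare_digest(signature, sign(*request))


# Constructed sample: secret, region, service and host are placeholders.
SECRET = "example-secret-not-a-real-key"
REQ = ("20240101T000000Z", "example-region", "example-service", "POST",
       "/results", "", {"Host": "intake.example.com"})
BODY = b'{"test_id": "abc-123", "passed": true}'
SIG = sign(SECRET, *REQ, BODY)
print("valid:", verify(SIG, SECRET, *REQ, BODY),
      "| tampered:", verify(SIG, SECRET, *REQ, BODY.replace(b"true", b"false")))
```

Because the body hash and the headers are part of the signed string, a change to either one invalidates the signature, and only a holder of the secret can produce a valid one.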

Artifacts

Artifacts are browser test screenshots, snapshots, errors, and resources.

  • Storage: Encryption for AWS.
  • Transport: HTTPS transport between the private location and Datadog (authentication through API key), then from Datadog to storage: encryption in transit using AWS Signature Version 4 for S3.

Testing accounts

It is strongly recommended to use accounts dedicated to testing for your Synthetic tests.

Storing secrets

You can store secrets in global variables with the obfuscation feature to ensure global variable values do not leak into your test configurations and results. Access to global variables can then be restricted using the dedicated global variable RBAC permissions.

Privacy options

Use the privacy options of API, Multistep API, and Browser tests to limit the amount of data stored in test results. However, be mindful when using these options, as enabling them can make troubleshooting failures more difficult.
