---
title: AWS Lambda FIPS Compliance
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS Lambda FIPS Compliance

{% callout %}
# Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com

{% alert level="danger" %}
The FIPS-compliant Datadog Lambda extension is available in all AWS regions. While you can use these FIPS-compliant Lambda components with any Datadog site, end-to-end FIPS compliance requires sending data to the US1-FED site (ddog-gov.com).
{% /alert %}

{% /callout %}

Datadog provides FIPS-compliant monitoring for AWS Lambda functions through the use of FIPS-certified cryptographic modules and specially designed Lambda extension layers.

## FIPS-Compliant Components{% #fips-compliant-components %}

Datadog's FIPS compliance for AWS Lambda is implemented through two main components:

1. **FIPS-Compliant Lambda Extension**:

   - The compatibility version of the extension is a Go binary built using the [BoringCrypto FIPS-certified module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407).
   - The Next Generation Lambda Extension is a Rust binary built with the [AWS-LC FIPS-certified cryptographic module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816).

1. **Runtime Libraries Support**:

   - The Python and JavaScript Datadog Lambda Layers, and the Go Datadog Lambda Library offer FIPS-compliant operation controlled by the `DD_LAMBDA_FIPS_MODE` environment variable.
     - `DD_LAMBDA_FIPS_MODE` defaults to `true` in GovCloud and `false` otherwise.
   - When FIPS mode is enabled:
     - The runtime libraries use AWS FIPS endpoints for Datadog API key retrieval
     - The Lambda metric helper functions require the FIPS-compliant extension for metric submission:
       - Python: `lambda_metric` from `datadog_lambda.metric`
       - Node.js: `sendDistributionMetric` from `datadog-lambda-js`
       - Go: `Metric()` from `ddlambda`

## FIPS Extension Layers{% #fips-extension-layers %}

Datadog provides separate Lambda extension layers for FIPS compliance in both x86 and ARM architectures:

{% tab title="AWS GovCloud Regions" %}

```
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:94
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:94
```

Replace `<AWS_REGION>` with a valid AWS GovCloud region such as `us-gov-west-1`.
{% /tab %}

{% tab title="AWS Commercial Regions" %}

```
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:94
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:94
```

Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`.
{% /tab %}

## Runtime Support{% #runtime-support %}

### Python, JavaScript, and Go{% #python-javascript-and-go %}

For Python, JavaScript, and Go Lambda functions, FIPS compliance is controlled using the `DD_LAMBDA_FIPS_MODE` environment variable:

- In GovCloud environments, `DD_LAMBDA_FIPS_MODE` defaults to `true`.
- In commercial regions, `DD_LAMBDA_FIPS_MODE` defaults to `false`.

When FIPS mode is enabled:

- AWS FIPS endpoints are used for Datadog API key lookups in AWS secure datastores.
- Direct metric submission to the Datadog API is disabled, requiring the FIPS-compliant extension for metric submission.

### Ruby, .NET, and Java{% #ruby-net-and-java %}

Ruby, .NET, and Java runtime libraries do not require the `DD_LAMBDA_FIPS_MODE` environment variable as these runtimes do not:

- Contact AWS APIs directly
- Send metrics directly to Datadog

## Installation and Configuration{% #installation-and-configuration %}

To use FIPS-compliant monitoring for your AWS Lambda functions:

1. **Select the FIPS-compliant extension layer**:

   - Use the appropriate FIPS extension layer ARN for your architecture (x86 or ARM) and region (commercial or GovCloud).

1. **Configure environment variables**:

   - For GovCloud environments, `DD_LAMBDA_FIPS_MODE` is enabled by default.
   - For commercial regions, set `DD_LAMBDA_FIPS_MODE=true` to enable FIPS mode.
   - For complete end-to-end FIPS compliance, set `DD_SITE` to `ddog-gov.com` to send data to the US1-FED site.

1. **Follow the standard installation instructions**:

   - Refer to the [installation guides](https://docs.datadoghq.com/serverless/aws_lambda/installation/) for language-specific configurations.
   - Use the FIPS extension layer ARNs instead of the standard extension layers.

For detailed installation instructions specific to your language runtime and deployment method, see the [installation documentation](https://docs.datadoghq.com/serverless/aws_lambda/installation/).
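
The following is an added example, not Datadog's code: a check that audits one function's configuration against the three steps above (FIPS layer for the architecture, FIPS mode, US1-FED site). It assumes the JSON shape returned by `aws lambda get-function-configuration`; the names `audit_fips` and `SAMPLE`, the account ID `111122223333`, and the assumption that the libraries accept the literal string `true` are illustrative.

```python
import re

# Layer names and publisher accounts are the ones listed on this page.
PUBLISHER = {"aws": "464622532012", "aws-us-gov": "002406178527"}
FIPS_LAYER = {"x86_64": "Datadog-Extension-FIPS", "arm64": "Datadog-Extension-ARM-FIPS"}
LAYER_RE = re.compile(r"^arn:([a-z-]+):lambda:[a-z0-9-]+:(\d{12}):layer:(Datadog-Extension[\w-]*):\d+$")
# Runtimes whose libraries do not need DD_LAMBDA_FIPS_MODE (per the page).
NO_FIPS_VAR = ("ruby", "dotnet", "java")

# Constructed sample: arm64 function in a commercial region, misconfigured.
SAMPLE = {
    "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
    "Runtime": "python3.12",
    "Architectures": ["arm64"],
    "Layers": [{"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension-FIPS:94"}],
    "Environment": {"Variables": {"DD_SITE": "datadoghq.com"}},
}


def audit_fips(cfg):
    """Return a list of findings for one function configuration dict."""
    findings = []
    partition = cfg["FunctionArn"].split(":")[1]
    arch = cfg.get("Architectures", ["x86_64"])[0]
    env = cfg.get("Environment", {}).get("Variables", {})

    ext = [m for m in (LAYER_RE.match(l["Arn"]) for l in cfg.get("Layers", [])) if m]
    if not ext:
        findings.append("no Datadog extension layer attached")
    for m in ext:
        layer_partition, account, name = m.groups()
        if name != FIPS_LAYER.get(arch):
            findings.append(f"layer {name} is not the FIPS layer for {arch}")
        if account != PUBLISHER.get(layer_partition):
            findings.append(f"layer publisher {account} is not the account listed for {layer_partition}")

    if not cfg.get("Runtime", "").startswith(NO_FIPS_VAR):
        # Default is true in GovCloud and false otherwise; an explicit value wins.
        # Assumption: the libraries accept the literal string "true".
        default = "true" if partition == "aws-us-gov" else "false"
        if env.get("DD_LAMBDA_FIPS_MODE", default).lower() != "true":
            findings.append("DD_LAMBDA_FIPS_MODE is not enabled")

    if env.get("DD_SITE") != "ddog-gov.com":
        findings.append("DD_SITE is not ddog-gov.com, so the path is not end-to-end FIPS")
    return findings
```

For `SAMPLE`, the check reports the x86 FIPS layer on an arm64 function, FIPS mode left at its commercial-region default, and a non-US1-FED site.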

## Limitations and Considerations{% #limitations-and-considerations %}

- **End-to-end FIPS Compliance**: For complete FIPS compliance, the FIPS-compliant Lambda components must be used to send telemetry to the US1-FED region (`ddog-gov.com`). While the Lambda components themselves implement FIPS-compliant cryptography regardless of the destination, only the US1-FED site has FIPS-compliant intake endpoints.

- **Customer Responsibility**: You, the Datadog customer, are responsible for:

  - The security posture of your own Lambda function code
  - Ensuring all other code you may be running in your Lambda execution environment maintains FIPS compliance as required

- **FIPS Compliance Scope**: FIPS compliance only applies to communication between the Datadog Lambda components and Datadog's intake API endpoints. Other forms of communication originating from or terminating at your Lambda functions are not made FIPS-compliant by this solution.

- **Version Requirements**: Use the latest versions of the Datadog Lambda extension and libraries to ensure full functionality and up-to-date security.

## Further Reading{% #further-reading %}

- [Agent FIPS Compliance](https://docs.datadoghq.com/agent/configuration/fips-compliance/) - Note: these guidelines apply to Agent deployments only and not to serverless environments.
- [AWS Lambda Security Overview](https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/lambda-and-compliance.html) - AWS's documentation on Lambda security and compliance.
