From eb5e11aa9966d724903a70835f18e0714f0180a5 Mon Sep 17 00:00:00 2001 From: Florentin Labelle Date: Mon, 22 Sep 2025 13:59:00 +0200 Subject: [PATCH 1/3] application_security: update serverless page --- .../setup/aws/lambda/_index.md | 435 +---------------- .../setup/aws/lambda/generic.md | 447 ++++++++++++++++++ .../setup/aws/lambda/python.md | 285 +++++++++++ .../latest-lambda-layer-version.html | 2 +- 4 files changed, 749 insertions(+), 420 deletions(-) create mode 100644 content/en/security/application_security/setup/aws/lambda/generic.md create mode 100644 content/en/security/application_security/setup/aws/lambda/python.md diff --git a/content/en/security/application_security/setup/aws/lambda/_index.md b/content/en/security/application_security/setup/aws/lambda/_index.md index 8c9b14d717884..85c1952df2c13 100644 --- a/content/en/security/application_security/setup/aws/lambda/_index.md +++ b/content/en/security/application_security/setup/aws/lambda/_index.md @@ -3,6 +3,7 @@ title: Enabling App and API Protection for AWS Lambda aliases: - /security/application_security/getting_started/serverless - /security/application_security/enabling/serverless +disable_sidebar: true further_reading: - link: "/security/application_security/how-it-works/" tag: "Documentation" 
@@ -21,427 +22,23 @@ further_reading: text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" --- -Configuring App and API Protection (AAP) for AWS Lambda involves: +Learn how to setup App and API Protection (AAP) on your AWS Lambda functions by selecting the programming language your function is written with. -1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. -3. Triggering security signals in your application and seeing how Datadog displays the resulting information. +
+

Are you missing your environment?

+ Send us a request for your missing environment here. +
-## Prerequisites +{{< appsec-integrations >}} + {{< appsec-integration name="Python" avatar="python" link="./python" >}} + {{< appsec-integration name="Node.js" avatar="node" link="./generic" >}} + {{< appsec-integration name="Java" avatar="java" link="./generic" >}} + {{< appsec-integration name="Go" avatar="go" link="./generic" >}} + {{< appsec-integration name="Ruby" avatar="ruby" link="./generic" >}} + {{< appsec-integration name=".NET" avatar="dotnet" link="./generic" >}} + {{< appsec-integration name="PHP" avatar="php" link="./generic" >}} +{{< /appsec-integrations >}} -- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. - X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. - -## Compatibility - -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. - -|Type | Threat Detection | -| --------------- | ----------------- | -| Java | {{< X >}} | -| .NET | {{< X >}} | -| Node | {{< X >}} | -| Python | {{< X >}} | -| Ruby | {{< X >}} | -| PHP | | -| Go | {{< X >}} | - -## Supported trigger types -Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: -- Application Load Balancer (ALB) -- API Gateway v1 (Rest API) -- API Gateway v2 (HTTP API) -- Function URL - -
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
- - -## Additional language specific compatibility information - -Node.js -: If you are bundling using webpack or esbuild, [follow the specific bundler instructions][4]. - -Java -: To fully instrument your serverless application with distributed tracing, your Java Lambda functions must use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`) or Java 17 (`java17`) runtimes with at least 1024MB of memory. -: If you use the Datadog Lambda layers `dd-trace-java:4` (or older) and `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][3]. - -## Get started - -{{< tabs >}} -{{% tab "Serverless Framework" %}} - -The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. - -To install and configure the Datadog Serverless Framework plugin: - -1. Install the Datadog Serverless Framework plugin: - ```sh - serverless plugin install --name serverless-plugin-datadog - ``` - -2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: - ```yaml - custom: - datadog: - enableASM: true - ``` - - Overall, your new `serverless.yml` file should contain at least: - ```yaml - custom: - datadog: - apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey - enableDDTracing: true - enableASM: true - ``` - See also the complete list of [plugin parameters][4] to further configure your lambda settings. - -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
- -[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters - -{{% /tab %}} -{{% tab "Datadog CLI" %}} - -The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. - -**If you are configuring initial tracing for your functions**, perform the following steps: - -1. Install the Datadog CLI client: - - ```sh - npm install -g @datadog/datadog-ci - ``` - -2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. - - ```sh - datadog-ci lambda instrument -i --appsec - ``` - -3. Configure the AWS credentials: - - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. - -4. Configure the Datadog site: - - ```sh - export DATADOG_SITE="" - ``` - - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). - -5. Configure the Datadog API key: - - Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. 
- - ```sh - export DATADOG_API_KEY_SECRET_ARN="" - ``` - - For testing purposes, you can also set the Datadog API key in plaintext: - - ```sh - export DATADOG_API_KEY="" - ``` - -6. Instrument your Lambda functions: - - To instrument your Lambda functions, run the following command. - - ```sh - datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="python" >}} -e {{< latest-lambda-layer-version layer="extension" >}} - ``` - - To fill in the placeholders: - - Replace `` and `` with your Lambda function names. - - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. - - Replace `` with the AWS region name. - - **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - - Additional parameters can be found in the [CLI documentation][2]. - - -[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli - -{{% /tab %}} -{{% tab "AWS CDK" %}} - -The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. - -1. Install the Datadog CDK constructs library: - - ```sh - # For AWS CDK v1 - pip install datadog-cdk-constructs - - # For AWS CDK v2 - pip install datadog-cdk-constructs-v2 - ``` - -2. 
Instrument your Lambda functions - - ```python - # For AWS CDK v1 - from datadog_cdk_constructs import Datadog - # NOT SUPPORTED IN V1 - - # For AWS CDK v2 - from datadog_cdk_constructs_v2 import Datadog - - datadog = Datadog(self, "Datadog", - python_layer_version={{< latest-lambda-layer-version layer="python" >}}, - extension_layer_version={{< latest-lambda-layer-version layer="extension" >}}, - site="", - api_key_secret_arn="", // or api_key - enable_asm=True, - ) - datadog.add_lambda_functions([]) - ``` - - To fill in the placeholders: - - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - - More information and additional parameters can be found on the [Datadog CDK documentation][1]. - -[1]: https://github.com/DataDog/datadog-cdk-constructs -[2]: https://app.datadoghq.com/organization-settings/api-keys - -{{% /tab %}} -{{% tab "Custom" %}} - -{{< site-region region="us,us3,us5,eu,gov" >}} -1. 
Install the Datadog tracer: - - **Python** - ```sh - # Use this format for x86-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for x86-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:72 - ``` - Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38` and `Python39`. - - - **Node** - ``` sh - # Use this format for AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - - # Use this format for AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - ``` - Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. - - - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # In AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - # In AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - ``` - - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: - ```sh - go get -u github.com/DataDog/datadog-lambda-go - ``` - - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` -2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` - [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -{{< /site-region >}} - -{{< site-region region="ap1" >}} -1. 
Install the Datadog tracer: - - **Python** - ```sh - # Use this format for x86-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for x86-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - ``` - Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are {{< latest-lambda-layer-version layer="python-versions" >}} -. - - - **Node** - ``` sh - # Use this format for AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - - # Use this format for AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - ``` - Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. - - - - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # In AWS commercial regions - arn:aws:lambda::417141415827:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - # In AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - ``` - - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: - ```sh - go get -u github.com/DataDog/datadog-lambda-go - ``` - - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` -2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` - - [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -{{< /site-region >}} - -{{< site-region region="ap2" >}} -1. 
Install the Datadog tracer: - - **Python** - ```sh - # Use this format for x86-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for x86-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - ``` - Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are {{< latest-lambda-layer-version layer="python-versions" >}} -. - - - **Node** - ``` sh - # Use this format for AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - - # Use this format for AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - ``` - Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. - - - - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # In AWS commercial regions - arn:aws:lambda::412381753143:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - # In AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - ``` - - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: - ```sh - go get -u github.com/DataDog/datadog-lambda-go - ``` - - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` -2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` - - [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -{{< /site-region >}} - -3. 
Enable AAP by adding the following environment variables on your function deployment: - ```yaml - environment: - AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper - DD_SERVERLESS_APPSEC_ENABLED: true - ``` - -4. For **Node** and **Python** functions only, double-check that the function's handler is set correctly: - - **Node**: Set your function's handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler`. - - Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. - - **Python**: Set your function's handler to `datadog_lambda.handler.handler`. - - Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. - -5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. - -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc - -{{% /tab %}} -{{< /tabs >}} - -## Further reading +## Further Reading {{< partial name="whats-next/whats-next.html" >}} - -[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec -[4]: /security/application_security/serverless/compatibility -[5]: /security/default_rules/security-scan-detected/ -[6]: /serverless/libraries_integrations/plugin/ -[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/generic.md b/content/en/security/application_security/setup/aws/lambda/generic.md new file mode 100644 index 0000000000000..8c9b14d717884 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/generic.md 
@@ -0,0 +1,447 @@ +--- +title: Enabling App and API Protection for AWS Lambda +aliases: + - /security/application_security/getting_started/serverless + - /security/application_security/enabling/serverless +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Compatibility + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. 
+ +|Type | Threat Detection | +| --------------- | ----------------- | +| Java | {{< X >}} | +| .NET | {{< X >}} | +| Node | {{< X >}} | +| Python | {{< X >}} | +| Ruby | {{< X >}} | +| PHP | | +| Go | {{< X >}} | + +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +## Additional language specific compatibility information + +Node.js +: If you are bundling using webpack or esbuild, [follow the specific bundler instructions][4]. + +Java +: To fully instrument your serverless application with distributed tracing, your Java Lambda functions must use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`) or Java 17 (`java17`) runtimes with at least 1024MB of memory. +: If you use the Datadog Lambda layers `dd-trace-java:4` (or older) and `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][3]. + +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][4] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
+ +[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. 
+ + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="python" >}} -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. + + Additional parameters can be found in the [CLI documentation][2]. + + +[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + pip install datadog-cdk-constructs + + # For AWS CDK v2 + pip install datadog-cdk-constructs-v2 + ``` + +2. 
Instrument your Lambda functions + + ```python + # For AWS CDK v1 + from datadog_cdk_constructs import Datadog + # NOT SUPPORTED IN V1 + + # For AWS CDK v2 + from datadog_cdk_constructs_v2 import Datadog + + datadog = Datadog(self, "Datadog", + python_layer_version={{< latest-lambda-layer-version layer="python" >}}, + extension_layer_version={{< latest-lambda-layer-version layer="extension" >}}, + site="", + api_key_secret_arn="", // or api_key + enable_asm=True, + ) + datadog.add_lambda_functions([]) + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][1]. + +[1]: https://github.com/DataDog/datadog-cdk-constructs +[2]: https://app.datadoghq.com/organization-settings/api-keys + +{{% /tab %}} +{{% tab "Custom" %}} + +{{< site-region region="us,us3,us5,eu,gov" >}} +1. 
Install the Datadog tracer: + - **Python** + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:72 + ``` + Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38` and `Python39`. + + - **Node** + ``` sh + # Use this format for AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + + # Use this format for AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + ``` + Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. + + - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # In AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + # In AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + ``` + - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: + ```sh + go get -u github.com/DataDog/datadog-lambda-go + ``` + - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + ``` +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +{{< /site-region >}} + +{{< site-region region="ap1" >}} +1. 
Install the Datadog tracer: + - **Python** + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + ``` + Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are {{< latest-lambda-layer-version layer="python-versions" >}} +. + + - **Node** + ``` sh + # Use this format for AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + + # Use this format for AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + ``` + Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. + + + - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # In AWS commercial regions + arn:aws:lambda::417141415827:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + # In AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + ``` + - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: + ```sh + go get -u github.com/DataDog/datadog-lambda-go + ``` + - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::417141415827:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::417141415827:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + ``` +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::417141415827:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::417141415827:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + + [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +{{< /site-region >}} + +{{< site-region region="ap2" >}} +1. 
Install the Datadog tracer: + - **Python** + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + ``` + Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are {{< latest-lambda-layer-version layer="python-versions" >}} +. + + - **Node** + ``` sh + # Use this format for AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + + # Use this format for AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + ``` + Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. + + + - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # In AWS commercial regions + arn:aws:lambda::412381753143:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + # In AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + ``` + - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: + ```sh + go get -u github.com/DataDog/datadog-lambda-go + ``` + - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::412381753143:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::412381753143:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + ``` +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::412381753143:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::412381753143:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + + [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +{{< /site-region >}} + +3. 
Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper + DD_SERVERLESS_APPSEC_ENABLED: true + ``` + +4. For **Node** and **Python** functions only, double-check that the function's handler is set correctly: + - **Node**: Set your function's handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler`. + - Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. + - **Python**: Set your function's handler to `datadog_lambda.handler.handler`. + - Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. + +5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec +[4]: /security/application_security/serverless/compatibility +[5]: /security/default_rules/security-scan-detected/ +[6]: /serverless/libraries_integrations/plugin/ +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/python.md b/content/en/security/application_security/setup/aws/lambda/python.md new file mode 100644 index 0000000000000..9c4034c177646 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/python.md 
@@ -0,0 +1,285 @@ +--- +title: Enabling App and API Protection for AWS Lambda +aliases: + - /security/application_security/getting_started/serverless + - /security/application_security/enabling/serverless +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. 
HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][4] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. 
To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. + + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="python" >}} -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. 
+ + Additional parameters can be found in the [CLI documentation][2]. + + +[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + pip install datadog-cdk-constructs + + # For AWS CDK v2 + pip install datadog-cdk-constructs-v2 + ``` + +2. Instrument your Lambda functions + + ```python + # For AWS CDK v1 + from datadog_cdk_constructs import Datadog + # NOT SUPPORTED IN V1 + + # For AWS CDK v2 + from datadog_cdk_constructs_v2 import Datadog + + datadog = Datadog(self, "Datadog", + python_layer_version={{< latest-lambda-layer-version layer="python" >}}, + extension_layer_version={{< latest-lambda-layer-version layer="extension" >}}, + site="", + api_key_secret_arn="", // or api_key + enable_asm=True, + ) + datadog.add_lambda_functions([]) + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][1]. + +[1]: https://github.com/DataDog/datadog-cdk-constructs +[2]: https://app.datadoghq.com/organization-settings/api-keys + +{{% /tab %}} +{{% tab "Custom" %}} + +1. 
Install the Datadog Lambda library + + The Datadog Lambda Library can be imported either as a layer (recommended) _OR_ as a Python package. + + The minor version of the `datadog-lambda` package always matches the layer version. For example, datadog-lambda v0.5.0 matches the content of layer version 5. + + - Option A: [Configure the layers][1] for your Lambda function using the ARN in the following format: + + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} + ``` + + Replace `` with a valid AWS region, such as `us-east-1`. The available `` options are: {{< latest-lambda-layer-version layer="python-versions" >}}. + + - Option B: If you cannot use the prebuilt Datadog Lambda layer, alternatively install the `datadog-lambda` package and its dependencies locally to your function project folder using your favorite Python package manager, such as `pip`. + + ```sh + pip install datadog-lambda -t ./ + ``` + + **Note**: `datadog-lambda` depends on `ddtrace`, which uses native extensions; therefore it must be installed and compiled in a Linux environment on the right architecture (`x86_64` or `arm64`). For example, you can use [dockerizePip][2] for the Serverless Framework and [--use-container][3] for AWS SAM. For more details, see [how to add dependencies to your function deployment package][4]. 
+ + See the [latest release][5]. + +2. Install the Datadog Lambda Extension + + [Configure the layers][1] for your Lambda function using the ARN in the following format: + + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + + Replace `` with a valid AWS region, such as `us-east-1`. + +3. Redirect the handler function + + - Set your function's handler to `datadog_lambda.handler.handler`. + - Set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. + + **Note**: If you are using a third-party security or monitoring tool that is incompatible with the Datadog handler redirection, you can [apply the Datadog wrapper in your function code][6] instead. + +4. Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + DD_APPSEC_ENABLED: true + ``` + +5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. 
+ +[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[2]: https://github.com/UnitedIncome/serverless-python-requirements#cross-compiling +[3]: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-build.html +[4]: https://docs.aws.amazon.com/lambda/latest/dg/python-package.html#python-package-dependencies +[5]: https://pypi.org/project/datadog-lambda/ +[6]: https://app.datadoghq.com/security/appsec?column=time&order=desc + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec +[4]: /security/application_security/serverless/compatibility +[5]: /security/default_rules/security-scan-detected/ +[6]: /serverless/libraries_integrations/plugin/ +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/layouts/shortcodes/latest-lambda-layer-version.html b/layouts/shortcodes/latest-lambda-layer-version.html index d0619c50389ce..6dd23b8f40a6b 100644 --- a/layouts/shortcodes/latest-lambda-layer-version.html +++ b/layouts/shortcodes/latest-lambda-layer-version.html @@ -6,7 +6,7 @@ {{- if eq (.Get "layer") "python" -}} - 113 + 114 {{- end -}} From b3c62e0fe2d2c3826588a08dde7bfa5b589f69f2 Mon Sep 17 00:00:00 2001 
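Review bot: The `aliases` block on `_index.md` (`/security/application_security/getting_started/serverless` and `/security/application_security/enabling/serverless`) is left untouched while the new `python.md` declares the same two aliases in its front matter, so two pages now claim each alias and only one redirect can win. Keep the aliases on `_index.md`, which is the language-picker landing page, and drop them from `python.md`.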
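Review bot: In the `python.md` Custom tab, reference `[6]` is used for two different targets: the note under step 3 links `[apply the Datadog wrapper in your function code][6]` and step 5 links `[AAP views][6]`, but the tab's only `[6]` definition is `https://app.datadoghq.com/security/appsec?column=time&order=desc`, so the wrapper how-to link lands on the AAP views page; give it its own reference number. Two more points in the same hunk: step 4 enables AAP with `DD_APPSEC_ENABLED: true` alone, whereas the Custom tab being removed from `_index.md` set `AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper` together with `DD_SERVERLESS_APPSEC_ENABLED: true`, so please confirm the Python layer honours `DD_APPSEC_ENABLED` without the wrapper or restore the original pair; and in the CDK snippet `api_key_secret_arn="", // or api_key` puts a `//` comment inside a Python block, which is a syntax error when copied, so use `#`. Minor: the Serverless Framework tab numbers its steps 1, 2, 4, and the v1 import is immediately followed by `# NOT SUPPORTED IN V1`, so the v1 install and import lines can simply be dropped.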
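Review bot: The `latest-lambda-layer-version.html` change (python `113` to `114`) is a layer-version bump, not part of the page restructuring named in the subject line, and it changes the ARN rendered on every page that uses the `python` layer shortcode. Split it into its own commit, or at least call it out in the commit message, so the docs move and the version bump can be reverted independently.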
From: Florentin Labelle Date: Mon, 22 Sep 2025 16:55:17 +0200 Subject: [PATCH 2/3] application_security: one page per language --- .../setup/aws/lambda/_index.md | 11 +- .../setup/aws/lambda/dotnet.md | 240 ++++++++++ .../setup/aws/lambda/generic.md | 447 ------------------ .../setup/aws/lambda/go.md | 234 +++++++++ .../setup/aws/lambda/java.md | 239 ++++++++++ .../setup/aws/lambda/nodejs.md | 245 ++++++++++ .../setup/aws/lambda/python.md | 5 +- .../setup/aws/lambda/ruby.md | 321 +++++++++++++ 8 files changed, 1285 insertions(+), 457 deletions(-) create mode 100644 content/en/security/application_security/setup/aws/lambda/dotnet.md delete mode 100644 content/en/security/application_security/setup/aws/lambda/generic.md create mode 100644 content/en/security/application_security/setup/aws/lambda/go.md create mode 100644 content/en/security/application_security/setup/aws/lambda/java.md create mode 100644 content/en/security/application_security/setup/aws/lambda/nodejs.md create mode 100644 content/en/security/application_security/setup/aws/lambda/ruby.md diff --git a/content/en/security/application_security/setup/aws/lambda/_index.md b/content/en/security/application_security/setup/aws/lambda/_index.md index 85c1952df2c13..59c487e6b148d 100644 --- a/content/en/security/application_security/setup/aws/lambda/_index.md +++ b/content/en/security/application_security/setup/aws/lambda/_index.md 
@@ -31,12 +31,11 @@ Learn how to setup App and API Protection (AAP) on your AWS Lambda functions by {{< appsec-integrations >}} {{< appsec-integration name="Python" avatar="python" link="./python" >}} - {{< appsec-integration name="Node.js" avatar="node" link="./generic" >}} - {{< appsec-integration name="Java" avatar="java" link="./generic" >}} - {{< appsec-integration name="Go" avatar="go" link="./generic" >}} - {{< appsec-integration name="Ruby" avatar="ruby" link="./generic" >}} - {{< appsec-integration name=".NET" avatar="dotnet" link="./generic" >}} - {{< appsec-integration name="PHP" avatar="php" link="./generic" >}} + {{< appsec-integration name="Node.js" avatar="node" link="./nodejs" >}} + {{< appsec-integration name="Java" avatar="java" link="./java" >}} + {{< appsec-integration name="Go" avatar="go" link="./go" >}} + {{< appsec-integration name="Ruby" avatar="ruby" link="./ruby" >}} + {{< appsec-integration name=".NET" avatar="dotnet" link="./dotnet" >}} {{< /appsec-integrations >}} ## Further Reading diff --git a/content/en/security/application_security/setup/aws/lambda/dotnet.md b/content/en/security/application_security/setup/aws/lambda/dotnet.md new file mode 100644 index 0000000000000..0da9656078557 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/dotnet.md 
@@ -0,0 +1,240 @@ +--- +title: Enabling App and API Protection for AWS Lambda functions in .NET +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Compatibility + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. 
+ +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][9] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. 
Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. + + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. + + Additional parameters can be found in the [CLI documentation][11]. + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. 
Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + npm install datadog-cdk-constructs --save-dev + + # For AWS CDK v2 + npm install datadog-cdk-constructs-v2 --save-dev + ``` + +2. Instrument your Lambda functions + + ```typescript + // For AWS CDK v1 + import { Datadog } from "datadog-cdk-constructs"; + // NOT SUPPORTED IN V1 + + // For AWS CDK v2 + import { Datadog } from "datadog-cdk-constructs-v2"; + + const datadog = new Datadog(this, "Datadog", { + dotnet_layer_version: {{< latest-lambda-layer-version layer="dd-trace-dotnet" >}}, + extension_layer_version: {{< latest-lambda-layer-version layer="extension" >}}, + site: "", + api_key_secret_arn: "", // or api_key + enable_asm: true, + }); + datadog.add_lambda_functions([]); + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][12]. + +{{% /tab %}} +{{% tab "Custom" %}} + +1. Install the Datadog tracer by configuring the layer ARN that matches your deployment. 
Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + ``` + +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + +3. Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper + DD_SERVERLESS_APPSEC_ENABLED: true + ``` + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
+ +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[5]: /actions/workflows/ +[6]: /security/application_security/waf-integration/ +[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[12]: https://github.com/DataDog/datadog-cdk-constructs +[13]: https://app.datadoghq.com/organization-settings/api-keys +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/generic.md b/content/en/security/application_security/setup/aws/lambda/generic.md deleted file mode 100644 index 8c9b14d717884..0000000000000 --- a/content/en/security/application_security/setup/aws/lambda/generic.md +++ /dev/null 
@@ -1,447 +0,0 @@ ---- -title: Enabling App and API Protection for AWS Lambda -aliases: - - /security/application_security/getting_started/serverless - - /security/application_security/enabling/serverless -further_reading: - - link: "/security/application_security/how-it-works/" - tag: "Documentation" - text: "How App and API Protection Works" - - link: "/security/default_rules/?category=cat-application-security" - tag: "Documentation" - text: "OOTB App and API Protection Rules" - - link: "/security/application_security/troubleshooting" - tag: "Documentation" - text: "Troubleshooting App and API Protection" - - link: "/security/application_security/threats/" - tag: "Documentation" - text: "App and API Protection" - - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" - tag: "Blog" - text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" ---- - -Configuring App and API Protection (AAP) for AWS Lambda involves: - -1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. -3. Triggering security signals in your application and seeing how Datadog displays the resulting information. - -## Prerequisites - -- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. - X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. - -## Compatibility - -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. 
- -|Type | Threat Detection | -| --------------- | ----------------- | -| Java | {{< X >}} | -| .NET | {{< X >}} | -| Node | {{< X >}} | -| Python | {{< X >}} | -| Ruby | {{< X >}} | -| PHP | | -| Go | {{< X >}} | - -## Supported trigger types -Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: -- Application Load Balancer (ALB) -- API Gateway v1 (Rest API) -- API Gateway v2 (HTTP API) -- Function URL - -
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
- - -## Additional language specific compatibility information - -Node.js -: If you are bundling using webpack or esbuild, [follow the specific bundler instructions][4]. - -Java -: To fully instrument your serverless application with distributed tracing, your Java Lambda functions must use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`) or Java 17 (`java17`) runtimes with at least 1024MB of memory. -: If you use the Datadog Lambda layers `dd-trace-java:4` (or older) and `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][3]. - -## Get started - -{{< tabs >}} -{{% tab "Serverless Framework" %}} - -The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. - -To install and configure the Datadog Serverless Framework plugin: - -1. Install the Datadog Serverless Framework plugin: - ```sh - serverless plugin install --name serverless-plugin-datadog - ``` - -2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: - ```yaml - custom: - datadog: - enableASM: true - ``` - - Overall, your new `serverless.yml` file should contain at least: - ```yaml - custom: - datadog: - apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey - enableDDTracing: true - enableASM: true - ``` - See also the complete list of [plugin parameters][4] to further configure your lambda settings. - -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
- -[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters - -{{% /tab %}} -{{% tab "Datadog CLI" %}} - -The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. - -**If you are configuring initial tracing for your functions**, perform the following steps: - -1. Install the Datadog CLI client: - - ```sh - npm install -g @datadog/datadog-ci - ``` - -2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. - - ```sh - datadog-ci lambda instrument -i --appsec - ``` - -3. Configure the AWS credentials: - - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. - -4. Configure the Datadog site: - - ```sh - export DATADOG_SITE="" - ``` - - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). - -5. Configure the Datadog API key: - - Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. 
- - ```sh - export DATADOG_API_KEY_SECRET_ARN="" - ``` - - For testing purposes, you can also set the Datadog API key in plaintext: - - ```sh - export DATADOG_API_KEY="" - ``` - -6. Instrument your Lambda functions: - - To instrument your Lambda functions, run the following command. - - ```sh - datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="python" >}} -e {{< latest-lambda-layer-version layer="extension" >}} - ``` - - To fill in the placeholders: - - Replace `` and `` with your Lambda function names. - - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. - - Replace `` with the AWS region name. - - **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - - Additional parameters can be found in the [CLI documentation][2]. - - -[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli - -{{% /tab %}} -{{% tab "AWS CDK" %}} - -The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. - -1. Install the Datadog CDK constructs library: - - ```sh - # For AWS CDK v1 - pip install datadog-cdk-constructs - - # For AWS CDK v2 - pip install datadog-cdk-constructs-v2 - ``` - -2. 
Instrument your Lambda functions - - ```python - # For AWS CDK v1 - from datadog_cdk_constructs import Datadog - # NOT SUPPORTED IN V1 - - # For AWS CDK v2 - from datadog_cdk_constructs_v2 import Datadog - - datadog = Datadog(self, "Datadog", - python_layer_version={{< latest-lambda-layer-version layer="python" >}}, - extension_layer_version={{< latest-lambda-layer-version layer="extension" >}}, - site="", - api_key_secret_arn="", // or api_key - enable_asm=True, - ) - datadog.add_lambda_functions([]) - ``` - - To fill in the placeholders: - - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - - More information and additional parameters can be found on the [Datadog CDK documentation][1]. - -[1]: https://github.com/DataDog/datadog-cdk-constructs -[2]: https://app.datadoghq.com/organization-settings/api-keys - -{{% /tab %}} -{{% tab "Custom" %}} - -{{< site-region region="us,us3,us5,eu,gov" >}} -1. 
Install the Datadog tracer: - - **Python** - ```sh - # Use this format for x86-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for x86-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:72 - ``` - Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38` and `Python39`. - - - **Node** - ``` sh - # Use this format for AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - - # Use this format for AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - ``` - Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. - - - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # In AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - # In AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - ``` - - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: - ```sh - go get -u github.com/DataDog/datadog-lambda-go - ``` - - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` -2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` - [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -{{< /site-region >}} - -{{< site-region region="ap1" >}} -1. 
Install the Datadog tracer: - - **Python** - ```sh - # Use this format for x86-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for x86-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - ``` - Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are {{< latest-lambda-layer-version layer="python-versions" >}} -. - - - **Node** - ``` sh - # Use this format for AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - - # Use this format for AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - ``` - Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. - - - - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # In AWS commercial regions - arn:aws:lambda::417141415827:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - # In AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - ``` - - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: - ```sh - go get -u github.com/DataDog/datadog-lambda-go - ``` - - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` -2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::417141415827:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` - - [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -{{< /site-region >}} - -{{< site-region region="ap2" >}} -1. 
Install the Datadog tracer: - - **Python** - ```sh - # Use this format for x86-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for x86-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="python" >}} - - # Use this format for arm64-based Lambda deployed in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="python" >}} - ``` - Replace `` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are {{< latest-lambda-layer-version layer="python-versions" >}} -. - - - **Node** - ``` sh - # Use this format for AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - - # Use this format for AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} - ``` - Replace `` with a valid AWS region such as `us-east-1`. The available RUNTIME options are {{< latest-lambda-layer-version layer="node-versions" >}}. - - - - **Java**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # In AWS commercial regions - arn:aws:lambda::412381753143:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - # In AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} - ``` - - **Go**: The Go tracer doesn't rely on a layer and is a regular Go module. 
You can upgrade to its latest version with: - ```sh - go get -u github.com/DataDog/datadog-lambda-go - ``` - - **.NET**: [Configure the layers][1] for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` -2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::412381753143:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` - - [1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -{{< /site-region >}} - -3. 
Enable AAP by adding the following environment variables on your function deployment: - ```yaml - environment: - AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper - DD_SERVERLESS_APPSEC_ENABLED: true - ``` - -4. For **Node** and **Python** functions only, double-check that the function's handler is set correctly: - - **Node**: Set your function's handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler`. - - Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. - - **Python**: Set your function's handler to `datadog_lambda.handler.handler`. - - Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. - -5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. - -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc - -{{% /tab %}} -{{< /tabs >}} - -## Further reading - -{{< partial name="whats-next/whats-next.html" >}} - -[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec -[4]: /security/application_security/serverless/compatibility -[5]: /security/default_rules/security-scan-detected/ -[6]: /serverless/libraries_integrations/plugin/ -[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/go.md b/content/en/security/application_security/setup/aws/lambda/go.md new file mode 100644 index 0000000000000..76ee03f8b9ec1 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/go.md 
@@ -0,0 +1,234 @@ +--- +title: Enabling App and API Protection for AWS Lambda functions in Go +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Compatibility + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. + +The Datadog Go tracer is distributed as a Go module rather than a Lambda layer. 
Ensure your functions vendor the latest `github.com/DataDog/datadog-lambda-go` release when enabling AAP. + +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][9] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. 
Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. + + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. After the CLI completes, update your source code to depend on the latest `datadog-lambda-go` module release to enable App and API Protection. + + Additional parameters can be found in the [CLI documentation][11]. + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. 
Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + npm install datadog-cdk-constructs --save-dev + + # For AWS CDK v2 + npm install datadog-cdk-constructs-v2 --save-dev + ``` + +2. Instrument your Lambda functions + + ```typescript + // For AWS CDK v1 + import { Datadog } from "datadog-cdk-constructs"; + // NOT SUPPORTED IN V1 + + // For AWS CDK v2 + import { Datadog } from "datadog-cdk-constructs-v2"; + + const datadog = new Datadog(this, "Datadog", { + extension_layer_version: {{< latest-lambda-layer-version layer="extension" >}}, + site: "", + api_key_secret_arn: "", // or api_key + enable_asm: true, + }); + datadog.add_lambda_functions([]); + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][12]. + +{{% /tab %}} +{{% tab "Custom" %}} + +1. Update your function code to use the latest Go tracer: + ```sh + go get -u github.com/DataDog/datadog-lambda-go + ``` + +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. 
Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + +3. Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper + DD_SERVERLESS_APPSEC_ENABLED: true + ``` + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
+ +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[5]: /actions/workflows/ +[6]: /security/application_security/waf-integration/ +[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[12]: https://github.com/DataDog/datadog-cdk-constructs +[13]: https://app.datadoghq.com/organization-settings/api-keys +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/java.md b/content/en/security/application_security/setup/aws/lambda/java.md new file mode 100644 index 0000000000000..8ee8ff9744568 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/java.md 
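Review bot: the numbered steps in the Serverless Framework tab of go.md jump from `2.` to `4.`, so either a third step was dropped or the "Redeploy the function and invoke it" step should be renumbered `3.`. In the AWS CDK tab, step 1 still tells the reader to install `datadog-cdk-constructs` (v1) and the snippet shows the v1 import followed by `// NOT SUPPORTED IN V1`; since `enable_asm` only exists in `datadog-cdk-constructs-v2`, drop the v1 install and import lines and say so up front. The Compatibility section correctly states that the Go tracer ships as a Go module rather than a Lambda layer, but the intro's step 2 ("or manually by using the Datadog tracing layers") contradicts that for this page; reword it to "by adding the module and the Datadog Lambda Extension". Smaller points: `[15]` is defined twice (inside the Custom tab and in the footer) and is never cited, `[2]` and `[8]` are defined but unused, "is setup on the Lambda function" should read "is set up", and in the Custom tab's environment block consider quoting `DD_SERVERLESS_APPSEC_ENABLED: "true"`, since Lambda environment variable values are strings and an unquoted YAML `true` relies on the deployment tool to coerce the boolean.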
@@ -0,0 +1,239 @@ +--- +title: Enabling App and API Protection for AWS Lambda functions in Java +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Compatibility + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. 
+ +To fully instrument your Java Lambda functions with distributed tracing, use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`), or Java 17 (`java17`) runtimes with at least 1024MB of memory. If you are using the Datadog Lambda layers `dd-trace-java:4` (or older) together with `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][14] before enabling AAP. + +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][9] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. 
Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. + + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="dd-trace-java" >}} -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. + + Additional parameters can be found in the [CLI documentation][11]. + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. 
Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + npm install datadog-cdk-constructs --save-dev + + # For AWS CDK v2 + npm install datadog-cdk-constructs-v2 --save-dev + ``` + +2. Instrument your Lambda functions + + ```typescript + // For AWS CDK v1 + import { Datadog } from "datadog-cdk-constructs"; + // NOT SUPPORTED IN V1 + + // For AWS CDK v2 + import { Datadog } from "datadog-cdk-constructs-v2"; + + const datadog = new Datadog(this, "Datadog", { + java_layer_version: {{< latest-lambda-layer-version layer="dd-trace-java" >}}, + extension_layer_version: {{< latest-lambda-layer-version layer="extension" >}}, + site: "", + api_key_secret_arn: "", // or api_key + enable_asm: true, + }); + datadog.add_lambda_functions([]); + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][12]. + +{{% /tab %}} +{{% tab "Custom" %}} + +1. Install the Datadog tracer by configuring the layer ARN that matches your deployment. Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # In AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + # In AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-java:{{< latest-lambda-layer-version layer="dd-trace-java" >}} + ``` + +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. 
Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + +3. Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper + DD_SERVERLESS_APPSEC_ENABLED: true + ``` + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
+ +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[5]: /actions/workflows/ +[6]: /security/application_security/waf-integration/ +[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[12]: https://github.com/DataDog/datadog-cdk-constructs +[13]: https://app.datadoghq.com/organization-settings/api-keys +[14]: /serverless/guide/upgrade_java_instrumentation/ +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/nodejs.md b/content/en/security/application_security/setup/aws/lambda/nodejs.md new file mode 100644 index 0000000000000..4fd308fd6bcc2 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/nodejs.md 
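Review bot: the Custom tab of java.md installs the `dd-trace-java` layer and the extension and sets `AWS_LAMBDA_EXEC_WRAPPER`, but unlike the Node.js page it has no step on the function handler; if the wrapper alone is sufficient for Java, say so explicitly, otherwise add the handler step so a manual deployment does not silently run untraced. The Compatibility paragraph lists only `java8.al2`, `java11` and `java17`; confirm the list is still current against the runtimes the tracer layer supports before publishing. The same three defects as in go.md recur here: the Serverless Framework tab numbers its steps `1.`, `2.`, `4.`; the AWS CDK tab offers the v1 package in step 1 and then marks it `NOT SUPPORTED IN V1` in the snippet; and `[15]` is defined twice without being cited while `[2]` and `[8]` are unused. "is setup on" should read "is set up on".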
@@ -0,0 +1,245 @@ +--- +title: Enabling App and API Protection for AWS Lambda functions in Node.js +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Compatibility + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. + +If you bundle your Node.js functions using webpack or esbuild, follow the [bundler guidance][4] to ensure compatibility with Datadog App and API Protection. 
+ +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][9] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. 
Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. + + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="node" >}} -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. + + Additional parameters can be found in the [CLI documentation][11]. + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. 
Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + npm install datadog-cdk-constructs --save-dev + + # For AWS CDK v2 + npm install datadog-cdk-constructs-v2 --save-dev + ``` + +2. Instrument your Lambda functions + + ```javascript + // For AWS CDK v1 + import { Datadog } from "datadog-cdk-constructs"; + // NOT SUPPORTED IN V1 + + // For AWS CDK v2 + import { Datadog } from "datadog-cdk-constructs-v2"; + + const datadog = new Datadog(this, "Datadog", { + node_layer_version: {{< latest-lambda-layer-version layer="node" >}}, + extension_layer_version: {{< latest-lambda-layer-version layer="extension" >}}, + site: "", + api_key_secret_arn: "", // or api_key + enable_asm: true, + }); + datadog.add_lambda_functions([]); + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][12]. + +{{% /tab %}} +{{% tab "Custom" %}} + +1. Install the Datadog tracer: + ```sh + # Use this format for AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + + # Use this format for AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="node" >}} + ``` + Replace `` with a valid AWS region such as `us-east-1`. The available `` options are {{< latest-lambda-layer-version layer="node-versions" >}}. + +2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. 
Replace `` with a valid AWS region such as `us-east-1`: + ```sh + # x86-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + # x86-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + # arm64-based Lambda in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + +3. Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper + DD_SERVERLESS_APPSEC_ENABLED: true + ``` + +4. Double-check that the function's handler is set correctly: + - Set your function's handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler`. + - Set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. + +5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. 
+ +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[4]: https://docs.datadoghq.com/serverless/guide/serverless_tracing_and_bundlers/ +[5]: /actions/workflows/ +[6]: /security/application_security/waf-integration/ +[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[12]: https://github.com/DataDog/datadog-cdk-constructs +[13]: https://app.datadoghq.com/organization-settings/api-keys +[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/python.md b/content/en/security/application_security/setup/aws/lambda/python.md index 9c4034c177646..f4791b4daed23 100644 --- a/content/en/security/application_security/setup/aws/lambda/python.md +++ b/content/en/security/application_security/setup/aws/lambda/python.md 
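Review bot: step 4 of the Custom tab in nodejs.md says "Double-check that the function's handler is set correctly", but no earlier step sets it; this step is where the reader first redirects the handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler` and moves the original into `DD_LAMBDA_HANDLER`, so retitle it "Set the function's handler" and make clear that AAP will not see requests if the original handler is left in place. The CDK snippet is fenced as ```javascript while the Go and Java pages fence the identical `import`/`this` code as ```typescript; pick one. The recurring defects are also present: step numbering `1.`, `2.`, `4.` in the Serverless Framework tab, the v1 install and `NOT SUPPORTED IN V1` contradiction in the AWS CDK tab, a duplicated and uncited `[15]`, and unused `[2]` and `[8]`; "is setup on" should read "is set up on".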
@@ -1,8 +1,5 @@ --- -title: Enabling App and API Protection for AWS Lambda -aliases: - - /security/application_security/getting_started/serverless - - /security/application_security/enabling/serverless +title: Enabling App and API Protection for AWS Lambda functions in Python further_reading: - link: "/security/application_security/how-it-works/" tag: "Documentation" diff --git a/content/en/security/application_security/setup/aws/lambda/ruby.md b/content/en/security/application_security/setup/aws/lambda/ruby.md new file mode 100644 index 0000000000000..1b819453b7be1 --- /dev/null +++ b/content/en/security/application_security/setup/aws/lambda/ruby.md 
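Review bot: dropping the two `aliases` entries (`/security/application_security/getting_started/serverless` and `/security/application_security/enabling/serverless`) from python.md means those legacy URLs will stop redirecting to this page; since an alias should be owned by exactly one page, confirm in the same patch that the landing page for the new per-language layout declares both of them, or existing deep links and bookmarks will 404. The title change itself is consistent with the other per-language pages.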
@@ -0,0 +1,321 @@ +--- +title: Enabling App and API Protection for AWS Lambda functions in Ruby +further_reading: + - link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + - link: "/security/application_security/threats/" + tag: "Documentation" + text: "App and API Protection" + - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" + tag: "Blog" + text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" +--- + +Configuring App and API Protection (AAP) for AWS Lambda involves: + +1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. +3. Triggering security signals in your application and seeing how Datadog displays the resulting information. + +## Prerequisites + +- [Serverless APM Tracing][apm-lambda-tracing-setup] is setup on the Lambda function to send traces directly to Datadog. + X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled. + +## Compatibility + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. 
+ +## Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ +## Get started + +{{< tabs >}} +{{% tab "Serverless Framework" %}} + +The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. + +To install and configure the Datadog Serverless Framework plugin: + +1. Install the Datadog Serverless Framework plugin: + ```sh + serverless plugin install --name serverless-plugin-datadog + ``` + +2. Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter: + ```yaml + custom: + datadog: + enableASM: true + ``` + + Overall, your new `serverless.yml` file should contain at least: + ```yaml + custom: + datadog: + apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey + enableDDTracing: true + enableASM: true + ``` + See also the complete list of [plugin parameters][4] to further configure your lambda settings. + +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. + +[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension +[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters + +{{% /tab %}} +{{% tab "Datadog CLI" %}} + +The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog's serverless monitoring. + +**If you are configuring initial tracing for your functions**, perform the following steps: + +1. Install the Datadog CLI client: + + ```sh + npm install -g @datadog/datadog-ci + ``` + +2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. 
To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment. + + ```sh + datadog-ci lambda instrument -i --appsec + ``` + +3. Configure the AWS credentials: + + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + +4. Configure the Datadog site: + + ```sh + export DATADOG_SITE="" + ``` + + Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct **Datadog site** is selected on the right-hand side of this page). + +5. Configure the Datadog API key: + + Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission. + + ```sh + export DATADOG_API_KEY_SECRET_ARN="" + ``` + + For testing purposes, you can also set the Datadog API key in plaintext: + + ```sh + export DATADOG_API_KEY="" + ``` + +6. Instrument your Lambda functions: + + To instrument your Lambda functions, run the following command. + + ```sh + datadog-ci lambda instrument --appsec -f -f -r -v {{< latest-lambda-layer-version layer="python" >}} -e {{< latest-lambda-layer-version layer="extension" >}} + ``` + + To fill in the placeholders: + - Replace `` and `` with your Lambda function names. + - Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression. + - Replace `` with the AWS region name. + + **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. 
+ + Additional parameters can be found in the [CLI documentation][2]. + + +[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli + +{{% /tab %}} +{{% tab "AWS CDK" %}} + +The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. + +1. Install the Datadog CDK constructs library: + + ```sh + # For AWS CDK v1 + pip install datadog-cdk-constructs + + # For AWS CDK v2 + pip install datadog-cdk-constructs-v2 + ``` + +2. Instrument your Lambda functions + + ```python + # For AWS CDK v1 + from datadog_cdk_constructs import Datadog + # NOT SUPPORTED IN V1 + + # For AWS CDK v2 + from datadog_cdk_constructs_v2 import Datadog + + datadog = Datadog(self, "Datadog", + python_layer_version={{< latest-lambda-layer-version layer="python" >}}, + extension_layer_version={{< latest-lambda-layer-version layer="extension" >}}, + site="", + api_key_secret_arn="", // or api_key + enable_asm=True, + ) + datadog.add_lambda_functions([]) + ``` + + To fill in the placeholders: + - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + + More information and additional parameters can be found on the [Datadog CDK documentation][1]. + +[1]: https://github.com/DataDog/datadog-cdk-constructs +[2]: https://app.datadoghq.com/organization-settings/api-keys + +{{% /tab %}} +{{% tab "Custom" %}} + +1. 
Install the Datadog Lambda library + + The Datadog Lambda Library can be installed as a layer or a gem. For most functions, Datadog recommends installing the library as a layer. If your Lambda function is deployed as a container image, you must install the library as a gem. + + The minor version of the `datadog-lambda` gem always matches the layer version. For example, datadog-lambda v0.5.0 matches the content of layer version 5. + + - Option A: [Configure the layers][1] for your Lambda function using the ARN in the following format: + + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + + arn:aws:lambda::464622532012:layer:Datadog-:{{< latest-lambda-layer-version layer="ruby" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="ruby" >}} + + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-:{{< latest-lambda-layer-version layer="ruby" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog--ARM:{{< latest-lambda-layer-version layer="ruby" >}} + ``` + + Replace `` with a valid AWS region such as `us-east-1`. The available `RUNTIME` options are `Ruby2-7`, and `Ruby3-2`. + + - Option B: If you cannot use the prebuilt Datadog Lambda layer, alternatively you can install the gems `datadog-lambda` and `datadog` by adding them to your Gemfile as an alternative: + + ```Gemfile + gem 'datadog' + gem 'datadog-lambda' + ``` + + `datadog` contains native extensions that must be compiled for Amazon Linux to work with AWS Lambda. Datadog therefore recommends that you build and deploy your Lambda as a container image. 
If your function cannot be deployed as a container image and you would like to use Datadog APM, Datadog recommends installing the Lambda Library as a layer instead of as a gem. + + Install `gcc`, `gmp-devel`, and `make` prior to running `bundle install` in your function's Dockerfile to ensure that the native extensions can be successfully compiled. + + ```dockerfile + FROM + + # assemble your container image + + RUN yum -y install gcc gmp-devel make + RUN bundle config set path 'vendor/bundle' + RUN bundle install + ``` + +2. Install the Datadog Lambda Extension + + - Option A: [Configure the layers][1] for your Lambda function using the ARN in the following format: + + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + + Replace `` with a valid AWS region, such as `us-east-1`. + + - Option B: Add the Datadog Lambda Extension to your container image by adding the following to your Dockerfile: + + ```dockerfile + COPY --from=public.ecr.aws/datadog/lambda-extension: /opt/extensions/ /opt/extensions + ``` + + Replace `` with either a specific version number (for example, `{{< latest-lambda-layer-version layer="extension" >}}`) or with `latest`. You can see a complete list of possible tags in the [Amazon ECR repository][2]. + +3. 
Configure your Lambda functions + + Enable Datadog APM and wrap your Lambda handler function using the wrapper provided by the Datadog Lambda library. + + ```ruby + require 'datadog/lambda' + + Datadog::Lambda.configure_apm do |c| + # Enable the instrumentation + end + + def handler(event:, context:) + Datadog::Lambda.wrap(event, context) do + return { statusCode: 200, body: 'Hello World' } + end + end + ``` + +4. Configure Datadog site and API key + + - Set the environment variable `DD_SITE` to {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Set the environment variable `DD_API_KEY_SECRET_ARN` with the ARN of the AWS secret where your [Datadog API key][3] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `DD_API_KEY` instead and set the Datadog API key in plaintext. + +5. Enable AAP by adding the following environment variables on your function deployment: + ```yaml + environment: + AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper + DD_SERVERLESS_APPSEC_ENABLED: true + ``` + +6. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][4]. 
+ +[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[2]: https://gallery.ecr.aws/datadog/lambda-extension +[3]: https://app.datadoghq.com/organization-settings/api-keys +[4]: https://app.datadoghq.com/security/appsec?column=time&order=desc + +{{% /tab %}} +{{< /tabs >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list +[2]: /serverless/distributed_tracing/ +[3]: https://app.datadoghq.com/security/appsec +[4]: /security/application_security/serverless/compatibility +[5]: /security/default_rules/security-scan-detected/ +[6]: /serverless/libraries_integrations/plugin/ +[apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ From 8f0c9168bb48233bee1a6a0010535fcbd805b57b Mon Sep 17 00:00:00 2001 From: Florentin Labelle Date: Tue, 23 Sep 2025 11:41:47 +0200 Subject: [PATCH 3/3] cleanup references --- .../setup/aws/lambda/dotnet.md | 114 ++++++++++-------- .../setup/aws/lambda/go.md | 44 +++---- .../setup/aws/lambda/java.md | 48 ++++---- .../setup/aws/lambda/nodejs.md | 48 ++++---- .../setup/aws/lambda/python.md | 62 +++++----- .../setup/aws/lambda/ruby.md | 58 ++++----- 6 files changed, 184 insertions(+), 190 deletions(-) diff --git a/content/en/security/application_security/setup/aws/lambda/dotnet.md b/content/en/security/application_security/setup/aws/lambda/dotnet.md index 0da9656078557..2a4d8252598b8 100644 --- a/content/en/security/application_security/setup/aws/lambda/dotnet.md +++ b/content/en/security/application_security/setup/aws/lambda/dotnet.md 
@@ -21,7 +21,7 @@ further_reading: Configuring App and API Protection (AAP) for AWS Lambda involves: 1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][2], or manually by using the Datadog tracing layers. 3. Triggering security signals in your application and seeing how Datadog displays the resulting information. ## Prerequisites @@ -31,7 +31,7 @@ Configuring App and API Protection (AAP) for AWS Lambda involves: ## Compatibility -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][3] to block IPs in your [WAF][4]. ## Supported trigger types Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: 
@@ -48,7 +48,7 @@ Threat Detection supports HTTP requests as function input only, as that channel {{< tabs >}} {{% tab "Serverless Framework" %}} -The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. +The [Datadog Serverless Framework plugin][2] can be used to automatically configure and deploy your lambda with AAP. To install and configure the Datadog Serverless Framework plugin: @@ -72,9 +72,9 @@ To install and configure the Datadog Serverless Framework plugin: enableDDTracing: true enableASM: true ``` - See also the complete list of [plugin parameters][9] to further configure your lambda settings. + See also the complete list of [plugin parameters][5] to further configure your lambda settings. -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. {{% /tab %}} {{% tab "Datadog CLI" %}} @@ -97,7 +97,7 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr 3. Configure the AWS credentials: - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][7]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. 4. Configure the Datadog site: 
@@ -136,12 +136,12 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - Additional parameters can be found in the [CLI documentation][11]. + Additional parameters can be found in the [CLI documentation][8]. {{% /tab %}} {{% tab "AWS CDK" %}} -The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. +The [Datadog CDK Construct][9] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. 1. Install the Datadog CDK constructs library: 
@@ -175,47 +175,67 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions To fill in the placeholders: - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + - Replace `` with the ARN of the AWS secret where your [Datadog API key][10] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - More information and additional parameters can be found on the [Datadog CDK documentation][12]. + More information and additional parameters can be found on the [Datadog CDK documentation][9]. {{% /tab %}} {{% tab "Custom" %}} -1. Install the Datadog tracer by configuring the layer ARN that matches your deployment. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} - ``` +1. Install the Datadog Tracer -2. 
Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `` with a valid AWS region such as `us-east-1`: - ```sh - # x86-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS commercial regions - arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - # x86-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} - # arm64-based Lambda in AWS GovCloud regions - arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} - ``` + [Configure the layers][11] for your Lambda function using the ARN in the following format: + + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:dd-trace-dotnet-ARM:{{< latest-lambda-layer-version layer="dd-trace-dotnet" >}} + ``` + + Replace `` with a valid AWS region, such as `us-east-1`. + +2. Install the Datadog Lambda Extension -3. 
Enable AAP by adding the following environment variables on your function deployment: + [Configure the layers][11] for your Lambda function using the ARN in the following format: + + ```sh + # Use this format for x86-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for arm64-based Lambda deployed in AWS commercial regions + arn:aws:lambda::464622532012:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for x86-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension:{{< latest-lambda-layer-version layer="extension" >}} + + # Use this format for arm64-based Lambda deployed in AWS GovCloud regions + arn:aws-us-gov:lambda::002406178527:layer:Datadog-Extension-ARM:{{< latest-lambda-layer-version layer="extension" >}} + ``` + + Replace `` with a valid AWS region, such as `us-east-1`. + +3. Set the required environment variables + + - Set `AWS_LAMBDA_EXEC_WRAPPER` to `/opt/datadog_wrapper`. + - Set `DD_SITE` to {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). + - Set `DD_API_KEY_SECRET_ARN` to the ARN of the AWS secret where your [Datadog API key][10] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `DD_API_KEY` instead and set the Datadog API key in plaintext. + +4. Enable AAP by adding the following environment variables on your function deployment: ```yaml environment: AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper DD_SERVERLESS_APPSEC_ENABLED: true ``` -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. - -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +5. Redeploy the function and invoke it. 
After a few minutes, it appears in [AAP views][6]. {{% /tab %}} {{< /tabs >}} @@ -225,16 +245,14 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[5]: /actions/workflows/ -[6]: /security/application_security/waf-integration/ -[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters -[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli -[12]: https://github.com/DataDog/datadog-cdk-constructs -[13]: https://app.datadoghq.com/organization-settings/api-keys -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[3]: /actions/workflows/ +[4]: /security/application_security/waf-integration/ +[5]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[6]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[7]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[8]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[9]: https://github.com/DataDog/datadog-cdk-constructs +[10]: https://app.datadoghq.com/organization-settings/api-keys +[11]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ 
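Review bot: in the new `ruby.md` (hunk `@@ -0,0 +1,321 @@` of PATCH 2/3), the Datadog CLI tab's instrument command passes `-v {{< latest-lambda-layer-version layer="python" >}}` while the Custom tab's layer ARNs use `layer="ruby"`, so the CLI path would pin the Python layer on a Ruby function. The CLI and AWS CDK tabs appear carried over from the Python page unchanged: `pip install datadog-cdk-constructs`, `python_layer_version=...` in the construct call, and a `// or api_key` comment inside a Python block (should be `#`). Switch the CLI command to the Ruby layer and, in the CDK snippet, use whatever parameter the construct exposes for the Ruby layer rather than `python_layer_version`. Separately, the Compatibility note links `[Workflows][5]` and `[WAF][6]`, but the page footer defines `[5]` as `/security/default_rules/security-scan-detected/` and `[6]` as `/serverless/libraries_integrations/plugin/` (the same `[6]` the intro uses for the Serverless Framework plugin), so both links resolve to the wrong pages; footer entries `[2]`, `[3]` and `[4]` are never referenced. The Serverless Framework tab numbers its steps 1, 2, 4 with no step 3. Minor wording: Prerequisites "is setup" should be "is set up", and Option B says both "alternatively" and "as an alternative" in one sentence. PATCH 3/3's diffstat lists `ruby.md` (58 lines changed) but that hunk is outside this excerpt, so please confirm the reference fixes land there.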
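Review bot: in the `dotnet.md` Custom tab hunk (`@@ -175,47 +175,67 @@`), `AWS_LAMBDA_EXEC_WRAPPER` is now configured in two places: step 3 says "Set `AWS_LAMBDA_EXEC_WRAPPER` to `/opt/datadog_wrapper`" and step 4's YAML block repeats `AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper` next to `DD_SERVERLESS_APPSEC_ENABLED: true`. Keep it in one place, either by dropping the bullet from step 3 or by reducing the step 4 block to the `DD_SERVERLESS_APPSEC_ENABLED` line, so a reader who edits one spot cannot leave a stale value in the other. The rest of the restructuring (layer ARNs split into their own steps, `[15]` replaced by the page-level `[11]`) reads fine.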
diff --git a/content/en/security/application_security/setup/aws/lambda/go.md b/content/en/security/application_security/setup/aws/lambda/go.md index 76ee03f8b9ec1..74a1c7cbc57ef 100644 --- a/content/en/security/application_security/setup/aws/lambda/go.md +++ b/content/en/security/application_security/setup/aws/lambda/go.md @@ -21,7 +21,7 @@ further_reading: Configuring App and API Protection (AAP) for AWS Lambda involves: 1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][2], or manually by using the Datadog tracing layers. 3. Triggering security signals in your application and seeing how Datadog displays the resulting information. ## Prerequisites @@ -31,7 +31,7 @@ Configuring App and API Protection (AAP) for AWS Lambda involves: ## Compatibility -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][3] to block IPs in your [WAF][4]. The Datadog Go tracer is distributed as a Go module rather than a Lambda layer. Ensure your functions vendor the latest `github.com/DataDog/datadog-lambda-go` release when enabling AAP. 
@@ -50,7 +50,7 @@ Threat Detection supports HTTP requests as function input only, as that channel {{< tabs >}} {{% tab "Serverless Framework" %}} -The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. +The [Datadog Serverless Framework plugin][2] can be used to automatically configure and deploy your lambda with AAP. To install and configure the Datadog Serverless Framework plugin: @@ -74,9 +74,9 @@ To install and configure the Datadog Serverless Framework plugin: enableDDTracing: true enableASM: true ``` - See also the complete list of [plugin parameters][9] to further configure your lambda settings. + See also the complete list of [plugin parameters][5] to further configure your lambda settings. -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. {{% /tab %}} {{% tab "Datadog CLI" %}} @@ -99,7 +99,7 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr 3. Configure the AWS credentials: - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][7]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. 4. Configure the Datadog site: 
@@ -138,12 +138,12 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. After the CLI completes, update your source code to depend on the latest `datadog-lambda-go` module release to enable App and API Protection. - Additional parameters can be found in the [CLI documentation][11]. + Additional parameters can be found in the [CLI documentation][8]. {{% /tab %}} {{% tab "AWS CDK" %}} -The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. +The [Datadog CDK Construct][9] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. 1. Install the Datadog CDK constructs library: 
@@ -176,9 +176,9 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions To fill in the placeholders: - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + - Replace `` with the ARN of the AWS secret where your [Datadog API key][10] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - More information and additional parameters can be found on the [Datadog CDK documentation][12]. + More information and additional parameters can be found on the [Datadog CDK documentation][9]. {{% /tab %}} {{% tab "Custom" %}} @@ -207,9 +207,8 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions DD_SERVERLESS_APPSEC_ENABLED: true ``` -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html {{% /tab %}} {{< /tabs >}} 
@@ -219,16 +218,13 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[5]: /actions/workflows/ -[6]: /security/application_security/waf-integration/ -[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters -[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli -[12]: https://github.com/DataDog/datadog-cdk-constructs -[13]: https://app.datadoghq.com/organization-settings/api-keys -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[3]: /actions/workflows/ +[4]: /security/application_security/waf-integration/ +[5]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[6]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[7]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[8]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[9]: https://github.com/DataDog/datadog-cdk-constructs +[10]: https://app.datadoghq.com/organization-settings/api-keys [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ 
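Review bot: in the `go.md` Custom tab hunk (`@@ -207,9 +207,8 @@`) the local `[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html` definition is removed, and unlike `dotnet.md` the `go.md` footer hunk (`@@ -219,16 +218,13 @@`) adds no `[11]` replacement for it. If any `[...][15]` link still exists in the Go Custom tab (not visible in this hunk), it will now render as literal bracketed text; grep the file before merging. Relatedly, the Compatibility section states that the Go tracer is distributed as a Go module rather than a Lambda layer, while the AWS CDK tab text still says the construct "automatically installs Datadog on your functions using Lambda Layers"; a Go-specific sentence there would avoid contradicting the note above it while the references are being cleaned up.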
diff --git a/content/en/security/application_security/setup/aws/lambda/java.md b/content/en/security/application_security/setup/aws/lambda/java.md index 8ee8ff9744568..e5e4dd6bb4b92 100644 --- a/content/en/security/application_security/setup/aws/lambda/java.md +++ b/content/en/security/application_security/setup/aws/lambda/java.md @@ -21,7 +21,7 @@ further_reading: Configuring App and API Protection (AAP) for AWS Lambda involves: 1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][2], or manually by using the Datadog tracing layers. 3. Triggering security signals in your application and seeing how Datadog displays the resulting information. ## Prerequisites 
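Review bot: step 2 still hard-codes the Datadog CLI and AWS CDK URLs inline while linking the Serverless Framework plugin by reference `[2]`, even though the consolidated list at the bottom of java.md now defines the same two URLs as `[9]` and `[10]`. Use `[Datadog CLI][9]` and `[AWS CDK][10]` here so each URL is maintained in one place, and apply the same change to the identical sentence in nodejs.md, python.md and ruby.md with their own numbers.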
@@ -31,9 +31,9 @@ Configuring App and API Protection (AAP) for AWS Lambda involves: ## Compatibility -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][3] to block IPs in your [WAF][4]. -To fully instrument your Java Lambda functions with distributed tracing, use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`), or Java 17 (`java17`) runtimes with at least 1024MB of memory. If you are using the Datadog Lambda layers `dd-trace-java:4` (or older) together with `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][14] before enabling AAP. +To fully instrument your Java Lambda functions with distributed tracing, use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`), or Java 17 (`java17`) runtimes with at least 1024MB of memory. If you are using the Datadog Lambda layers `dd-trace-java:4` (or older) together with `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][5] before enabling AAP. ## Supported trigger types Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: @@ -50,7 +50,7 @@ Threat Detection supports HTTP requests as function input only, as that channel {{< tabs >}} {{% tab "Serverless Framework" %}} -The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. +The [Datadog Serverless Framework plugin][2] can be used to automatically configure and deploy your lambda with AAP. To install and configure the Datadog Serverless Framework plugin: 
@@ -74,9 +74,9 @@ To install and configure the Datadog Serverless Framework plugin: enableDDTracing: true enableASM: true ``` - See also the complete list of [plugin parameters][9] to further configure your lambda settings. + See also the complete list of [plugin parameters][6] to further configure your lambda settings. -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][7]. {{% /tab %}} {{% tab "Datadog CLI" %}} @@ -99,7 +99,7 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr 3. Configure the AWS credentials: - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][8]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. 4. Configure the Datadog site: 
@@ -138,12 +138,12 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - Additional parameters can be found in the [CLI documentation][11]. + Additional parameters can be found in the [CLI documentation][9]. {{% /tab %}} {{% tab "AWS CDK" %}} -The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. +The [Datadog CDK Construct][10] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. 1. Install the Datadog CDK constructs library: 
@@ -177,9 +177,9 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions To fill in the placeholders: - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + - Replace `` with the ARN of the AWS secret where your [Datadog API key][11] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - More information and additional parameters can be found on the [Datadog CDK documentation][12]. + More information and additional parameters can be found on the [Datadog CDK documentation][10]. {{% /tab %}} {{% tab "Custom" %}} @@ -211,9 +211,8 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions DD_SERVERLESS_APPSEC_ENABLED: true ``` -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][7]. -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html {{% /tab %}} {{< /tabs >}} 
@@ -223,17 +222,14 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[5]: /actions/workflows/ -[6]: /security/application_security/waf-integration/ -[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters -[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli -[12]: https://github.com/DataDog/datadog-cdk-constructs -[13]: https://app.datadoghq.com/organization-settings/api-keys -[14]: /serverless/guide/upgrade_java_instrumentation/ -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[3]: /actions/workflows/ +[4]: /security/application_security/waf-integration/ +[5]: /serverless/guide/upgrade_java_instrumentation/ +[6]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[7]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[8]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[9]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[10]: https://github.com/DataDog/datadog-cdk-constructs +[11]: https://app.datadoghq.com/organization-settings/api-keys [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ 
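Review bot: the rewritten list mixes site-relative paths (`[3]: /actions/workflows/`, `[4]: /security/application_security/waf-integration/`, `[5]: /serverless/guide/upgrade_java_instrumentation/`) with absolute `https://docs.datadoghq.com/...` URLs for other pages of the same docs site (`[2]`, `[6]`, `[9]`). Since every definition is being rewritten anyway, use the relative form for all internal pages so preview and staging builds link to themselves rather than to production, and keep absolute URLs only for app.datadoghq.com, AWS and GitHub targets.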
diff --git a/content/en/security/application_security/setup/aws/lambda/nodejs.md b/content/en/security/application_security/setup/aws/lambda/nodejs.md index 4fd308fd6bcc2..ec26649ac43aa 100644 --- a/content/en/security/application_security/setup/aws/lambda/nodejs.md +++ b/content/en/security/application_security/setup/aws/lambda/nodejs.md @@ -21,7 +21,7 @@ further_reading: Configuring App and API Protection (AAP) for AWS Lambda involves: 1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][7], or manually by using the Datadog tracing layers. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][2], or manually by using the Datadog tracing layers. 3. Triggering security signals in your application and seeing how Datadog displays the resulting information. ## Prerequisites 
@@ -31,9 +31,9 @@ Configuring App and API Protection (AAP) for AWS Lambda involves: ## Compatibility -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][3] to block IPs in your [WAF][4]. -If you bundle your Node.js functions using webpack or esbuild, follow the [bundler guidance][4] to ensure compatibility with Datadog App and API Protection. +If you bundle your Node.js functions using webpack or esbuild, follow the [bundler guidance][5] to ensure compatibility with Datadog App and API Protection. ## Supported trigger types Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: @@ -50,7 +50,7 @@ Threat Detection supports HTTP requests as function input only, as that channel {{< tabs >}} {{% tab "Serverless Framework" %}} -The [Datadog Serverless Framework plugin][7] can be used to automatically configure and deploy your lambda with AAP. +The [Datadog Serverless Framework plugin][2] can be used to automatically configure and deploy your lambda with AAP. To install and configure the Datadog Serverless Framework plugin: @@ -74,9 +74,9 @@ To install and configure the Datadog Serverless Framework plugin: enableDDTracing: true enableASM: true ``` - See also the complete list of [plugin parameters][9] to further configure your lambda settings. + See also the complete list of [plugin parameters][6] to further configure your lambda settings. -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][7]. {{% /tab %}} {{% tab "Datadog CLI" %}} 
@@ -99,7 +99,7 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr 3. Configure the AWS credentials: - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][10]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][8]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. 4. Configure the Datadog site: @@ -138,12 +138,12 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - Additional parameters can be found in the [CLI documentation][11]. + Additional parameters can be found in the [CLI documentation][9]. {{% /tab %}} {{% tab "AWS CDK" %}} -The [Datadog CDK Construct][12] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. +The [Datadog CDK Construct][10] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. 1. Install the Datadog CDK constructs library: 
@@ -177,9 +177,9 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions To fill in the placeholders: - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][13] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + - Replace `` with the ARN of the AWS secret where your [Datadog API key][11] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - More information and additional parameters can be found on the [Datadog CDK documentation][12]. + More information and additional parameters can be found on the [Datadog CDK documentation][10]. {{% /tab %}} {{% tab "Custom" %}} @@ -217,9 +217,8 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions - Set your function's handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler`. - Set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. -5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][7]. -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html {{% /tab %}} {{< /tabs >}} 
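Review bot: the `Redeploy the function and invoke it` step retargeted to `[7]` here is the only verification step on the page, and the Supported trigger types section above states that Threat Detection inspects HTTP request input only. Say explicitly to invoke the function through one of the HTTP sources listed there; a direct invocation with a non-HTTP event payload produces no threat detection data, and a reader who tests that way will conclude the setup failed.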
@@ -229,17 +228,14 @@ The [Datadog CDK Construct][12] automatically installs Datadog on your functions {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[4]: https://docs.datadoghq.com/serverless/guide/serverless_tracing_and_bundlers/ -[5]: /actions/workflows/ -[6]: /security/application_security/waf-integration/ -[7]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[8]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[9]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters -[10]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[11]: https://docs.datadoghq.com/serverless/serverless_integrations/cli -[12]: https://github.com/DataDog/datadog-cdk-constructs -[13]: https://app.datadoghq.com/organization-settings/api-keys -[15]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[3]: /actions/workflows/ +[4]: /security/application_security/waf-integration/ +[5]: https://docs.datadoghq.com/serverless/guide/serverless_tracing_and_bundlers/ +[6]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[7]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[8]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[9]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[10]: https://github.com/DataDog/datadog-cdk-constructs +[11]: https://app.datadoghq.com/organization-settings/api-keys [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ 
diff --git a/content/en/security/application_security/setup/aws/lambda/python.md b/content/en/security/application_security/setup/aws/lambda/python.md index f4791b4daed23..1be5d150d32b1 100644 --- a/content/en/security/application_security/setup/aws/lambda/python.md +++ b/content/en/security/application_security/setup/aws/lambda/python.md @@ -21,7 +21,7 @@ further_reading: Configuring App and API Protection (AAP) for AWS Lambda involves: 1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][2], or manually by using the Datadog tracing layers. 3. Triggering security signals in your application and seeing how Datadog displays the resulting information. ## Prerequisites @@ -44,7 +44,7 @@ Threat Detection supports HTTP requests as function input only, as that channel {{< tabs >}} {{% tab "Serverless Framework" %}} -The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. +The [Datadog Serverless Framework plugin][2] can be used to automatically configure and deploy your lambda with AAP. To install and configure the Datadog Serverless Framework plugin: 
@@ -68,14 +68,10 @@ To install and configure the Datadog Serverless Framework plugin: enableDDTracing: true enableASM: true ``` - See also the complete list of [plugin parameters][4] to further configure your lambda settings. + See also the complete list of [plugin parameters][3] to further configure your lambda settings. -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][4]. -[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters {{% /tab %}} {{% tab "Datadog CLI" %}} @@ -98,7 +94,7 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr 3. Configure the AWS credentials: - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][5]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. 4. Configure the Datadog site: 
@@ -137,16 +133,14 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - Additional parameters can be found in the [CLI documentation][2]. + Additional parameters can be found in the [CLI documentation][6]. -[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli {{% /tab %}} {{% tab "AWS CDK" %}} -The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. +The [Datadog CDK Construct][7] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. 1. Install the Datadog CDK constructs library: 
@@ -180,12 +174,10 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions To fill in the placeholders: - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + - Replace `` with the ARN of the AWS secret where your [Datadog API key][8] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - More information and additional parameters can be found on the [Datadog CDK documentation][1]. + More information and additional parameters can be found on the [Datadog CDK documentation][7]. -[1]: https://github.com/DataDog/datadog-cdk-constructs -[2]: https://app.datadoghq.com/organization-settings/api-keys {{% /tab %}} {{% tab "Custom" %}} @@ -196,7 +188,7 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions The minor version of the `datadog-lambda` package always matches the layer version. For example, datadog-lambda v0.5.0 matches the content of layer version 5. - - Option A: [Configure the layers][1] for your Lambda function using the ARN in the following format: + - Option A: [Configure the layers][9] for your Lambda function using the ARN in the following format: ```sh # Use this format for x86-based Lambda deployed in AWS commercial regions 
@@ -220,13 +212,13 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions pip install datadog-lambda -t ./ ``` - **Note**: `datadog-lambda` depends on `ddtrace`, which uses native extensions; therefore it must be installed and compiled in a Linux environment on the right architecture (`x86_64` or `arm64`). For example, you can use [dockerizePip][2] for the Serverless Framework and [--use-container][3] for AWS SAM. For more details, see [how to add dependencies to your function deployment package][4]. + **Note**: `datadog-lambda` depends on `ddtrace`, which uses native extensions; therefore it must be installed and compiled in a Linux environment on the right architecture (`x86_64` or `arm64`). For example, you can use [dockerizePip][10] for the Serverless Framework and [--use-container][11] for AWS SAM. For more details, see [how to add dependencies to your function deployment package][12]. - See the [latest release][5]. + See the [latest release][13]. 2. Install the Datadog Lambda Extension - [Configure the layers][1] for your Lambda function using the ARN in the following format: + [Configure the layers][9] for your Lambda function using the ARN in the following format: ```sh # Use this format for x86-based Lambda deployed in AWS commercial regions 
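Review bot: the Option B install in this hunk, `pip install datadog-lambda -t ./`, is unpinned, so each build pulls whatever version PyPI serves that day and the bundled tracer can drift from the Lambda Extension layer version pinned right after it. Show a pinned install such as `pip install 'datadog-lambda==<version>' -t ./`, tied to the layer version the preceding paragraph says the package tracks, and point readers at the `[latest release][13]` link for the number; pinning also gives a reproducible deployment package that can be reviewed and hashed.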
@@ -249,7 +241,7 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions - Set your function's handler to `datadog_lambda.handler.handler`. - Set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`. - **Note**: If you are using a third-party security or monitoring tool that is incompatible with the Datadog handler redirection, you can [apply the Datadog wrapper in your function code][6] instead. + **Note**: If you are using a third-party security or monitoring tool that is incompatible with the Datadog handler redirection, you can [apply the Datadog wrapper in your function code][14] instead. 4. Enable AAP by adding the following environment variables on your function deployment: ```yaml @@ -257,14 +249,8 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions DD_APPSEC_ENABLED: true ``` -5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. +5. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][4]. -[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -[2]: https://github.com/UnitedIncome/serverless-python-requirements#cross-compiling -[3]: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-build.html -[4]: https://docs.aws.amazon.com/lambda/latest/dg/python-package.html#python-package-dependencies -[5]: https://pypi.org/project/datadog-lambda/ -[6]: https://app.datadoghq.com/security/appsec?column=time&order=desc {{% /tab %}} {{< /tabs >}} 
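Review bot: this hunk is a link fix, not only a renumbering, and the commit message should say so: before the change the `[apply the Datadog wrapper in your function code][6]` note and the `[AAP views][6]` step both resolved to the tab-local `[6]: https://app.datadoghq.com/security/appsec?column=time&order=desc` definition removed here, so the wrapper link sent readers to the signals view. Retargeting the note to `[14]` corrects that; check the other language pages for the same copy-paste `[6]` collision before they are consolidated the same way.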
@@ -274,9 +260,17 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec -[4]: /security/application_security/serverless/compatibility -[5]: /security/default_rules/security-scan-detected/ -[6]: /serverless/libraries_integrations/plugin/ +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[3]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[4]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[5]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[6]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[7]: https://github.com/DataDog/datadog-cdk-constructs +[8]: https://app.datadoghq.com/organization-settings/api-keys +[9]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[10]: https://github.com/UnitedIncome/serverless-python-requirements#cross-compiling +[11]: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-build.html +[12]: https://docs.aws.amazon.com/lambda/latest/dg/python-package.html#python-package-dependencies +[13]: https://pypi.org/project/datadog-lambda/ +[14]: https://docs.datadoghq.com/serverless/guide/handler_wrapper [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/ diff --git a/content/en/security/application_security/setup/aws/lambda/ruby.md b/content/en/security/application_security/setup/aws/lambda/ruby.md index 1b819453b7be1..5eb2c445ad35b 100644 --- a/content/en/security/application_security/setup/aws/lambda/ruby.md 
+++ b/content/en/security/application_security/setup/aws/lambda/ruby.md @@ -21,7 +21,7 @@ further_reading: Configuring App and API Protection (AAP) for AWS Lambda involves: 1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on [the Security tab of your Software Catalog][1]. -2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][6], or manually by using the Datadog tracing layers. +2. Setting up AAP instrumentation by using either the [Datadog CLI](https://docs.datadoghq.com/serverless/serverless_integrations/cli), [AWS CDK](https://github.com/DataDog/datadog-cdk-constructs), [Datadog Serverless Framework plugin][2], or manually by using the Datadog tracing layers. 3. Triggering security signals in your application and seeing how Datadog displays the resulting information. ## Prerequisites @@ -31,7 +31,7 @@ Configuring App and API Protection (AAP) for AWS Lambda involves: ## Compatibility -**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][3] to block IPs in your [WAF][4]. ## Supported trigger types Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: 
@@ -47,7 +47,7 @@ Threat Detection supports HTTP requests as function input only, as that channel {{< tabs >}} {{% tab "Serverless Framework" %}} -The [Datadog Serverless Framework plugin][1] can be used to automatically configure and deploy your lambda with AAP. +The [Datadog Serverless Framework plugin][2] can be used to automatically configure and deploy your lambda with AAP. To install and configure the Datadog Serverless Framework plugin: @@ -71,14 +71,10 @@ To install and configure the Datadog Serverless Framework plugin: enableDDTracing: true enableASM: true ``` - See also the complete list of [plugin parameters][4] to further configure your lambda settings. + See also the complete list of [plugin parameters][5] to further configure your lambda settings. -4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][3]. +4. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. -[1]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin -[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension -[3]: https://app.datadoghq.com/security/appsec?column=time&order=desc -[4]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters {{% /tab %}} {{% tab "Datadog CLI" %}} @@ -101,7 +97,7 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr 3. Configure the AWS credentials: - Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][1]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. + Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to [resolve the credentials][7]. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI. 4. Configure the Datadog site: 
@@ -140,16 +136,14 @@ The Datadog CLI modifies existing Lambda function configurations to enable instr **Note**: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes. - Additional parameters can be found in the [CLI documentation][2]. + Additional parameters can be found in the [CLI documentation][8]. -[1]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html -[2]: https://docs.datadoghq.com/serverless/serverless_integrations/cli {{% /tab %}} {{% tab "AWS CDK" %}} -The [Datadog CDK Construct][1] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. +The [Datadog CDK Construct][9] automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension. 1. Install the Datadog CDK constructs library: 
@@ -183,12 +177,10 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions To fill in the placeholders: - Replace `` with {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Replace `` with the ARN of the AWS secret where your [Datadog API key][2] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. + - Replace `` with the ARN of the AWS secret where your [Datadog API key][10] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext. - More information and additional parameters can be found on the [Datadog CDK documentation][1]. + More information and additional parameters can be found on the [Datadog CDK documentation][9]. -[1]: https://github.com/DataDog/datadog-cdk-constructs -[2]: https://app.datadoghq.com/organization-settings/api-keys {{% /tab %}} {{% tab "Custom" %}} @@ -199,7 +191,7 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions The minor version of the `datadog-lambda` gem always matches the layer version. For example, datadog-lambda v0.5.0 matches the content of layer version 5. - - Option A: [Configure the layers][1] for your Lambda function using the ARN in the following format: + - Option A: [Configure the layers][11] for your Lambda function using the ARN in the following format: ```sh # Use this format for x86-based Lambda deployed in AWS commercial regions 
@@ -242,7 +234,7 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions 2. Install the Datadog Lambda Extension - - Option A: [Configure the layers][1] for your Lambda function using the ARN in the following format: + - Option A: [Configure the layers][11] for your Lambda function using the ARN in the following format: ```sh # Use this format for x86-based Lambda deployed in AWS commercial regions @@ -266,7 +258,7 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions COPY --from=public.ecr.aws/datadog/lambda-extension: /opt/extensions/ /opt/extensions ``` - Replace `` with either a specific version number (for example, `{{< latest-lambda-layer-version layer="extension" >}}`) or with `latest`. You can see a complete list of possible tags in the [Amazon ECR repository][2]. + Replace `` with either a specific version number (for example, `{{< latest-lambda-layer-version layer="extension" >}}`) or with `latest`. You can see a complete list of possible tags in the [Amazon ECR repository][12]. 3. Configure your Lambda functions 
@@ -289,7 +281,7 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions 4. Configure Datadog site and API key - Set the environment variable `DD_SITE` to {{< region-param key="dd_site" code="true" >}} (ensure the correct SITE is selected on the right). - - Set the environment variable `DD_API_KEY_SECRET_ARN` with the ARN of the AWS secret where your [Datadog API key][3] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `DD_API_KEY` instead and set the Datadog API key in plaintext. + - Set the environment variable `DD_API_KEY_SECRET_ARN` with the ARN of the AWS secret where your [Datadog API key][10] is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `DD_API_KEY` instead and set the Datadog API key in plaintext. 5. Enable AAP by adding the following environment variables on your function deployment: ```yaml @@ -298,12 +290,8 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions DD_SERVERLESS_APPSEC_ENABLED: true ``` -6. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][4]. +6. Redeploy the function and invoke it. After a few minutes, it appears in [AAP views][6]. -[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html -[2]: https://gallery.ecr.aws/datadog/lambda-extension -[3]: https://app.datadoghq.com/organization-settings/api-keys -[4]: https://app.datadoghq.com/security/appsec?column=time&order=desc {{% /tab %}} {{< /tabs >}} 
@@ -313,9 +301,15 @@ The [Datadog CDK Construct][1] automatically installs Datadog on your functions {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/services?query=type%3Afunction%20&env=prod&groupBy=&hostGroup=%2A&lens=Security&sort=-attackExposure&view=list -[2]: /serverless/distributed_tracing/ -[3]: https://app.datadoghq.com/security/appsec -[4]: /security/application_security/serverless/compatibility -[5]: /security/default_rules/security-scan-detected/ -[6]: /serverless/libraries_integrations/plugin/ +[2]: https://docs.datadoghq.com/serverless/serverless_integrations/plugin +[3]: /actions/workflows/ +[4]: /security/application_security/waf-integration/ +[5]: https://docs.datadoghq.com/serverless/libraries_integrations/plugin/#configuration-parameters +[6]: https://app.datadoghq.com/security/appsec?column=time&order=desc +[7]: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html +[8]: https://docs.datadoghq.com/serverless/serverless_integrations/cli +[9]: https://github.com/DataDog/datadog-cdk-constructs +[10]: https://app.datadoghq.com/organization-settings/api-keys +[11]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html +[12]: https://gallery.ecr.aws/datadog/lambda-extension [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
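Review bot: In the `@@ -47` and `@@ -71` hunks of the "Serverless Framework" tab, the tab-local definition `[2]: https://docs.datadoghq.com/serverless/libraries_integrations/extension` is deleted without a replacement in the new shared list, and `[2]` is now defined at file scope as the plugin URL. Any `][2]` reference left in the unchanged body of that tab will therefore resolve to the plugin page instead of the Extension page with no build error. Grep the tab for `][2]` before merging, and if the Extension link is still used, add it to the shared list under a fresh number rather than reusing `[2]`.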
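Review bot: In the `@@ -313` reference-list hunk, `[2]` to `[6]` keep their numbers but change targets (for example `[4]` moves from `/security/application_security/serverless/compatibility` to `/security/application_security/waf-integration/`, and `[3]` from `https://app.datadoghq.com/security/appsec` to `/actions/workflows/`), while no visible hunk references the new `[3]` or `[4]`. A stale `[3]`/`[4]` in the unchanged body would silently point at the new pages, and an unreferenced definition is dead weight; confirm every `[3]`..`[6]` in the body intends the new target or renumber the new entries instead of reusing old indices. Two smaller points in the same hunk: `[2]` and `[5]` link the plugin docs under different prefixes (`serverless/serverless_integrations/plugin` versus `serverless/libraries_integrations/plugin/#configuration-parameters`), so pick the canonical path for both; and the list mixes absolute `https://docs.datadoghq.com/...` URLs (`[2]`, `[5]`, `[8]`) with site-relative paths (`[3]`, `[4]`), whereas the removed entries used relative paths for internal docs links. Using relative paths for all docs.datadoghq.com targets keeps the links working across site environments.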