The FIPS-compliant Datadog Lambda extension is available in all AWS regions. While you can use these FIPS-compliant Lambda components with any Datadog site, end-to-end FIPS compliance requires sending data to the US1-FED site (ddog-gov.com).

Datadog provides FIPS-compliant monitoring for AWS Lambda functions through the use of FIPS-certified cryptographic modules and specially designed Lambda extension layers.

FIPS-Compliant Components

Datadog’s FIPS compliance for AWS Lambda is implemented through two main components:

  1. FIPS-Compliant Lambda Extension:

  2. Runtime Libraries Support:

    • The Python and JavaScript Datadog Lambda Layers, and the Go Datadog Lambda Library offer FIPS-compliant operation controlled by the DD_LAMBDA_FIPS_MODE environment variable.
      • DD_LAMBDA_FIPS_MODE defaults to true in GovCloud and false otherwise.
    • When FIPS mode is enabled:
      • The runtime libraries use AWS FIPS endpoints for Datadog API key retrieval
      • The Lambda metric helper functions require the FIPS-compliant extension for metric submission:
        • Python: lambda_metric from datadog_lambda.metric
        • Node.js: sendDistributionMetric from datadog-lambda-js
        • Go: Metric() from ddlambda

FIPS Extension Layers

Datadog provides separate Lambda extension layers for FIPS compliance in both x86 and ARM architectures:

arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:78
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:78

Replace <AWS_REGION> with a valid AWS GovCloud region such as us-gov-west-1.

arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:78
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:78

Replace <AWS_REGION> with a valid AWS region such as us-east-1.

Runtime Support

Python, JavaScript, and Go

For Python, JavaScript, and Go Lambda functions, FIPS compliance is controlled using the DD_LAMBDA_FIPS_MODE environment variable:

  • In GovCloud environments, DD_LAMBDA_FIPS_MODE defaults to true.
  • In commercial regions, DD_LAMBDA_FIPS_MODE defaults to false.

When FIPS mode is enabled:

  • AWS FIPS endpoints are used for Datadog API key lookups in AWS secure datastores.
  • Direct metric submission to the Datadog API is disabled, requiring the FIPS-compliant extension for metric submission.

Ruby, .NET, and Java

Ruby, .NET, and Java runtime libraries do not require the DD_LAMBDA_FIPS_MODE environment variable as these runtimes do not:

  • Contact AWS APIs directly
  • Send metrics directly to Datadog

Installation and Configuration

To use FIPS-compliant monitoring for your AWS Lambda functions:

  1. Select the FIPS-compliant extension layer:

    • Use the appropriate FIPS extension layer ARN for your architecture (x86 or ARM) and region (commercial or GovCloud).
  2. Configure environment variables:

    • For GovCloud environments, DD_LAMBDA_FIPS_MODE is enabled by default.
    • For commercial regions, set DD_LAMBDA_FIPS_MODE=true to enable FIPS mode.
    • For complete end-to-end FIPS compliance, set DD_SITE to ddog-gov.com to send data to the US1-FED site.
  3. Follow the standard installation instructions:

    • Refer to the installation guides for language-specific configurations.
    • Use the FIPS extension layer ARNs instead of the standard extension layers.

For detailed installation instructions specific to your language runtime and deployment method, see the installation documentation.
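As an added illustration (not Datadog's own code or tooling), the following Python function audits a Lambda function's configuration against the three steps above: it checks that the attached Datadog extension layer is the FIPS variant matching the function's partition, region and architecture, applies the documented DD_LAMBDA_FIPS_MODE default rule, and confirms DD_SITE points at ddog-gov.com. The function name, finding strings and the sample inputs are hypothetical; the inputs mirror the fields a `aws lambda get-function-configuration` call returns.

```python
import re
from typing import Dict, List

# Layer ARN shapes from the page: Datadog-Extension-FIPS / Datadog-Extension-ARM-FIPS,
# published from account 002406178527 (GovCloud) or 464622532012 (commercial).
FIPS_LAYER_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov):lambda:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):layer:Datadog-Extension(?P<arm>-ARM)?-FIPS:(?P<version>\d+)$"
)
STANDARD_LAYER_RE = re.compile(r":layer:Datadog-Extension(-ARM)?:\d+$")
LAYER_ACCOUNTS = {"aws-us-gov": "002406178527", "aws": "464622532012"}
FIPS_SITE = "ddog-gov.com"


def effective_fips_mode(env: Dict[str, str], region: str) -> bool:
    """Apply the documented default: true in GovCloud, false in commercial regions."""
    raw = env.get("DD_LAMBDA_FIPS_MODE")
    if raw is None:
        return region.startswith("us-gov-")
    return raw.strip().lower() == "true"


def audit_fips_config(region: str, architecture: str,
                      layers: List[str], env: Dict[str, str]) -> List[str]:
    """Return findings (hypothetical audit helper); an empty list means end-to-end FIPS.
    `architecture` is Lambda's "x86_64" or "arm64"; `layers` are layer ARNs; `env` is the
    function's environment variable map (inputs are constructed in the examples)."""
    findings: List[str] = []
    expected_partition = "aws-us-gov" if region.startswith("us-gov-") else "aws"
    fips_layers = [m for arn in layers if (m := FIPS_LAYER_RE.match(arn))]
    if not fips_layers:
        findings.append("no Datadog-Extension-FIPS layer attached")
    for arn in layers:  # the standard extension layer must be replaced, not supplemented
        if STANDARD_LAYER_RE.search(arn):
            findings.append(f"standard (non-FIPS) extension layer attached: {arn}")
    for m in fips_layers:
        if m["partition"] != expected_partition or m["region"] != region:
            findings.append(f"layer partition/region mismatch: {m.group(0)}")
        if m["account"] != LAYER_ACCOUNTS[expected_partition]:
            findings.append(f"unexpected layer publisher account: {m['account']}")
        if bool(m["arm"]) != (architecture == "arm64"):
            findings.append(f"layer architecture mismatch for {architecture}: {m.group(0)}")
    if not effective_fips_mode(env, region):
        findings.append("DD_LAMBDA_FIPS_MODE is not enabled; set DD_LAMBDA_FIPS_MODE=true")
    if env.get("DD_SITE") != FIPS_SITE:
        findings.append(f"DD_SITE is not {FIPS_SITE}; intake is not end-to-end FIPS")
    return findings
```

A commercial-region function with the FIPS layer but no DD_LAMBDA_FIPS_MODE and no DD_SITE yields two findings, which is exactly the gap step 2 closes.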

Limitations and Considerations

  • End-to-end FIPS Compliance: For complete FIPS compliance, the FIPS-compliant Lambda components must be used to send telemetry to the US1-FED region (ddog-gov.com). While the Lambda components themselves implement FIPS-compliant cryptography regardless of the destination, only the US1-FED site has FIPS-compliant intake endpoints.

  • Customer Responsibility: You, the Datadog customer, are responsible for:

    • The security posture of your own Lambda function code
    • Ensuring all other code you may be running in your Lambda execution environment maintains FIPS compliance as required
  • FIPS Compliance Scope: FIPS compliance only applies to communication between the Datadog Lambda components and Datadog’s intake API endpoints. Other forms of communication originating from or terminating at your Lambda functions are not made FIPS-compliant by this solution.

  • Version Requirements: Use the latest versions of the Datadog Lambda extension and libraries to ensure full functionality and up-to-date security.
