Setup App and API Protection for Java on AWS Fargate

This product is not supported for your selected Datadog site. ().
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Overview

App and API Protection works by leveraging the Datadog Java library to monitor and secure your Java service. The library integrates seamlessly with your existing application without requiring code changes.

For detailed compatibility information, including supported Java versions, frameworks, and deployment environments, see Java Compatibility Requirements.

This guide explains how to set up App and API Protection (AAP) for Java applications. The setup involves:

  1. Installing the Datadog Agent
  2. Enabling App and API Protection monitoring
  3. Running your Java application with the Datadog Agent
  4. Verifying the setup

Prerequisites

  • AWS Fargate environment
  • Java application containerized with Docker
  • AWS CLI configured with appropriate permissions
  • Your Datadog API key
  • Datadog Java tracing library (see version requirements here)

1. Installing the Datadog Agent

Install the Datadog Agent in your Fargate task definition:

{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "image": "public.ecr.aws/datadog/agent:latest",
      "environment": [
        {
          "name": "DD_API_KEY",
          "value": "<YOUR_API_KEY>"
        },
        {
          "name": "DD_APM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_APM_NON_LOCAL_TRAFFIC",
          "value": "true"
        }
      ]
    }
  ]
}

2. Enabling App and API Protection monitoring

Automatically enabling App and API Protection through Remote Configuration

APM Tracing cannot be disabled for the time being with remote config.

You can enable remote configuration on your services dashboard. Simply check the box for the service you want to enable App and API Protection for under "Activate on your APM services".

Manually enabling App and API Protection monitoring

Download the latest version of the Datadog Java library:

ADD 'https://dtdg.co/latest-java-tracer' /dd-java-agent.jar

    Update your task definition to include the Java agent and App and API Protection configuration:

    {
  "containerDefinitions": [
    {
      "name": "your-java-app",
      "image": "your-java-app-image",
      "command": [
        "java",
        "-javaagent:/dd-java-agent.jar",
        "-Ddd.appsec.enabled=true",
        "-Ddd.service=<MY_SERVICE>",
        "-Ddd.env=<MY_ENV>",
        "-jar",
        "/app.jar"
      ]
    }
  ]
}

    Update your task definition to include the Java agent and App and API Protection configuration:

    {
  "containerDefinitions": [
    {
      "name": "your-java-app",
      "image": "your-java-app-image",
      "environment": [
        {
          "name": "DD_APPSEC_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SERVICE",
          "value": "<YOUR_SERVICE_NAME>"
        },
        {
          "name": "DD_ENV",
          "value": "<YOUR_ENVIRONMENT>"
        }
      ],
      "command": [
        "java",
        "-javaagent:/dd-java-agent.jar",
        "-jar",
        "/app.jar"
      ]
    }
  ]
}

    To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false.

      Update your task definition to include the Java agent and App and API Protection configuration with APM tracing disabled:

      {
  "containerDefinitions": [
    {
      "name": "your-java-app",
      "image": "your-java-app-image",
      "command": [
        "java",
        "-javaagent:/dd-java-agent.jar",
        "-Ddd.appsec.enabled=true",
        "-Ddd.apm.tracing.enabled=false",
        "-Ddd.service=<MY_SERVICE>",
        "-Ddd.env=<MY_ENV>",
        "-jar",
        "/app.jar"
      ]
    }
  ]
}

      Update your task definition to include the Java agent and App and API Protection configuration with APM tracing disabled:

      {
  "containerDefinitions": [
    {
      "name": "your-java-app",
      "image": "your-java-app-image",
      "environment": [
        {
          "name": "DD_APPSEC_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_APM_TRACING_ENABLED",
          "value": "false"
        },
        {
          "name": "DD_SERVICE",
          "value": "<YOUR_SERVICE_NAME>"
        },
        {
          "name": "DD_ENV",
          "value": "<YOUR_ENVIRONMENT>"
        }
      ],
      "command": [
        "java",
        "-javaagent:/dd-java-agent.jar",
        "-jar",
        "/app.jar"
      ]
    }
  ]
}

      3. Run your application

      Deploy your Fargate task with the updated configuration:

      aws ecs register-task-definition --cli-input-json file://task-definition.json
aws ecs run-task --cluster your-cluster --task-definition your-task-definition

      4. Verify setup

      To verify that App and API Protection is working correctly:

      1. Send some traffic to your application
      2. Check the Application Signals Explorer in Datadog
      3. Look for security signals and vulnerabilities

      Troubleshooting

      If you encounter issues while setting up App and API Protection for your Java application, see the Java App and API Protection troubleshooting guide.

      Further Reading

      Más enlaces, artículos y documentación útiles:

      How App and API Protection WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more
      PREVIEWING: eliottness/exhaustive-doc