Enabling App and API Protection for AWS Lambda
Configuring AAP for AWS Lambda involves:
- Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on the Security tab of your Software Catalog.
- Setting up AAP instrumentation by using either the Datadog CLI, AWS CDK, Datadog Serverless Framework plugin, or manually by using the Datadog tracing layers.
- Triggering security signals in your application and seeing how Datadog displays the resulting information.
Prerequisites
- Serverless APM Tracing is set up on the Lambda function to send traces directly to Datadog. X-Ray tracing by itself is not sufficient for AAP; APM Tracing must be enabled.
Compatibility
Note: Threat Protection through Remote Configuration is not supported. Use Workflows to block IPs in your WAF.
| Type | Threat Detection |
|---|---|
| Java | |
| .NET | |
| Node | |
| Python | |
| Ruby | |
| PHP | |
| Go | |
Supported trigger types
Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as:
- Application Load Balancer (ALB)
- API Gateway v1 (Rest API)
- API Gateway v2 (HTTP API)
- Function URL
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
- Node.js
  - If you are bundling using webpack or esbuild, follow the specific bundler instructions.
- Java
  - To fully instrument your serverless application with distributed tracing, your Java Lambda functions must use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`) or Java 17 (`java17`) runtimes with at least 1024MB of memory.
  - If you use the Datadog Lambda layers `dd-trace-java:4` (or older) and `Datadog-Extension:24` (or older), follow the instructions in Upgrade Instrumentation for Java Lambda Functions.
Get started
The Datadog Serverless Framework plugin can be used to automatically configure and deploy your Lambda function with AAP.
To install and configure the Datadog Serverless Framework plugin:
Install the Datadog Serverless Framework plugin:
```shell
serverless plugin install --name serverless-plugin-datadog
```
Enable AAP by updating your `serverless.yml` with the `enableASM` configuration parameter:
```yaml
custom:
  datadog:
    enableASM: true
```
Overall, your new `serverless.yml` file should contain at least:
```yaml
custom:
  datadog:
    apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey
    enableDDTracing: true
    enableASM: true
```
See also the complete list of plugin parameters to further configure your Lambda settings.
Redeploy the function and invoke it. After a few minutes, it appears in AAP views.
The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog’s serverless monitoring.
If you are configuring initial tracing for your functions, perform the following steps:
Install the Datadog CLI client:
```shell
npm install -g @datadog/datadog-ci
```
If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation; for a quick start you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment.
```shell
datadog-ci lambda instrument -i --appsec
```
Configure the AWS credentials:
Datadog CLI requires access to the AWS Lambda service and depends on the AWS JavaScript SDK to resolve the credentials. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI.
Configure the Datadog site:
```shell
export DATADOG_SITE="<DATADOG_SITE>"
```
Replace `<DATADOG_SITE>` with your Datadog site (ensure the correct Datadog site is selected on the right-hand side of this page).
Configure the Datadog API key:
Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required `secretsmanager:GetSecretValue` IAM permission.
```shell
export DATADOG_API_KEY_SECRET_ARN="<DATADOG_API_KEY_SECRET_ARN>"
```
For testing purposes, you can also set the Datadog API key in plaintext:
```shell
export DATADOG_API_KEY="<DATADOG_API_KEY>"
```
Instrument your Lambda functions:
To instrument your Lambda functions, run the following command.
```shell
datadog-ci lambda instrument --appsec -f <functionname> -f <another_functionname> -r <aws_region> -v 109 -e 78
```
To fill in the placeholders:
- Replace `<functionname>` and `<another_functionname>` with your Lambda function names.
- Alternatively, you can use `--functions-regex` to automatically instrument multiple functions whose names match the given regular expression.
- Replace `<aws_region>` with the AWS region name.
Note: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run `uninstrument` with the same arguments to revert the changes.
Additional parameters can be found in the CLI documentation.
The Datadog CDK Construct automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.
Install the Datadog CDK constructs library:
```shell
# For AWS CDK v1
pip install datadog-cdk-constructs
# For AWS CDK v2
pip install datadog-cdk-constructs-v2
```
Instrument your Lambda functions:
```python
# For AWS CDK v1
from datadog_cdk_constructs import Datadog
# NOT SUPPORTED IN V1
```
```python
# For AWS CDK v2
from datadog_cdk_constructs_v2 import Datadog

datadog = Datadog(self, "Datadog",
    python_layer_version=109,
    extension_layer_version=78,
    site="<DATADOG_SITE>",
    api_key_secret_arn="<DATADOG_API_KEY_SECRET_ARN>",  # or api_key
    enable_asm=True,
)
datadog.add_lambda_functions([<LAMBDA_FUNCTIONS>])
```
To fill in the placeholders:
- Replace `<DATADOG_SITE>` with your Datadog site (ensure the correct SITE is selected on the right).
- Replace `<DATADOG_API_KEY_SECRET_ARN>` with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The `secretsmanager:GetSecretValue` permission is required. For quick testing, you can use `apiKey` instead and set the Datadog API key in plaintext.
More information and additional parameters can be found on the Datadog CDK documentation.
- Install the Datadog tracer:
Python:
```
# Use this format for x86-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:109
# Use this format for arm64-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:109
# Use this format for x86-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:109
# Use this format for arm64-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:72
```
Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38` and `Python39`.
Node:
```
# Use this format for AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:125
# Use this format for AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:125
```
Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`. The available `RUNTIME` options are `Node18-x`, `Node20-x`, `Node22-x`.
Java: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`:
```
# In AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-java:21
# In AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:21
```
Go: The Go tracer doesn’t rely on a layer and is a regular Go module. You can upgrade to its latest version with:
```shell
go get -u github.com/DataDog/datadog-lambda-go
```
.NET: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`:
```
# x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-dotnet:20
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-dotnet-ARM:20
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet:20
# arm64-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet-ARM:20
```
- Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`:
```
# x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:78
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:78
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:78
# arm64-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:78
```
- Install the Datadog tracer:
Python:
```
# Use this format for x86-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:109
# Use this format for arm64-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:109
# Use this format for x86-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:109
# Use this format for arm64-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:109
```
Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python38`, `Python39`, `Python310`, `Python311`, `Python312`, `Python313`.
Node:
```
# Use this format for AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:125
# Use this format for AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:125
```
Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`. The available `RUNTIME` options are `Node18-x`, `Node20-x`, `Node22-x`.
Java: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`:
```
# In AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-java:21
# In AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:21
```
Go: The Go tracer doesn’t rely on a layer and is a regular Go module. You can upgrade to its latest version with:
```shell
go get -u github.com/DataDog/datadog-lambda-go
```
.NET: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`:
```
# x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-dotnet:20
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-dotnet-ARM:20
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet:20
# arm64-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet-ARM:20
```
- Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`:
```
# x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:Datadog-Extension:78
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:Datadog-Extension-ARM:78
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:78
# arm64-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:78
```
Enable AAP by adding the following environment variables on your function deployment:
```yaml
environment:
  AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper
  DD_SERVERLESS_APPSEC_ENABLED: true
```
For Node and Python functions only, double-check that the function’s handler is set correctly:
- Node: Set your function’s handler to `/opt/nodejs/node_modules/datadog-lambda-js/handler.handler`. Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`.
- Python: Set your function’s handler to `datadog_lambda.handler.handler`. Also, set the environment variable `DD_LAMBDA_HANDLER` to your original handler, for example, `myfunc.handler`.
Redeploy the function and invoke it. After a few minutes, it appears in AAP views.
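As an added check (not part of the Datadog documentation or its tooling), the function below inspects a Lambda function configuration in the shape returned by boto3's `get_function_configuration` and reports which of the manual steps above are missing: the Datadog-Extension layer, a tracer layer matching the runtime, the two environment variables, and, for Node and Python, the handler redirection. The layer name patterns are assumptions derived from the ARN formats listed above, and both sample configurations are constructed.

```python
import re
# Layer name patterns follow the ARN formats listed above (assumed, not from Datadog).
EXTENSION = r":layer:Datadog-Extension(-ARM)?:\d+$"
TRACERS = {  # one pattern per layer-based runtime family
    "python": r":layer:Datadog-Python\d+(-ARM)?:\d+$",
    "nodejs": r":layer:Datadog-Node\d+-x:\d+$",
    "java": r":layer:dd-trace-java:\d+$",
    "dotnet": r":layer:dd-trace-dotnet(-ARM)?:\d+$",
}
WRAPPED_HANDLER = {  # handler redirection is required for Node and Python only
    "python": "datadog_lambda.handler.handler",
    "nodejs": "/opt/nodejs/node_modules/datadog-lambda-js/handler.handler",
}

def check_aap_config(cfg: dict) -> list[str]:
    """Return the problems found; an empty list means the manual AAP setup is complete."""
    problems, runtime = [], cfg.get("Runtime", "")
    layers = [layer.get("Arn", "") for layer in cfg.get("Layers", [])]
    env = cfg.get("Environment", {}).get("Variables", {})
    family = next((f for f in TRACERS if runtime.startswith(f)), None)
    if not any(re.search(EXTENSION, arn) for arn in layers):
        problems.append("Datadog-Extension layer is not attached")
    # Go (provided.* runtimes) uses the datadog-lambda-go module, not a layer.
    if family is None and not runtime.startswith("provided"):
        problems.append(f"no tracer layer rule for runtime {runtime!r}")
    elif family and not any(re.search(TRACERS[family], arn) for arn in layers):
        problems.append(f"Datadog {family} tracer layer is not attached")
    if env.get("AWS_LAMBDA_EXEC_WRAPPER") != "/opt/datadog_wrapper":
        problems.append("AWS_LAMBDA_EXEC_WRAPPER must be /opt/datadog_wrapper")
    if env.get("DD_SERVERLESS_APPSEC_ENABLED", "").lower() != "true":
        problems.append("DD_SERVERLESS_APPSEC_ENABLED must be true")
    if family in WRAPPED_HANDLER:
        if cfg.get("Handler") != WRAPPED_HANDLER[family]:
            problems.append(f"Handler must be {WRAPPED_HANDLER[family]}")
        if not env.get("DD_LAMBDA_HANDLER"):
            problems.append("DD_LAMBDA_HANDLER must name the original handler")
    return problems

# Constructed sample in the shape of boto3's get_function_configuration response.
SAMPLE_OK = {
    "Runtime": "python3.11", "Handler": "datadog_lambda.handler.handler",
    "Layers": [
        {"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Python311:109"},
        {"Arn": "arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension:78"},
    ],
    "Environment": {"Variables": {"AWS_LAMBDA_EXEC_WRAPPER": "/opt/datadog_wrapper",
        "DD_SERVERLESS_APPSEC_ENABLED": "true", "DD_LAMBDA_HANDLER": "myfunc.handler"}},
}
# Same function with only the tracer layer attached: every other check fails.
SAMPLE_MISSING = {"Runtime": "python3.11", "Handler": "myfunc.handler",
                  "Layers": SAMPLE_OK["Layers"][:1], "Environment": {"Variables": {}}}
```

Run it against the live configuration by passing the dict returned by `boto3.client("lambda").get_function_configuration(FunctionName=...)`; a non-empty list is the reason a function does not show up in the AAP views.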
Further reading
Additional helpful documentation, links, and articles: