Datadog Security provides multiple layers of visibility for AWS Fargate. Use the products in combination with one another to gain full stack coverage, as shown in the following tables:
Fargate assets
Asset
Observability
Vulnerabilities and Misconfiguration Remediation
Threat Detection and Response
Fargate Application
Application Performance Monitoring
Software Composition Analysis (SCA) and Code Security
ASM - Threat Detection and Protection
Fargate Infrastructure
Infrastructure Monitoring
Not yet supported
CSM Threats
Fargate-related resources
Asset
Observability
Vulnerabilities and Misconfiguration Remediation
Threat Detection and Response
AWS IAM roles and policies
Log Management
Cloud Security Management
Cloud SIEM
AWS databases
Log Management
Cloud Security Management
Cloud SIEM
AWS S3 buckets
Log Management
Cloud Security Management
Cloud SIEM
Cloud Security Management
Prerequisites
The Datadog AWS integration is installed and configured for your AWS accounts
Access to AWS Management Console
AWS Fargate ECS or EKS workloads
For additional performance and reliability insights, Datadog recommends enabling Infrastructure Monitoring with Cloud Security Management.
On the left menu, select Task Definitions, and then select Create new Task Definition with JSON. Alternatively, choose an existing Fargate task definition.
To create a new task definition, use the JSON definition, or the AWS CLI method.
To collect data from your AWS Fargate pods, you must run the Agent as a sidecar of your application pod and set up Role-Based Access Control (RBAC) rules.
If the Agent is running as a sidecar, it can only communicate with containers on the same pod. Run an Agent for every pod you wish to monitor.
The following manifest represents the minimum configuration required to deploy your application with the Datadog Agent as a sidecar with CSM Threats enabled:
When you enable CSM on AWS Fargate ECS or EKS, the Agent sends a log to Datadog to confirm that the default ruleset has been successfully deployed. To view the log, navigate to the Logs page in Datadog and search for @agent.rule_id:ruleset_loaded.
You can also verify the Agent is sending events to CSM by manually triggering an AWS Fargate security signal.
In the task definition, replace the “workload” container with the following:
"name": "cws-signal-test","image": "ubuntu:latest","entryPoint": ["/cws-instrumentation-volume/cws-instrumentation","trace","--verbose","--","/usr/bin/bash","-c","apt update;apt install -y curl; while true; do curl https://google.com; sleep 5; done"],
Application Security
Prerequisites
The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment
Datadog APM is configured for your application or service
For additional performance and reliability insights, Datadog recommends enabling Application Performance Monitoring with Application Security Management.