Setup App and API Protection for Java on AWS Fargate

This product is not supported for your selected Datadog site. ().
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

For faster setup with automatic instrumentation, consider using Single Step APM Instrumentation, which automatically installs the Datadog SDK with no additional configuration required. See Single Step APM Instrumentation for setup instructions.

Once SSI is set up, you can enable App and API Protection by going to your APM service in the Datadog app → Service Configuration section → Enable Application Security Monitoring.

Overview

Datadog Application Security Management (ASM) provides App and API Protection (AAP) capabilities including:

  • Application Security Monitoring: Real-time threat detection and protection against attacks like SQL injection, XSS, and more
  • Software Composition Analysis (SCA): Identification of vulnerable dependencies in your codebase
  • Interactive Application Security Testing (IAST): Runtime vulnerability detection during testing

ASM works by leveraging the Datadog Java tracing library to monitor HTTP requests, analyze patterns, and detect security threats in real-time. The library integrates seamlessly with your existing application without requiring code changes.

For detailed compatibility information, including supported Java versions, frameworks, and deployment environments, see Single Step Instrumentation Compatibility.

This guide explains how to set up App and API Protection (AAP) for Java applications running on AWS Fargate. The setup involves:

  1. Installing the Datadog Agent
  2. Configuring your Java application
  3. Enabling AAP monitoring

Prerequisites

  • AWS Fargate environment
  • Java application containerized with Docker
  • AWS CLI configured with appropriate permissions
  • Datadog Agent installed

Setup

1. Install the Datadog Agent

Install the Datadog Agent in your Fargate task definition:

{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "image": "public.ecr.aws/datadog/agent:latest",
      "environment": [
        {
          "name": "DD_API_KEY",
          "value": "<YOUR_API_KEY>"
        },
        {
          "name": "DD_APM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_APM_NON_LOCAL_TRAFFIC",
          "value": "true"
        }
      ]
    }
  ]
}

Library setup

To enable AAP capabilities, you need the Datadog Java tracing library (version 0.94.0 or higher) installed in your application environment.

Download the library

Add the following to your application’s Dockerfile:

ADD 'https://dtdg.co/latest-java-tracer' /dd-java-agent.jar

Verify compatibility

To check that your service’s language and framework versions are supported for AAP capabilities, see Single Step Instrumentation Compatibility.

Service configuration

Standalone billing alternative

If you want to use Application Security Management without APM tracing functionality, you can deploy with Standalone App and API Protection. This configuration reduces the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

To enable standalone mode:

  1. Set DD_APM_TRACING_ENABLED=false environment variable
  2. Keep DD_APPSEC_ENABLED=true environment variable
  3. This configuration will minimize APM data while maintaining full security monitoring capabilities

Enabling AAP

Run your application with AAP enabled

Update your task definition to include the Java agent and AAP configuration:

{
  "containerDefinitions": [
    {
      "name": "your-java-app",
      "image": "your-java-app-image",
      "environment": [
        {
          "name": "DD_APPSEC_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SERVICE",
          "value": "<YOUR_SERVICE_NAME>"
        },
        {
          "name": "DD_ENV",
          "value": "<YOUR_ENVIRONMENT>"
        }
      ],
      "command": [
        "java",
        "-javaagent:/dd-java-agent.jar",
        "-jar",
        "/app.jar"
      ]
    }
  ]
}

Important considerations:

  • File system requirements: Read-only file systems are not currently supported. The application must have access to a writable /tmp directory.
  • Service identification: Always specify DD_SERVICE (or -Ddd.service) and DD_ENV (or -Ddd.env) for proper service identification in Datadog.

Verify setup

To verify that AAP is working correctly:

  1. Send some traffic to your application
  2. Check the Application Signals Explorer in Datadog
  3. Look for security signals and vulnerabilities

Troubleshooting

If you encounter issues while setting up App and API Protection for your Java application, see the Java App and API Protection troubleshooting guide.

Further Reading

Más enlaces, artículos y documentación útiles:

How App and API Protection WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more
PREVIEWING: sezen.leblay/aap-setup-page-java