Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation #29539
….riaud/update_fips_documentation
📝 Documentation Team Review Required

This pull request requires approval from the @DataDog/documentation team before it can be merged. Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes.
13c5575 to 4d03d24
Created DOCS-11045 for the docs review.
@misteriaud Just a couple of small comments
@@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following: | |||
|
|||
[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation | |||
{{% /tab %}} | |||
|
|||
{{% tab "AWS Lambda" %}} | |||
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
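Review bot: On the added line under the "AWS Lambda" tab, "Ensure your AWS setup is FIPS compliant" does not tell the reader which parts of the AWS setup are meant, and "includes, but is not limited to" makes the list it introduces explicitly incomplete without saying where the remaining requirements are defined. Suggest scoping the sentence to the controls this page actually lists and stating that compliance of the rest of the AWS environment has to be assessed separately, so the list is not read as sufficient on its own.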
The preface `This includes, but is not limited to, the following requirements:` should probably be listed for all tabs and may need a bit of nuance. Maybe something like this (in bold):
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.
@@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation. | |||
|
|||
{{< site-region region="gov" >}} | |||
|
|||
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. |
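Review bot: On the changed sentence, the link text moves from "Datadog Agent FIPS Proxy" to "FIPS compliant Agent installation" but still resolves through reference `[1]`, whose definition is not part of this hunk; if `[1]` still targets the FIPS Proxy page, the new text links to the wrong document. Confirm the reference definition is updated in the same change. The edit also turns a statement about the FIPS Proxy into a statement that any FIPS compliant Agent installation disables telemetry automatically, so the wording should only be kept if that behaviour holds; readers in regulated environments will rely on it when deciding whether to set `agent_telemetry` explicitly.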
@misteriaud Can you link where this is the case? I don't remember us explicitly working on this but I could be wrong.
I see that there are changes made to the Spanish, French, Japanese, and Korean versions of the document as well. This is not needed as there is a process that translates the English changes. Would you revert these changes? Thanks in advance and let me know if you have any questions!
- Communication between Cluster Agent and Node Agents | ||
- Outbound communication to anything other than GovCloud | ||
- Datadog DDOT Collector[1] |
- Datadog DDOT Collector[1] | |
- Datadog [DDOT Collector][1] |
What does this PR do? What is the motivation?
This PR improves the FIPS Agent documentation and adds specific instructions for the supported installation methods.
Merge instructions
Merge readiness:
For Datadog employees:
Merge queue is enabled in this repo. Your branch name MUST follow the `<name>/<description>` convention and include the forward slash (`/`). Without this format, your pull request will not pass in CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links. If your branch doesn't follow this format, rename it or create a new branch and PR.
To have your PR automatically merged after it receives the required reviews, add the following PR comment:
Additional notes