Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation #29539

Open: misteriaud wants to merge 8 commits into base: master

@misteriaud misteriaud commented May 26, 2025

What does this PR do? What is the motivation?

This PR improves the FIPS Agent documentation and adds specific instructions for the supported installation methods.

Merge instructions

Merge readiness:

  • Ready for merge

For Datadog employees:
Merge queue is enabled in this repo. Your branch name MUST follow the <name>/<description> convention and include the forward slash (/). Without this format, your pull request will not pass in CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.

If your branch doesn't follow this format, rename it or create a new branch and PR.

To have your PR automatically merged after it receives the required reviews, add the following PR comment:

/merge

Additional notes

github-actions bot commented May 28, 2025

📝 Documentation Team Review Required

This pull request requires approval from the @DataDog/documentation team before it can be merged.

Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes.

@misteriaud misteriaud force-pushed the maxime.riaud/update_fips_documentation branch from 13c5575 to 4d03d24 Compare May 28, 2025 12:48
@misteriaud misteriaud marked this pull request as ready for review May 28, 2025 12:49
@misteriaud misteriaud requested a review from a team as a code owner May 28, 2025 12:49
@misteriaud misteriaud changed the title update ECS documentation to refer to FIPS Compliance page Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation May 28, 2025
@drichards-87 drichards-87 added the editorial review Waiting on a more in-depth review label May 28, 2025
@drichards-87

Created DOCS-11045 for the docs review.

@sgnn7 sgnn7 left a comment

@misteriaud Just a couple of small comments

@@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following:

[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation
{{% /tab %}}

{{% tab "AWS Lambda" %}}
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:
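
Review bot: In the new `AWS Lambda` tab, the opening line "Ensure your AWS setup is FIPS compliant" gives no reference for what that requires on AWS, while the preceding tab closes with a `[1]:` link to Microsoft's FIPS 140 validation page. Consider adding an equivalent reference link inside this tab so readers can check the listed requirements against a primary source.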

The preface `This includes, but is not limited to, the following requirements:` should probably be listed for all tabs and may need a bit of nuance. Maybe something like this (in bold):

The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.

@@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation.

{{< site-region region="gov" >}}

Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.
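
Review bot: The rewritten sentence keeps the reference label `[1]` while changing the link text from "Datadog Agent FIPS Proxy" to "FIPS compliant Agent installation", and the `[1]:` definition is not part of this hunk. Check that the definition now points at the FIPS compliance page rather than the FIPS Proxy page. The sentence also now says telemetry is disabled automatically for a FIPS compliant Agent installation, while the next sentence still describes cases where detection is impossible; it would help to say how such an installation is detected, or to lead with the recommendation to set `agent_telemetry` explicitly.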

@misteriaud Can you link where this is the case? I don't remember us explicitly working on this but I could be wrong.

@iadjivon iadjivon left a comment

I see that there are changes made to the Spanish, French, Japanese, and Korean versions of the document as well. This is not needed as there is a process that translates the English changes. Would you revert these changes? Thanks in advance and let me know if you have any questions!

- Communication between Cluster Agent and Node Agents
- Outbound communication to anything other than GovCloud
- Datadog DDOT Collector[1]

Suggested change
- Datadog DDOT Collector[1]
- Datadog [DDOT Collector][1]
