
Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation #29539


Open

wants to merge 16 commits into base: master

Conversation


@misteriaud misteriaud commented May 26, 2025

What does this PR do? What is the motivation?

This PR improves the FIPS Agent documentation and adds specific instructions for the supported installation methods.

Merge instructions

Merge readiness:

  • Ready for merge

For Datadog employees:
Merge queue is enabled in this repo. Your branch name MUST follow the <name>/<description> convention and include the forward slash (/). Without this format, your pull request will not pass in CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.

If your branch doesn't follow this format, rename it or create a new branch and PR.

To have your PR automatically merged after it receives the required reviews, add the following PR comment:

/merge

Additional notes


github-actions bot commented May 28, 2025

📝 Documentation Team Review Required

This pull request requires approval from the @DataDog/documentation team before it can be merged.

Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes.

@misteriaud misteriaud force-pushed the maxime.riaud/update_fips_documentation branch from 13c5575 to 4d03d24 Compare May 28, 2025 12:48
@misteriaud misteriaud marked this pull request as ready for review May 28, 2025 12:49
@misteriaud misteriaud requested a review from a team as a code owner May 28, 2025 12:49
@misteriaud misteriaud changed the title from "update ECS documentation to refer to FIPS Compliance page" to "Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation" May 28, 2025
@drichards-87 drichards-87 added the `editorial review` label (Waiting on a more in-depth review) May 28, 2025
@drichards-87

Created DOCS-11045 for the docs review.


@sgnn7 sgnn7 left a comment


@misteriaud Just a couple of small comments

@@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following:

[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation
{{% /tab %}}

{{% tab "AWS Lambda" %}}
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:
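Review bot: the lead-in "Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:" is repeated verbatim in the AWS Lambda, AWS EKS and AWS ECS tabs and restates the warning alert that already precedes the tabs; either drop it from all three tabs or cut it to a one-line reminder outside the alert so the list that follows is not read as exhaustive. The `[1]:` Microsoft link definition correctly sits inside the Windows tab before its `{{% /tab %}}`; keep that pattern for any link references added in the new AWS tabs, since tab-scoped content needs its link definitions in the same tab.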

The preface "This includes, but is not limited to, the following requirements:" should probably be listed for all tabs and may need a bit of nuance. Maybe something like this (in bold):

The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.


Should this section be removed since the alert note is listed up above?

@@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation.

{{< site-region region="gov" >}}

Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.
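Review bot: the changed sentence widens the automatic telemetry opt-out from "the [Datadog Agent FIPS Proxy][1] is used" to "a [FIPS compliant Agent installation][1] is used", which is a claim about Agent behaviour rather than a wording change; confirm it against the Agent code or changelog before merging. Because the `[1]` label now refers to a different page, update the matching `[1]:` definition inside the same `{{< site-region region="gov" >}}` block so the link still resolves in the gov rendering.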

@misteriaud Can you link where this is the case? I don't remember us explicitly working on this but I could be wrong.


@iadjivon iadjivon left a comment


I see that there are changes made to the Spanish, French, Japanese, and Korean versions of the document as well. This is not needed, as there is a process that translates the English changes. Would you revert these changes? Thanks in advance, and let me know if you have any questions!

@github-actions github-actions bot added the `FAQ` label (Content impacting a FAQ) Jun 24, 2025

@iadjivon iadjivon left a comment


Hi Maxime! 👋🏾
Made some quick notes to the content but overall great! Lmk if you have any questions!


## Prerequisites
<div class="alert alert-warning">
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.

Suggested change
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.
The following prerequisites are a rough guideline of the additional controls required for the compliance of the deployed system. The compliance needs are likely to be unique in most circumstances. It is therefore the customer's responsibility to evaluate their needs and ensure overall system compliance.

@@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following:

[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation
{{% /tab %}}

{{% tab "AWS Lambda" %}}
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:

Should this section be removed since the alert note is listed up above?


## Prerequisites
<div class="alert alert-warning">
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.
</div>
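Review bot: the alert opens with the hedge ("only a rough guideline") and ends with the actionable statement ("it is the customer's responsibility to evaluate their needs and ensure overall system compliance"); lead with the responsibility statement and keep the hedge to one clause so a reader who only skims the box still gets the point. Also leave a blank line after the closing `</div>` before the next markdown element, because a raw HTML block only ends at a blank line and anything placed directly after it would be swallowed into the HTML block instead of rendering as markdown.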


It might be worth it to add a line here, not in the alert div, that reads something like:
The following are general requirements for each OS; your system may require additional controls:

In case the reader glosses over the alert box, seeing that their system may require additional controls may help.

{{% /tab %}}

{{% tab "AWS EKS" %}}
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:

Suggested change
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:

Should this section be removed since the alert note is listed up above?

{{% /tab %}}

{{% tab "AWS ECS" %}}
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:

Suggested change
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:

Should this section be removed since the alert note is listed up above?

```yaml
datadog:
site: "ddog-gov.com"
useFIPSAgent: true
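Review bot: `site` and `useFIPSAgent` must be indented under `datadog:`; written flush-left as shown, the YAML parser gives `datadog:` a null value and turns the two settings into unrelated top-level keys that a `datadog.site` or `datadog.useFIPSAgent` lookup never sees. Suggest:
datadog:
  site: "ddog-gov.com"
  useFIPSAgent: true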

Suggested change
useFIPSAgent: true
useFIPSAgent: true

Is the indentation here correct?

@@ -188,10 +188,132 @@ The `use_https` option is set to `false` because the Agent uses HTTP to communic
{{% /tab %}}

{{% tab "Amazon ECS" %}}
To install the FIPS proxy on Amazon ECS, follow the [Datadog Agent ECS Integrations guide](/containers/amazon_ecs/#fips-proxy-for-govcloud-environments).

Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features][#supported-platforms-and-limitations].
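Review bot: `[supported features][#supported-platforms-and-limitations]` is reference-link syntax with an anchor as the label, so it will not resolve; use `[supported features](#supported-platforms-and-limitations)`. The first sentence's inline link and the later "For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for GOVCLOUD environments][1]" both target `/containers/amazon_ecs/#fips-proxy-for-govcloud-environments`; keep one of the two. The port range 9803–9818 would also be clearer with a sentence on why the full range must be open, since readers may otherwise open only a single port and lose the features served on the others.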

Suggested change
Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features][#supported-platforms-and-limitations].
Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features](#supported-platforms-and-limitations).

For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for GOVCLOUD environments][1].

[1]: /containers/amazon_ecs/#fips-proxy-for-govcloud-environments
You also need to update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy:

Suggested change
You also need to update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy:
You must also update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy:

{{% site-region region="gov" %}}
## FIPS Compliance

Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation.
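Review bot: the `[32]` reference used here has no `[32]:` definition inside the `{{% site-region region="gov" %}}` block; add `[32]: /agent/configuration/fips-compliance/` before the region closes, because link definitions outside a tab or region block are not carried into that block's rendering. Separately, this file opens the shortcode as `{{% site-region region="gov" %}}` while the telemetry paragraph under `@@ -92,7 +92,7 @@` uses `{{< site-region region="gov" >}}`; Hugo renders `{{% %}}` inner content as markdown and passes `{{< >}}` inner content through raw, so align on the form already used for this shortcode elsewhere in the docs.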

Suggested change
Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation.
Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation.
[32]: /agent/configuration/fips-compliance/

Just a quick note that links need to be enclosed within the section when it comes to tabs or region-specific content like this one. Otherwise, the link breaks in the UI.

@@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation.

{{< site-region region="gov" >}}

Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.

Suggested change
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or when a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake.
To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below.

Just a small suggestion here

Labels: `editorial review` (Waiting on a more in-depth review), `FAQ` (Content impacting a FAQ)
4 participants