Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation #29539
📝 Documentation Team Review Required: This pull request requires approval from the @DataDog/documentation team before it can be merged. Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes.
Created DOCS-11045 for the docs review.
@misteriaud Just a couple of small comments
@@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following: | |||
|
|||
[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation | |||
{{% /tab %}} | |||
|
|||
{{% tab "AWS Lambda" %}} | |||
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
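Review bot: the per-tab preface "Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:" restates the scope caveat that the `alert-warning` block under `## Prerequisites` already carries for every tab, and two wordings of the same caveat will drift apart on the next edit. Suggest either dropping the sentence from each AWS tab or cutting it to a one-line pointer such as "The items below are the baseline for this platform; see the note above for scope." The `[1]` Microsoft link definition placed just before `{{% /tab %}}` is correctly scoped to its tab.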
The preface "This includes, but is not limited to, the following requirements:"
should probably be listed for all tabs and may need a bit of nuance. Maybe something like this (in bold):
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.
Should this section be removed since the alert note is listed up above?
@@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation. | |||
|
|||
{{< site-region region="gov" >}} | |||
|
|||
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. |
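Review bot: the rewritten line asserts that the Agent detects a FIPS-compliant installation and disables telemetry on that basis, which is a stronger behavioural claim than the old proxy-based wording, and the diff gives no pointer to where that detection happens. Before merging, reference the Agent setting, build flag or release note that implements it, or keep the proxy wording if only the proxy case is implemented. The following sentence still says detection is impossible "if a proxy is being used"; make explicit that this means a generic egress proxy so it is not read as contradicting the new sentence, and update the `[1]` definition inside this `site-region` block so that the new link text "FIPS compliant Agent installation" points at the FIPS Agent page rather than the proxy page.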
@misteriaud Can you link where this is the case? I don't remember us explicitly working on this but I could be wrong.
I see that there are changes made to spanish, french, japanese, and korean versions of the document as well. This is not needed as there is a process that translates the English changes. Would you revert these changes? Thanks in advance and let me know if you have any questions!
Hi Maxime! 👋🏾
Made some quick notes to the content but overall great! Lmk if you have any questions!
|
||
## Prerequisites | ||
<div class="alert alert-warning"> | ||
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance. |
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance. | |
The following prerequisites are a rough guideline of the additional controls required for the compliance of the deployed system. The compliance needs are likely to be unique in most circumstances. It is therefore the customer's responsibility to evaluate their needs and ensure overall system compliance. |
@@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following: | |||
|
|||
[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation | |||
{{% /tab %}} | |||
|
|||
{{% tab "AWS Lambda" %}} | |||
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
Should this section be removed since the alert note is listed up above?
|
||
## Prerequisites | ||
<div class="alert alert-warning"> | ||
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance. | ||
</div> | ||
|
It might be worth it to add a line here, not in the alert div, that reads something like:
"The following are general requirements for each OS; your system may require additional controls:"
In case the reader glosses over the alert box, seeing that their system may require additional controls may help.
{{% /tab %}} | ||
|
||
{{% tab "AWS EKS" %}} | ||
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
Should this section be removed since the alert note is listed up above?
{{% /tab %}} | ||
|
||
{{% tab "AWS ECS" %}} | ||
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
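Review bot: the sentence "Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements:" now appears verbatim in the AWS Lambda, AWS EKS and AWS ECS tabs. If the requirement lists beneath it are also shared, keep a single copy (a Hugo partial or shortcode, or one AWS section that each tab points to) so the three tabs cannot drift apart; if the lists differ per service, have the preface name the service it covers so a reader on the ECS tab can tell it is not the Lambda list.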
Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
Should this section be removed since the alert note is listed up above?
```yaml | ||
datadog: | ||
site: "ddog-gov.com" | ||
useFIPSAgent: true |
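Review bot: `useFIPSAgent: true` has to sit at the same indentation as `site`, nested under `datadog:`, so that it sets the chart value `datadog.useFIPSAgent`; as rendered here it reads as a top-level key, and Helm does not reject unknown top-level values unless the chart ships a values schema, so a user copying the snippet would deploy the standard Agent image against `ddog-gov.com` with no error and no FIPS Agent. Suggested lines: `datadog:`, then `  site: "ddog-gov.com"` and `  useFIPSAgent: true` indented two spaces beneath it. It would also help to tell readers how to confirm the result, for example by checking in `helm template` output that the rendered Agent image is the FIPS variant rather than the standard one.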
useFIPSAgent: true | |
useFIPSAgent: true |
Is the indentation here correct?
@@ -188,10 +188,132 @@ The `use_https` option is set to `false` because the Agent uses HTTP to communic | |||
{{% /tab %}} | |||
|
|||
{{% tab "Amazon ECS" %}} | |||
To install the FIPS proxy on Amazon ECS, follow the [Datadog Agent ECS Integrations guide](/containers/amazon_ecs/#fips-proxy-for-govcloud-environments). | |||
|
|||
Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features][#supported-platforms-and-limitations]. |
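Review bot: `[supported features][#supported-platforms-and-limitations]` is a reference-style link whose label `#supported-platforms-and-limitations` has no definition, so Markdown renders the literal brackets instead of a link; use the inline form `[supported features](#supported-platforms-and-limitations)`, as the suggestion on the thread already proposes. Since the port range 9803–9818 is now stated both here and in the linked ECS integration guide, confirm the two match so the `fips-proxy` sidecar does not end up with an incomplete port list in one of them.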
Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features][#supported-platforms-and-limitations]. | |
Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features](#supported-platforms-and-limitations). |
For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for GOVCLOUD environments][1]. | ||
|
||
[1]: /containers/amazon_ecs/#fips-proxy-for-govcloud-environments | ||
You also need to update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy: |
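Review bot: the `[1]` definition for the ECS guide is placed inside the "Amazon ECS" tab, which is the right placement given that tab and region bodies resolve their own link references; note that `[1]` is also defined with different targets elsewhere in this diff (the Microsoft FIPS 140 validation link in the Windows tab, the FIPS Agent page in the gov `site-region` block), so these definitions must stay inside their own tab or region and must not be consolidated at the end of the file, where only one definition per label would take effect. A per-tab label scheme (for example `[ecs-guide]`) or a short source comment would make that intent clear to the next editor.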
You also need to update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy: | |
You must also update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy: |
{{% site-region region="gov" %}} | ||
## FIPS Compliance | ||
|
||
Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation. |
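Review bot: this block opens with `{{% site-region region="gov" %}}` while the other region blocks in this diff use `{{< site-region region="gov" >}}`; in Hugo the `%` form has its inner content rendered as Markdown and the `<` form does not, so the two delimiters are not interchangeable and this one should match whatever the site's `site-region` shortcode expects. As the thread already notes, the `[32]` definition must live inside this block or the link breaks; while editing, "Please take into account the specific setup instructions" can become "Follow the setup instructions", which reads more directly.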
Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation. | |
Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation. | |
[32]: /agent/configuration/fips-compliance/ |
Just a quick note that links need to be enclosed within the section when it comes to tabs or region-specific content like this one. Otherwise, the link breaks in the UI.
@@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation. | |||
|
|||
{{< site-region region="gov" >}} | |||
|
|||
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. |
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |
Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or when a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. | |
To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. |
Just a small suggestion here
What does this PR do? What is the motivation?
This PR improves the FIPS Agent documentation and adds specific instructions for the supported installation methods.
Merge instructions
Merge readiness:
For Datadog employees:
Merge queue is enabled in this repo. Your branch name MUST follow the `<name>/<description>` convention and include the forward slash (`/`). Without this format, your pull request will not pass in CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links. If your branch doesn't follow this format, rename it or create a new branch and PR.
To have your PR automatically merged after it receives the required reviews, add the following PR comment:
Additional notes