Add AWS Lambda/ECS/EKS methods to FIPS Compliance documentation #29539
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
….riaud/update_fips_documentation
📝 Documentation Team Review RequiredThis pull request requires approval from the @DataDog/documentation team before it can be merged. Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes. |
misteriaud
force-pushed
the
maxime.riaud/update_fips_documentation
branch
from
13c5575 to
4d03d24
Compare
misteriaud
changed the title
|
Created DOCS-11045 for the docs review. |
sgnn7
reviewed
May 28, 2025
| @@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following: | |||
|
|
|||
| [1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation | |||
| {{% /tab %}} | |||
|
|
|||
| {{% tab "AWS Lambda" %}} | |||
| Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: | |||
There was a problem hiding this comment.
The preface This includes, but is not limited to, the following requirements: should be probably be listed for all tabs and may need a bit of nuance. Maybe something like this (in bold):
The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance.
There was a problem hiding this comment.
Should this section be removed since the alert note is listed up above?
| @@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation. | |||
|
|
|||
| {{< site-region region="gov" >}} | |||
|
|
|||
| Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
| Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
There was a problem hiding this comment.
@misteriaud Can you link where this is the case? I don't remember us explicitly working on this but I could be wrong.
iadjivon
requested changes
Jun 5, 2025
There was a problem hiding this comment.
I see that there are changes made to spanish, french, japanese, and korean versions of the document as well. This is not needed as there is a process that translates the English changes. Would you revert these changes? Thanks in advance and let me know if you have any questions!
iadjivon
reviewed
Jun 27, 2025
|
|
||
| ## Prerequisites | ||
| <div class="alert alert-warning"> | ||
| The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance. |
There was a problem hiding this comment.
Suggested change
| The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance. | |
| The following prerequisites are a rough guideline of the additional controls required for the compliance of the deployed system. The compliance needs are likely to be unique in most circumstances. It is therefore the customer's responsibility to evaluate their needs and ensure overall system compliance. |
| @@ -65,6 +68,26 @@ The Datadog FIPS Agent does **not** support the following: | |||
|
|
|||
| [1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation | |||
| {{% /tab %}} | |||
|
|
|||
| {{% tab "AWS Lambda" %}} | |||
| Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: | |||
There was a problem hiding this comment.
Should this section be removed since the alert note is listed up above?
|
|
||
| ## Prerequisites | ||
| <div class="alert alert-warning"> | ||
| The following prerequisites are only a rough guideline of the additional controls required for the compliance of the deployed system. Based on the nature of data being processed, the compliance level being targeted, the deployment environments, as well as many other factors, the compliance needs are likely to be unique in most circumstances. Because of this, it is the customer's responsibility to evaluate their needs and ensure overall system compliance. | ||
| </div> | ||
|
|
There was a problem hiding this comment.
It might be worth it to add a line here, not in the alert div, that reads something like:
The following are generally requirement for each OS, your system may require additional controls:
In case the reader gloss over the alert box, seeing that their system may require additional controls may help.
| {{% /tab %}} | ||
|
|
||
| {{% tab "AWS EKS" %}} | ||
| Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
There was a problem hiding this comment.
Suggested change
| Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
Should this section be removed since the alert note is listed up above?
| {{% /tab %}} | ||
|
|
||
| {{% tab "AWS ECS" %}} | ||
| Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
There was a problem hiding this comment.
Suggested change
| Ensure your AWS setup is FIPS compliant. This includes, but is not limited to, the following requirements: |
Should this section be removed since the alert note is listed up above?
| ```yaml | ||
| datadog: | ||
| site: "ddog-gov.com" | ||
| useFIPSAgent: true |
There was a problem hiding this comment.
Suggested change
| useFIPSAgent: true | |
| useFIPSAgent: true |
Is the indentation here correct?
| @@ -188,10 +188,132 @@ The `use_https` option is set to `false` because the Agent uses HTTP to communic | |||
| {{% /tab %}} | |||
|
|
|||
| {{% tab "Amazon ECS" %}} | |||
| To install the FIPS proxy on Amazon ECS, follow the [Datadog Agent ECS Integrations guide](/containers/amazon_ecs/#fips-proxy-for-govcloud-environments). | |||
|
|
|||
| Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features][#supported-platforms-and-limitations]. | |||
There was a problem hiding this comment.
Suggested change
| Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features][#supported-platforms-and-limitations]. | |
| Ensure you add the `fips-proxy` sidecar container to your ECS task definition. Also, open the required container ports (9803–9818) to enable communication for all [supported features](#supported-platforms-and-limitations). |
| For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for GOVCLOUD environments][1]. | ||
|
|
||
| [1]: /containers/amazon_ecs/#fips-proxy-for-govcloud-environments | ||
| You also need to update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy: |
There was a problem hiding this comment.
Suggested change
| You also need to update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy: | |
| You must also update the environment variables of the Datadog Agent's container to enable sending traffic through the FIPS proxy: |
| {{% site-region region="gov" %}} | ||
| ## FIPS Compliance | ||
|
|
||
| Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation. |
There was a problem hiding this comment.
Suggested change
| Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation. | |
| Some setup steps are different for FIPS compliance. Please take into account the specific setup instructions in the [FIPS Compliance][32] documentation. | |
| [32]: /agent/configuration/fips-compliance/ |
Just a quick note that links need to be enclosed within the section when it comes to tabs or region-specific content like this one. Otherwise, the link brinks in the UI.
| @@ -92,7 +92,7 @@ For more information, see the [Secrets Management][14] documentation. | |||
|
|
|||
| {{< site-region region="gov" >}} | |||
|
|
|||
| Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or the [Datadog Agent FIPS Proxy][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
| Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |||
There was a problem hiding this comment.
Suggested change
| Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. | |
| Agent on non-government sites collects environmental, performance, and feature usage information about the Datadog Agent. When the Agent detects a government site, or when a [FIPS compliant Agent installation][1] is used, the Agent automatically disables this telemetry collection. When such detection is impossible (for example, if a proxy is being used), Agent telemetry is emitted, but immediately dropped at Datadog's intake. | |
| To avoid this data from being emitted in the first place, Datadog recommends disabling Agent telemetry explicitly by updating the `agent_telemetry` setting in the Agent configuration file, as shown in the example below. |
Just a small suggestion here
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do? What is the motivation?
This PR improves the FIPS Agent documentation and adds specific instructions for the supported installation methods.
Merge instructions
Merge readiness:
For Datadog employees:
Merge queue is enabled in this repo. Your branch name MUST follow the
<name>/<description>convention and include the forward slash (/). Without this format, your pull request will not pass in CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.If your branch doesn't follow this format, rename it or create a new branch and PR.
To have your PR automatically merged after it receives the required reviews, add the following PR comment:
Additional notes