---
title: "Integrate the AWS Well-Architected Tool with Datadog Cloud Security Misconfigurations"
description: "Develop secure, reliable applications by integrating the Well-Architected Tool with Datadog."
author: "Michael Yamnitsky"
date: 2020-12-16
tags: ["security", "cloud security", "aws", "aws well-architected review tool", "compliance"]
blog_type_id: the-monitor
locale: en
---

Many of our customers rely on the [Amazon Web Services (AWS) Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc) as a guide to build safe, secure, and performant applications in the cloud. AWS offers the [Well-Architected Tool](https://aws.amazon.com/well-architected-tool/) as a centralized way to track and trend adherence to Well-Architected best practices. It allows users to define workloads and answer a set of questions to ensure that they are developing secure, reliable, efficient, and cost-optimized cloud architectures.

Earlier today, [AWS announced a new set of APIs](https://aws.amazon.com/blogs/apn/new-apis-enable-aws-partners-to-scale-well-architected-principles-across-teams-and-systems/) for partners to enhance the Well-Architected Tool experience for customers. We are proud to partner with AWS for this launch, allowing you to easily integrate the AWS Well-Architected Tool with [Datadog Cloud Security Misconfigurations](https://www.datadoghq.com/blog/cloud-security-posture-management.md) and streamline your architectural reviews.

## Implement Well-Architected best practices with Datadog Cloud Security Misconfigurations

Datadog Cloud Security Misconfigurations ships with 200+ [out-of-the-box rules](https://docs.datadoghq.com/security_monitoring/default_rules.md#all) that help you check for misconfigurations in your services that could leave your organization vulnerable to attacks.

![Datadog Cloud Security Misconfigurations collects data from across your cloud environment to give you deep visibility into the posture of your cloud assets.](https://web-assets.dd-static.net/42588/1776291851-aws-well-architected-compliance-monitoring-compliance-diagram-1.png)

Our integration allows users to query Datadog for compliance findings (i.e., rule violations on specific workloads) using a scripting tool. The script takes all workloads defined in the Well-Architected Tool and queries Datadog for misconfigurations in the underlying infrastructure. It then maps these findings back to Well-Architected best practices and populates the query results in the "Notes" section of the Well-Architected Tool.

This allows you to immediately validate adherence to many best practices within the Well-Architected security pillar—including recommendations for managing identities and permissions for people and machines, detecting and investigating security events, and protecting networks, compute resources, and data at rest.

As shown in the example below, if you select the "Audit and rotate keys periodically" recommendation within the "Identity & Access Management" section of the Well-Architected security pillar, Datadog will return the compliance findings for the default rule, "[Ensure access keys are rotated every 90 days or less](https://docs.datadoghq.com/security/default_rules/cis-aws-1.5.0-1.14.md)." This rule is defined by the [Center for Internet Security](https://www.cisecurity.org/) as part of the [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services/). Ninety days is widely considered to be a healthy credential rotation period.

![Datadog's integration returns the compliance findings within the Well-Architected security pillar UI.](https://web-assets.dd-static.net/42588/1776291859-aws-well-architected-compliance-monitoring-aws-well-architected-tool-datadog-compliance-monitoring-war-v2.png)

In this example, no findings were returned. If you have any findings to address, you can use the link to quickly investigate them in Datadog and trigger a remediation workflow.

![Datadog's integration allows you to adhere to best practices within the Well-Architected security pillar by mapping Compliance Monitoring findings to your workloads.](https://web-assets.dd-static.net/42588/1776291863-aws-well-architected-compliance-monitoring-aws-well-architected-tool-compliance-monitoring-detection-rule.png)
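
The 90-day access key rotation rule discussed above can also be checked directly against an IAM credential report. The following Python is an added example, not part of the Datadog rule or the integration script; the report rows are constructed sample data, and `stale_access_keys` and `AS_OF` are hypothetical names.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # threshold from the rule discussed above
AS_OF = datetime(2020, 12, 16, tzinfo=timezone.utc)  # fixed date so results are reproducible

# Constructed sample in the IAM credential report CSV layout (columns trimmed
# to the ones this check reads; a real report has more).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,true,2020-06-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2020-11-20T09:00:00+00:00,true,2020-03-15T09:00:00+00:00
ci-bot,arn:aws:iam::123456789012:user/ci-bot,false,2019-01-01T09:00:00+00:00,false,N/A
"""

def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_days) for each active key past the limit."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active", "").lower() != "true":
                continue  # inactive keys are out of scope for the rotation rule
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            try:
                rotated_at = datetime.fromisoformat(rotated)
            except ValueError:
                # Active key without a parseable date: report it rather than skip it.
                findings.append((row["user"], slot, None))
                continue
            age = (now - rotated_at).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings

if __name__ == "__main__":
    for user, slot, age in stale_access_keys(SAMPLE_REPORT, AS_OF):
        print(f"{user}: access key {slot} last rotated {age} days ago")
```
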

## How to set up the integration

Below is a step-by-step walkthrough of how to set up this integration.

### Prerequisites

- Before using the tool, make sure you've [configured your AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html).
- You'll also need your Datadog [API and application keys](https://docs.datadoghq.com/account_management/api-app-keys.md).
- Python version 3.6+ is supported.

### Quick-start guide

Execute these commands in your virtual environment:

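```bash
# Install the script's dependencies
$ pip install -r requirements.txt
# Export the keys so the Python process inherits them
$ export DD_CLIENT_API_KEY="YOUR API KEY"
$ export DD_CLIENT_APP_KEY="YOUR APPLICATION KEY"
# Run the integration script
$ python3 dd-wellarchitected.py
```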

## Get started

In this post, we have shown how to use this integration to improve your compliance posture and speed up the Well-Architected review process using Datadog Cloud Security Misconfigurations and the AWS Well-Architected Tool. Datadog is also highlighted in the [AWS Well-Architected Management and Governance Lens](https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-lens/management-and-governance-lens.html), which provides prescriptive guidance on key concepts and best practices for optimizing management and governance across AWS environments. This includes recommended combinations of AWS services and integrations with AWS Partner solutions.

Datadog Cloud Security Misconfigurations expands the scope of your security operations and makes it easy to keep up with a rapidly evolving compliance landscape. If you already use Datadog, you can [self-enroll](https://app.datadoghq.com/security/compliance/) in-app or request a trial from your CSM. Otherwise, get started with a 14-day free trial.