Integrate Datadog Compliance Monitoring With Your AWS Well-Architected Workloads | Datadog

Integrate Datadog Compliance Monitoring with your AWS Well-Architected workloads

Author: Michael Yamnitsky

Published: December 16, 2020

Many of our customers rely on the Amazon Web Services (AWS) Well-Architected Framework as a guide to build safe, secure, and performant applications in the cloud. AWS offers the Well-Architected Review (WAR) Tool as a centralized way to track and trend adherence to Well-Architected best practices. It allows users to define workloads and answer a set of questions to ensure that they are developing secure, reliable, efficient, and cost-optimized cloud architectures.

Earlier today, AWS announced a new set of APIs for partners to enhance the WAR Tool experience for customers. We are proud to partner with AWS for this launch, allowing you to easily integrate the AWS WAR Tool with Datadog Compliance Monitoring and streamline your architectural reviews.

Implement Well-Architected best practices with Compliance Monitoring

Datadog Compliance Monitoring is a new offering in beta within the Datadog security platform. It ships with 200+ out-of-the-box rules that help you check for misconfigurations in your services that could leave your organization vulnerable to attacks.

Compliance Monitoring collects configuration data from across your cloud environment to give you deep visibility into the security posture of your cloud assets.

Our integration allows users to query Datadog for compliance findings (i.e., rule violations on specific workloads) using a scripting tool that we give to customers enrolled in the Compliance Monitoring beta. The script takes all workloads defined in the WAR Tool and queries Datadog for misconfigurations in the underlying infrastructure. It then maps these findings back to Well-Architected best practices and populates the query results in the “Notes” section of the WAR Tool.

This allows you to immediately validate adherence to many best practices within the Well-Architected security pillar—including recommendations for managing identities and permissions for people and machines, detecting and investigating security events, and protecting networks, compute resources, and data at rest.

As shown in the example below, if you select the “Audit and rotate keys periodically” recommendation within the “Identity & Access Management” section of the Well-Architected security pillar, Datadog will return the compliance findings for the default rule, “Ensure access keys are rotated every 90 days or less.” This rule is defined by the Center for Internet Security as part of the CIS AWS Foundations Benchmark. Ninety days is widely considered to be a healthy credential rotation period.

Datadog's integration returns the compliance findings within the Well-Architected security pillar UI.

In this example, no findings were returned. If you have any findings to address, you can use the link to quickly investigate them in Datadog and trigger a remediation workflow.
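The mapping step of the script described above, as an added illustration that is not Datadog's scripting tool: it takes per-resource compliance findings (constructed sample data), rolls them up under the Well-Architected question and best practice each rule supports, and renders one note per question, including the "no findings" case shown above. Rule ids, question ids, the account id and the ARNs are placeholders, and the note length cap is an assumption.

```python
from collections import defaultdict
# Constructed sample findings, one record per evaluated resource. Rule ids,
# account id and ARNs are placeholders, not real Datadog or AWS identifiers.
FINDINGS = [
    {"rule_id": "cis-1.4", "rule_name": "Ensure access keys are rotated every 90 days or less",
     "resource": "arn:aws:iam::111122223333:user/alice", "status": "pass"},
    {"rule_id": "cis-1.4", "rule_name": "Ensure access keys are rotated every 90 days or less",
     "resource": "arn:aws:iam::111122223333:user/bob", "status": "fail"},
    {"rule_id": "cis-2.9", "rule_name": "Ensure VPC flow logging is enabled in all VPCs",
     "resource": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0abc", "status": "pass"},
    {"rule_id": "cis-4.3", "rule_name": "Ensure the default security group restricts all traffic",
     "resource": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0def", "status": "skip"},
]

# Hypothetical mapping from a compliance rule to the Well-Architected question
# (placeholder id) and best practice it gives evidence for.
RULE_TO_PRACTICE = {
    "cis-1.4": ("sec-identities", "Audit and rotate keys periodically"),
    "cis-2.9": ("sec-detect", "Configure service and application logging"),
    "cis-4.3": ("sec-network", "Control traffic at all layers"),
}

def summarize(findings, mapping):
    """Group findings by question, practice and rule, counting pass/fail and keeping
    failing resources. Unmapped rules and non pass/fail statuses are ignored."""
    summary = defaultdict(lambda: defaultdict(dict))
    for f in findings:
        if f["rule_id"] not in mapping or f["status"] not in ("pass", "fail"):
            continue
        question, practice = mapping[f["rule_id"]]
        entry = summary[question][practice].setdefault(f["rule_name"], {"pass": 0, "fail": 0, "failing": []})
        entry[f["status"]] += 1
        if f["status"] == "fail":
            entry["failing"].append(f["resource"])
    return summary

def render_notes(summary, max_len=2000):
    """Build one note per question for the Notes field of its answer. max_len is an
    assumed cap: the field has a length limit, so overlong notes are truncated."""
    notes = {}
    for question, practices in summary.items():
        lines = []
        for practice, rules in practices.items():
            for rule, c in rules.items():
                verdict = "no findings" if c["fail"] == 0 else f"{c['fail']} failing"
                lines.append(f"[{practice}] {rule}: {verdict} ({c['pass']} pass, {c['fail']} fail)")
                lines.extend(f"  - {r}" for r in c["failing"])
        text = "\n".join(lines)
        notes[question] = text if len(text) <= max_len else text[:max_len - 3] + "..."
    return notes
```

A question whose mapped rules returned only skipped resources (sec-network here) gets no note at all, so an empty Notes field means "not evaluated" rather than "compliant".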

Datadog's integration allows you to adhere to best practices within the Well-Architected security pillar by mapping Compliance Monitoring findings to your workloads.

How to set up the integration

Below is a step-by-step walkthrough of how to set up this integration. If you are a Datadog customer who does not already have access to the Compliance Monitoring beta, you can request access here. Once you have access to the beta, email your customer success manager or sales engineer for access to the scripting tool.

Prerequisites

Quick-start guide

Execute these commands in your virtual environment. The two keys must be exported, not merely assigned, so that the Python process inherits them from its environment:

$ pip install -r requirements.txt
$ export DD_CLIENT_API_KEY="YOUR API KEY"
$ export DD_CLIENT_APP_KEY="YOUR APPLICATION KEY"
$ python3 dd-wellarchitected.py

Get started

In this post, we have shown how to use this integration to improve your compliance posture and speed up the Well-Architected review process using Datadog and the AWS WAR Tool.

Datadog Compliance Monitoring expands the scope of your security operations and makes it easy to keep up with a rapidly evolving compliance landscape. If you already use Datadog, you can request to join the Compliance Monitoring beta now. If you already have access to the beta, email your customer success manager or sales engineer for access to the scripting tool.

Otherwise, get started with a 14-day .