| 1 | +--- |
| 2 | +title: AWS Lambda FIPS Compliance |
| 3 | +further_reading: |
| 4 | +- link: '/serverless/aws_lambda/installation/' |
| 5 | + tag: 'Documentation' |
| 6 | + text: 'Install Serverless Monitoring for AWS Lambda' |
| 7 | +- link: '/serverless/aws_lambda/configuration/' |
| 8 | + tag: 'Documentation' |
| 9 | + text: 'Configure Serverless Monitoring for AWS Lambda' |
| 10 | +algolia: |
| 11 | + rank: 80 |
| 12 | + tags: ["fips", "compliance", "fedramp", "govcloud", "aws lambda"] |
| 13 | +--- |
| 14 | + |
| 15 | +{{< site-region region="us,us3,us5,eu,ap1" >}} |
| 16 | +<div class="alert alert-warning">The FIPS-compliant Datadog Lambda extension is available all AWS regions but should only be used for sending data to the US1-FED region.</div> |
| 17 | +{{< /site-region >}} |
| 18 | + |
| 19 | +Datadog provides FIPS-compliant monitoring for AWS Lambda functions through the use of FIPS-certified cryptographic modules and specially designed Lambda extension layers. |
| 20 | + |
| 21 | +## FIPS-Compliant Components |
| 22 | + |
| 23 | +Datadog's FIPS compliance for AWS Lambda is implemented through two main components: |
| 24 | + |
| 25 | +1. **FIPS-Compliant Lambda Extension**: |
| 26 | + - The "compatibility" version of the extension is a Go binary built using the [BoringCrypto FIPS-certified module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407). |
| 27 | + - The "optimized" version of the extension is a Rust binary built with the [AWS-LC FIPS-certified cryptographic module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816). |
| 28 | + |
| 29 | +2. **Runtime Libraries Support**: |
| 30 | + - The Python and JavaScript Datadog Lambda Layers, and the Go Datadog Lambda Library offer FIPS-compliant operation controlled by the `DD_LAMBDA_FIPS_MODE` environment variable. |
| 31 | + - When FIPS mode is enabled, the runtime libraries use AWS FIPS endpoints for Datadog API key retrieval and disable direct metric submission to Datadog. |
| 32 | + |
| 33 | +## FIPS Extension Layers |
| 34 | + |
| 35 | +Datadog provides separate Lambda extension layers for FIPS compliance in both x86 and ARM architectures: |
| 36 | + |
| 37 | +{{< tabs >}} |
| 38 | +{{% tab "AWS GovCloud Regions" %}} |
| 39 | + |
| 40 | +``` |
| 41 | +# For x86-based Lambda deployed in AWS GovCloud regions |
| 42 | +arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}} |
| 43 | +
|
| 44 | +# For arm64-based Lambda deployed in AWS GovCloud regions |
| 45 | +arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}} |
| 46 | +``` |
| 47 | + |
| 48 | +Replace `<AWS_REGION>` with a valid AWS GovCloud region such as `us-gov-west-1`. |
| 49 | + |
| 50 | +{{% /tab %}} |
| 51 | +{{% tab "AWS Commercial Regions" %}} |
| 52 | + |
| 53 | +``` |
| 54 | +# For x86-based Lambda deployed in AWS commercial regions |
| 55 | +arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}} |
| 56 | +
|
| 57 | +# For arm64-based Lambda deployed in AWS commercial regions |
| 58 | +arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}} |
| 59 | +``` |
| 60 | + |
| 61 | +Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`. |
| 62 | + |
| 63 | +{{% /tab %}} |
| 64 | +{{< /tabs >}} |
| 65 | + |
| 66 | +## Runtime Support |
| 67 | + |
| 68 | +### Python, JavaScript, and Go |
| 69 | + |
| 70 | +For Python, JavaScript, and Go Lambda functions, FIPS compliance is controlled using the `DD_LAMBDA_FIPS_MODE` environment variable: |
| 71 | + |
| 72 | +- In GovCloud environments, `DD_LAMBDA_FIPS_MODE` defaults to `true`. |
| 73 | +- In commercial regions, `DD_LAMBDA_FIPS_MODE` defaults to `false`. |
| 74 | + |
| 75 | +When FIPS mode is enabled: |
| 76 | + |
| 77 | +- AWS FIPS endpoints are used for Datadog API key lookups in AWS secure datastores. |
| 78 | +- Direct metric submission to the Datadog API is disabled, requiring the FIPS-compliant extension or forwarder for metric submission. |
| 79 | + |
| 80 | +### Ruby, .NET, and Java |
| 81 | + |
| 82 | +Ruby, .NET, and Java runtime libraries do not require the `DD_LAMBDA_FIPS_MODE` environment variable as these runtimes do not: |
| 83 | + |
| 84 | +- Contact AWS APIs directly |
| 85 | +- Send metrics directly to Datadog |
| 86 | + |
| 87 | +## Installation and Configuration |
| 88 | + |
| 89 | +To use FIPS-compliant monitoring for your AWS Lambda functions: |
| 90 | + |
| 91 | +1. **Select the FIPS-compliant extension layer**: |
| 92 | + - Use the appropriate FIPS extension layer ARN for your architecture (x86 or ARM) and region (commercial or GovCloud) |
| 93 | + |
| 94 | +2. **Configure environment variables**: |
| 95 | + - For GovCloud environments, `DD_LAMBDA_FIPS_MODE` is enabled by default |
| 96 | + - For commercial regions, set `DD_LAMBDA_FIPS_MODE=true` to enable FIPS mode |
| 97 | + - Set `DD_SITE` to `ddog-gov.com` to send data to the US1-FED site |
| 98 | + |
| 99 | +3. **Follow the standard installation instructions**: |
| 100 | + - Refer to the [installation guides][1] for language-specific configurations |
| 101 | + - Use the FIPS extension layer ARNs instead of the standard extension layers |
| 102 | + |
| 103 | +For detailed installation instructions specific to your language runtime and deployment method, see the [installation documentation][1]. |
| 104 | + |
| 105 | +## Limitations and Considerations |
| 106 | + |
| 107 | +- **US1-FED Region**: The FIPS-compliant Lambda components should only be used for sending telemetry to the US1-FED region (`ddog-gov.com`). |
| 108 | + |
| 109 | +- **Customer Responsibility**: You, the Datadog customer, are responsible for: |
| 110 | + - The security posture of your own Lambda function code |
| 111 | + - Ensuring all other code you may be running in your Lambda execution environment maintains FIPS compliance as required |
| 112 | + |
| 113 | +- **FIPS Compliance Scope**: FIPS compliance only applies to communication between the Datadog Lambda components and Datadog's intake API endpoints. Other forms of communication originating from or terminating at your Lambda functions are not made FIPS-compliant by this solution. |
| 114 | + |
| 115 | +- **Version Requirements**: Use the latest versions of the Datadog Lambda extension and libraries to ensure full functionality and up-to-date security. |
| 116 | + |
| 117 | +## Further Reading |
| 118 | + |
| 119 | +- [Agent FIPS Compliance][2] - Note: these guidelines apply to Agent deployments only and not to serverless environments. |
| 120 | +- [AWS Lambda Security Overview][3] - AWS's documentation on Lambda security and compliance. |
| 121 | + |
| 122 | + |
| 123 | +[1]: /serverless/aws_lambda/installation/ |
| 124 | +[2]: /agent/configuration/fips-compliance/ |
| 125 | +[3]: https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/lambda-and-compliance.html |
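Review bot: The warning banner on line 16 is missing a word ("is available all AWS regions" should read "is available in all AWS regions"); since this is the first thing readers in commercial regions see, fix the grammar in the alert text. Two smaller documentation gaps in the same file: line 78 says disabled direct metric submission requires "the FIPS-compliant extension or forwarder", but the forwarder is never named or linked anywhere else in the page, so either link the FIPS-compliant forwarder documentation or drop the mention; and line 115 tells users to "use the latest versions" without stating the minimum extension and library versions in which `DD_LAMBDA_FIPS_MODE` and the `Datadog-Extension-FIPS` layers first appeared, which is what someone auditing an existing deployment actually needs.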