AWS Lambda FIPS #29316

Open: wants to merge 8 commits into base: master
5 changes: 5 additions & 0 deletions config/_default/menus/main.en.yaml
Expand Up @@ -3162,6 +3162,11 @@ menu:
parent: serverless_aws_lambda
identifier: libraries_integrations
weight: 111
- name: FIPS Compliance
url: serverless/aws_lambda/fips-compliance
parent: serverless_aws_lambda
identifier: serverless_aws_lambda_fips_compliance
weight: 112
- name: AWS Step Functions
url: serverless/step_functions
parent: serverless
34 changes: 32 additions & 2 deletions content/en/serverless/aws_lambda/configuration.md
Expand Up @@ -33,6 +33,7 @@ First, [install][1] Datadog Serverless Monitoring to begin collecting metrics, t
- [Collect Profiling data](#collect-profiling-data)
- [Send telemetry over PrivateLink or proxy](#send-telemetry-over-privatelink-or-proxy)
- [Send telemetry to multiple Datadog organizations](#send-telemetry-to-multiple-datadog-organizations)
- [Enable FIPS compliance](#enable-fips-compliance)
- [Propagate trace context over AWS resources](#propagate-trace-context-over-aws-resources)
- [Merge X-Ray and Datadog traces](#merge-x-ray-and-datadog-traces)
- [Enable AWS Lambda code signing](#enable-aws-lambda-code-signing)
Expand Down Expand Up @@ -350,9 +351,9 @@ To see what libraries and frameworks are automatically instrumented by the Datad

To manage the [APM traced invocation sampling rate][17] for serverless functions, set the `DD_TRACE_SAMPLING_RULES` environment variable on the function to a value between 0.000 (no tracing of Lambda function invocations) and 1.000 (trace all Lambda function invocations).

**Notes**:
**Notes**:
- The use of `DD_TRACE_SAMPLE_RATE` is deprecated. Use `DD_TRACE_SAMPLING_RULES` instead. For instance, if you already set `DD_TRACE_SAMPLE_RATE` to `0.1`, set `DD_TRACE_SAMPLING_RULES` to `[{"sample_rate":0.1}]` instead.
- Overall traffic metrics such as `trace.<OPERATION_NAME>.hits` are calculated based on sampled invocations *only* in Lambda.
- Overall traffic metrics such as `trace.<OPERATION_NAME>.hits` are calculated based on sampled invocations *only* in Lambda.

For high throughput services, there's usually no need for you to collect every single request as trace data is very repetitive—an important enough problem should always show symptoms in multiple traces. [Ingestion controls][18] help you to have the visibility that you need to troubleshoot problems while remaining within budget.
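Review bot: the removed/added pairs at `**Notes**:` and at the `trace.<OPERATION_NAME>.hits` bullet are byte-identical in the rendered diff, so this hunk appears to be a trailing-whitespace-only change unrelated to the FIPS work; either drop it from this PR or call it out as cosmetic in the description so reviewers and future `git blame` readers do not go looking for a content change here.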

Expand Down Expand Up @@ -576,6 +577,35 @@ The Datadog Extension supports decrypting [AWS KMS][41] values automatically for

For more advanced usage, see the [Dual Shipping guide][32].

## Enable FIPS compliance

<div class="alert alert-info">For a complete overview of FIPS compliance for AWS Lambda functions, refer to the dedicated <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> page.</div>

To enable FIPS compliance for AWS Lambda functions, follow these steps:

1. Use a FIPS-compliant extension layer by referencing the appropriate ARN:

```sh
# AWS GovCloud
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}}

# AWS Commercial
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
```

2. For Lambda functions using Python, JavaScript, or Go, set the environment variable `DD_LAMBDA_FIPS_MODE` to `true`. This environment variable:
- In FIPS mode, the Lambda metric helper functions require the FIPS-compliant extension for metric submission
- Uses AWS FIPS endpoints for API key lookups
- Is enabled by default in GovCloud environments

3. For Lambda functions using Ruby, .NET, or Java, no additional environment variable configuration is needed.

4. For complete end-to-end FIPS compliance, configure your Lambda function to use the US1-FED Datadog site:
- Set the `DD_SITE` to `ddog-gov.com` (required for end-to-end FIPS compliance)
**Note**: While the FIPS-compliant Lambda components work with any Datadog site, only the US1-FED site has FIPS-compliant intake endpoints.
Comment on lines +606 to +607

Contributor:
Curious, should we only allow a FIPS-compliant DD endpoint in FIPS-compliant builds?

Contributor Author:
The agent does not, so I decided to follow their lead on that.

## Propagate trace context over AWS resources

Datadog automatically injects the trace context into outgoing AWS SDK requests and extracts the trace context from the Lambda event. This enables Datadog to trace a request or transaction over distributed services. See [Serverless Trace Propagation][33].
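Review bot: step 4 and the note under it leave the mismatched-site case implicit: the text says the FIPS-compliant components work with any Datadog site while only US1-FED has FIPS-compliant intake endpoints, which means a function with `DD_LAMBDA_FIPS_MODE=true` and `DD_SITE` still pointing at a commercial site keeps shipping telemetry over non-FIPS intake without any error (consistent with the thread's remark that the Agent does not enforce this either). State that outright and tell readers to verify `DD_SITE=ddog-gov.com` in the function configuration rather than expecting a failure to surface the misconfiguration. Two smaller points in the same hunk: in step 2 the first bullet ("In FIPS mode, the Lambda metric helper functions require the FIPS-compliant extension for metric submission") does not continue the lead-in "This environment variable:" the way the other two bullets do, so rephrase it along the lines of "Requires the FIPS-compliant extension for metric submission by the Lambda metric helper functions"; and in step 4 the `**Note**:` line directly follows the `DD_SITE` bullet with no blank line, so it will render as part of that list item.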
125 changes: 125 additions & 0 deletions content/en/serverless/aws_lambda/fips-compliance.md
@@ -0,0 +1,125 @@
---
title: AWS Lambda FIPS Compliance
further_reading:
- link: '/serverless/aws_lambda/installation/'
tag: 'Documentation'
text: 'Install Serverless Monitoring for AWS Lambda'
- link: '/serverless/aws_lambda/configuration/'
tag: 'Documentation'
text: 'Configure Serverless Monitoring for AWS Lambda'
algolia:
rank: 80
tags: ["fips", "compliance", "fedramp", "govcloud", "aws lambda"]
---

{{< site-region region="us,us3,us5,eu,ap1" >}}
<div class="alert alert-warning">The FIPS-compliant Datadog Lambda extension is available in all AWS regions. While you can use these FIPS-compliant Lambda components with any Datadog site, end-to-end FIPS compliance requires sending data to the US1-FED site (ddog-gov.com).</div>
{{< /site-region >}}

Datadog provides FIPS-compliant monitoring for AWS Lambda functions through the use of FIPS-certified cryptographic modules and specially designed Lambda extension layers.

## FIPS-Compliant Components

Datadog's FIPS compliance for AWS Lambda is implemented through two main components:

1. **FIPS-Compliant Lambda Extension**:
- The compatibility version of the extension is a Go binary built using the [BoringCrypto FIPS-certified module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407).
- The Next Generation Lambda Extension is a Rust binary built with the [AWS-LC FIPS-certified cryptographic module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816).

2. **Runtime Libraries Support**:
- The Python and JavaScript Datadog Lambda Layers, and the Go Datadog Lambda Library offer FIPS-compliant operation controlled by the `DD_LAMBDA_FIPS_MODE` environment variable.
- `DD_LAMBDA_FIPS_MODE` defaults to `true` in GovCloud and `false` otherwise.
- When FIPS mode is enabled:
- The runtime libraries use AWS FIPS endpoints for Datadog API key retrieval
- The Lambda metric helper functions require the FIPS-compliant extension for metric submission:
- Python: `lambda_metric` from `datadog_lambda.metric`
- Node.js: `sendDistributionMetric` from `datadog-lambda-js`
- Go: `Metric()` from `ddlambda`

## FIPS Extension Layers

Datadog provides separate Lambda extension layers for FIPS compliance in both x86 and ARM architectures:

{{< tabs >}}
{{% tab "AWS GovCloud Regions" %}}

```
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
```

Replace `<AWS_REGION>` with a valid AWS GovCloud region such as `us-gov-west-1`.

{{% /tab %}}
{{% tab "AWS Commercial Regions" %}}

```
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}}
```

Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`.

{{% /tab %}}
{{< /tabs >}}

## Runtime Support

### Python, JavaScript, and Go

For Python, JavaScript, and Go Lambda functions, FIPS compliance is controlled using the `DD_LAMBDA_FIPS_MODE` environment variable:

- In GovCloud environments, `DD_LAMBDA_FIPS_MODE` defaults to `true`.
- In commercial regions, `DD_LAMBDA_FIPS_MODE` defaults to `false`.

When FIPS mode is enabled:

- AWS FIPS endpoints are used for Datadog API key lookups in AWS secure datastores.
- Direct metric submission to the Datadog API is disabled, requiring the FIPS-compliant extension for metric submission.

### Ruby, .NET, and Java

Ruby, .NET, and Java runtime libraries do not require the `DD_LAMBDA_FIPS_MODE` environment variable as these runtimes do not:

- Contact AWS APIs directly
- Send metrics directly to Datadog

## Installation and Configuration

To use FIPS-compliant monitoring for your AWS Lambda functions:

1. **Select the FIPS-compliant extension layer**:
- Use the appropriate FIPS extension layer ARN for your architecture (x86 or ARM) and region (commercial or GovCloud).

2. **Configure environment variables**:
- For GovCloud environments, `DD_LAMBDA_FIPS_MODE` is enabled by default.
- For commercial regions, set `DD_LAMBDA_FIPS_MODE=true` to enable FIPS mode.
- For complete end-to-end FIPS compliance, set `DD_SITE` to `ddog-gov.com` to send data to the US1-FED site.

3. **Follow the standard installation instructions**:
- Refer to the [installation guides][1] for language-specific configurations.
- Use the FIPS extension layer ARNs instead of the standard extension layers.

For detailed installation instructions specific to your language runtime and deployment method, see the [installation documentation][1].

## Limitations and Considerations

- **End-to-end FIPS Compliance**: For complete FIPS compliance, the FIPS-compliant Lambda components must be used to send telemetry to the US1-FED region (`ddog-gov.com`). While the Lambda components themselves implement FIPS-compliant cryptography regardless of the destination, only the US1-FED site has FIPS-compliant intake endpoints.

- **Customer Responsibility**: You, the Datadog customer, are responsible for:
- The security posture of your own Lambda function code
- Ensuring all other code you may be running in your Lambda execution environment maintains FIPS compliance as required

- **FIPS Compliance Scope**: FIPS compliance only applies to communication between the Datadog Lambda components and Datadog's intake API endpoints. Other forms of communication originating from or terminating at your Lambda functions are not made FIPS-compliant by this solution.

- **Version Requirements**: Use the latest versions of the Datadog Lambda extension and libraries to ensure full functionality and up-to-date security.

## Further Reading

- [Agent FIPS Compliance][2] - Note: these guidelines apply to Agent deployments only and not to serverless environments.
- [AWS Lambda Security Overview][3] - AWS's documentation on Lambda security and compliance.


[1]: /serverless/aws_lambda/installation/
[2]: /agent/configuration/fips-compliance/
[3]: https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/lambda-and-compliance.html
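Review bot: the "Runtime Support" and "Limitations and Considerations" sections do not say what happens when `DD_LAMBDA_FIPS_MODE=true` and `lambda_metric`, `sendDistributionMetric` or `Metric()` is called from a function that does not have the FIPS extension layer attached: "Direct metric submission to the Datadog API is disabled" could mean the call raises, logs a warning, or silently drops the metric. Operators need that to detect a missing layer from the telemetry side, so document the observed behaviour (and the log message, if there is one) under "Runtime Support". Related: "Version Requirements" only says to use the latest versions; give the minimum extension and library versions in which the FIPS layers and `DD_LAMBDA_FIPS_MODE` exist, since a function pinned to an older layer version would otherwise look configured while not being FIPS-capable. Minor: the two blank lines before the `[1]:` link definitions at the end of the file can be collapsed to one.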
5 changes: 5 additions & 0 deletions content/en/serverless/aws_lambda/installation/_index.md
Expand Up @@ -30,6 +30,10 @@ For the detailed installation instructions, select the Lambda runtime below:

{{< partial name="serverless/getting-started-languages.html" >}}

## FIPS Compliance Support

Datadog provides FIPS-compliant monitoring for AWS Lambda functions through dedicated FIPS-compliant Lambda extension layers and runtime-specific configurations. The FIPS-compliant components implement FIPS-certified cryptography and work with any Datadog site, but end-to-end FIPS compliance requires using the US1-FED site. If you need to maintain FIPS compliance while monitoring your Lambda functions, see the [AWS Lambda FIPS Compliance][4] documentation page for details.

## Advanced Configurations

After you're done with installation and you've set up telemetry collection, you can use [advanced configurations][3] to:
Expand All @@ -47,3 +51,4 @@ After you're done with installation and you've set up telemetry collection, you
[1]: https://app.datadoghq.com/signup/
[2]: https://app.datadoghq.com/signup/agent#lambda
[3]: /serverless/configuration/
[4]: /serverless/aws_lambda/fips-compliance/
2 changes: 2 additions & 0 deletions content/en/serverless/aws_lambda/installation/dotnet.md
Expand Up @@ -18,6 +18,8 @@ further_reading:

<div class="alert alert-info">Version 67+ of the Datadog Lambda Extension uses an optimized version of the extension. <a href="#minimize-cold-start-duration">Read more</a>.</div>

<div class="alert alert-info">For FIPS compliance, use the Datadog FIPS-compliant extension layer, but note that the .NET runtime layer does not require additional configuration. While the FIPS-compliant Lambda components work with any Datadog site, end-to-end FIPS compliance requires using the US1-FED site. See <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> for more details.</div>

## Installation

<div class="alert alert-info">A sample application is <a href="https://github.com/DataDog/serverless-sample-app/tree/main/src/order-service">available on GitHub</a> with instructions on how to deploy with multiple runtimes and infrastructure as code tools.</div>
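Review bot: this alert is one of five near-identical FIPS alerts added across the dotnet, go, java, nodejs, python and ruby installation pages, differing only in the runtime name and the metric helper; consider moving the shared sentences (site compatibility, US1-FED requirement, link to the FIPS page) into a partial, which the installation index already uses via `{{< partial name="serverless/getting-started-languages.html" >}}`, so the compliance wording cannot drift between runtimes when it is next changed.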
2 changes: 2 additions & 0 deletions content/en/serverless/aws_lambda/installation/go.md
Expand Up @@ -21,6 +21,8 @@ aliases:

<div class="alert alert-info">Version 67+ of the Datadog Lambda Extension uses an optimized version of the extension. <a href="#minimize-cold-start-duration">Read more</a>.</div>

<div class="alert alert-info">Datadog provides FIPS-compliant monitoring for AWS Lambda functions. For GovCloud environments, the <code>DD_LAMBDA_FIPS_MODE</code> environment variable is enabled by default. When FIPS mode is enabled, AWS FIPS endpoints are used for Datadog API key lookups, and the Lambda metric helper function <code>Metric()</code> requires the FIPS-compliant extension for metric submission. While the FIPS-compliant Lambda components work with any Datadog site, end-to-end FIPS compliance requires using the US1-FED site. See <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> for more details.</div>

## Installation

<div class="alert alert-info">A sample application is <a href="https://github.com/DataDog/serverless-sample-app/tree/main/src/product-management-service">available on GitHub</a> with instructions on how to deploy with multiple runtimes and infrastructure as code tools.</div>
2 changes: 2 additions & 0 deletions content/en/serverless/aws_lambda/installation/java.md
Expand Up @@ -17,6 +17,8 @@ aliases:

<div class="alert alert-info">Version 67+ of the Datadog Lambda Extension uses an optimized version of the extension. <a href="#minimize-cold-start-duration">Read more</a>.</div>

<div class="alert alert-info">For FIPS compliance, use the Datadog FIPS-compliant extension layer, but note that the Java runtime layer does not require additional configuration. While the FIPS-compliant Lambda components work with any Datadog site, end-to-end FIPS compliance requires using the US1-FED site. See <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> for more details.</div>

To fully instrument your serverless application with distributed tracing, your Java Lambda functions must be using the Java 8 Corretto (`java8.al2`), Java 11 (`java11`), Java 17 (`java17`), or Java 21 (`java21`) runtimes with at least 1024 MB of memory.

If your Lambda functions are deployed in a VPC without access to the public internet, you can send data either [using AWS PrivateLink][6] for the `datadoghq.com` [Datadog site][7], or [using a proxy][8] for all other sites.
2 changes: 2 additions & 0 deletions content/en/serverless/aws_lambda/installation/nodejs.md
Expand Up @@ -27,6 +27,8 @@ aliases:

<div class="alert alert-info">Version 67+ of the Datadog Lambda Extension uses an optimized version of the extension. <a href="#minimize-cold-start-duration">Read more</a>.</div>

<div class="alert alert-info">Datadog provides FIPS-compliant monitoring for AWS Lambda functions. For GovCloud environments, the <code>DD_LAMBDA_FIPS_MODE</code> environment variable is enabled by default. When FIPS mode is enabled, AWS FIPS endpoints are used for Datadog API key lookups, and the Lambda metric helper function <code>sendDistributionMetric</code> requires the FIPS-compliant extension for metric submission. While the FIPS-compliant Lambda components work with any Datadog site, end-to-end FIPS compliance requires using the US1-FED site. See <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> for more details.</div>

## Installation

<div class="alert alert-info">A sample application is <a href="https://github.com/DataDog/serverless-sample-app/tree/main/src/loyalty-point-service">available on GitHub</a> with instructions on how to deploy with multiple runtimes and infrastructure as code tools.</div>
2 changes: 2 additions & 0 deletions content/en/serverless/aws_lambda/installation/python.md
Expand Up @@ -24,6 +24,8 @@ algolia:

<div class="alert alert-info">Version 67+ of the Datadog Lambda Extension uses an optimized version of the extension. <a href="#minimize-cold-start-duration">Read more</a>.</div>

<div class="alert alert-info">Datadog provides FIPS-compliant monitoring for AWS Lambda functions. For GovCloud environments, the <code>DD_LAMBDA_FIPS_MODE</code> environment variable is enabled by default. When FIPS mode is enabled, AWS FIPS endpoints are used for Datadog API key lookups, and the Lambda metric helper function <code>lambda_metric</code> requires the FIPS-compliant extension for metric submission. While the FIPS-compliant Lambda components work with any Datadog site, end-to-end FIPS compliance requires using the US1-FED site. See <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> for more details.</div>

## Installation

Datadog offers many different ways to enable instrumentation for your serverless applications. Choose a method below that best suits your needs. Datadog generally recommends using the Datadog CLI. You *must* follow the instructions for "Container Image" if your application is deployed as a container image.
2 changes: 2 additions & 0 deletions content/en/serverless/aws_lambda/installation/ruby.md
Expand Up @@ -24,6 +24,8 @@ aliases:

<div class="alert alert-info">Version 67+ of the Datadog Lambda Extension uses an optimized version of the extension. <a href="#minimize-cold-start-duration">Read more</a>.</div>

<div class="alert alert-info">For FIPS compliance, use the Datadog FIPS-compliant extension layer, but note that the Ruby runtime layer does not require additional configuration. While the FIPS-compliant Lambda components work with any Datadog site, end-to-end FIPS compliance requires using the US1-FED site. See <a href="/serverless/aws_lambda/fips-compliance">AWS Lambda FIPS Compliance</a> for more details.</div>

## Installation

Datadog offers many different ways to enable instrumentation for your serverless applications. Choose a method below that best suits your needs. Datadog generally recommends using the Datadog CLI. You *must* follow the instructions for "Container Image" if your application is deployed as a container image.