Secure Datadog with cnspec
Scan Datadog against security and compliance best practices with cnspec.
Scan your Datadog organization to find security risks before they become incidents. cnspec evaluates users and service accounts, API and application key hygiene, IP allowlisting, AWS integration configuration, sensitive data scanner coverage, security monitoring rules, and other Datadog controls.
Prerequisites
To test your Datadog environment with cnspec, you must have:
- cnspec installed on your workstation
- A Datadog account with admin access
- A Datadog API key and an application key with read access to your organization
Give cnspec access using Datadog keys
To scan your Datadog environment, cnspec needs access through the Datadog API. You create an API key plus an application key and then provide both when running cnspec commands.
To create the keys:
- Sign in to Datadog as an admin.
- Open Organization Settings > API Keys and select + New Key. Give the key a name (for example, cnspec-scan) and copy the value.
- Open Organization Settings > Application Keys and select + New Key. Give the key a name and copy the value. The application key inherits the scopes of the user that creates it; create it from an account that can read users, roles, monitors, security rules, and integrations.
Configure DD_API_KEY, DD_APP_KEY, and DD_SITE environment variables
You can supply your keys to cnspec using environment variables. This avoids passing them on the command line with every command, where they would also end up in your shell history and be visible in the process list.
On Linux / macOS:
export DD_API_KEY=YOUR_API_KEY
export DD_APP_KEY=YOUR_APPLICATION_KEY
# Set DD_SITE if your account is not on the default US1 site
export DD_SITE=datadoghq.eu
On Windows, using PowerShell:
$Env:DD_API_KEY = "YOUR_API_KEY"
$Env:DD_APP_KEY = "YOUR_APPLICATION_KEY"
$Env:DD_SITE = "datadoghq.eu"
When DD_API_KEY, DD_APP_KEY, and (if needed) DD_SITE are set, you can omit the --api-key, --app-key, and --site flags from all the commands below.
Test your connection
Before running a full scan, verify that your keys work by opening a cnspec shell:
cnspec shell datadog --api-key YOUR_API_KEY --app-key YOUR_APPLICATION_KEY
cnspec> datadog.users { email status } | first(3)
datadog.users: [
0: { email: "alice@example.com" status: "Active" }
1: { email: "bob@example.com" status: "Active" }
2: { email: "carol@example.com" status: "Disabled" }
]
If you see your users listed, cnspec is connected and ready to scan.
Scan Datadog
To scan your Datadog organization:
cnspec scan datadog --api-key YOUR_API_KEY --app-key YOUR_APPLICATION_KEY
For a non-default Datadog site, also pass --site (for example, --site datadoghq.eu).
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure no users have the Datadog Admin role assigned outside of break-glass accounts
✕ Fail: Ensure the IP allowlist is enabled
✓ Pass: Ensure all API keys belong to an active user or service account
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
Run your own Datadog policy
Mondoo does not yet publish an out of the box Datadog policy. You can write your own policy against the Datadog resources cnspec exposes and run it with --policy-bundle PATH/TO/policy.mql.yaml. When the Mondoo Datadog Security policy is published, you will be able to enable it from Findings > Policies in the Mondoo App.
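As an added example (not a Mondoo-published policy), the bundle below packages the queries from the "Example security checks" section on this page into a policy you can run with --policy-bundle. The asset.platform == "datadog" filter, the uid values, and the impact scores are assumptions; check the platform name with asset.platform in a cnspec shell.

```yaml
# Example cnspec policy bundle for Datadog, built from the MQL checks on this page.
# Assumption: Datadog assets match asset.platform == "datadog".
policies:
  - uid: datadog-security-baseline
    name: Datadog Security Baseline
    version: "1.0.0"
    groups:
      - title: Access control
        filters: asset.platform == "datadog"
        checks:
          - uid: datadog-ip-allowlist-enabled
          - uid: datadog-no-app-keys-for-disabled-users
      - title: Detection and data protection
        filters: asset.platform == "datadog"
        checks:
          - uid: datadog-security-rules-enabled
          - uid: datadog-sds-groups-enabled
          - uid: datadog-aws-integrations-tag-filtered
queries:
  - uid: datadog-ip-allowlist-enabled
    title: Ensure the IP allowlist is enabled
    impact: 80
    mql: datadog.ipAllowlistEnabled == true
    docs:
      desc: The IP allowlist restricts which networks can reach the Datadog UI and API.
      remediation: Enable the IP allowlist and add only trusted CIDR ranges.
  - uid: datadog-no-app-keys-for-disabled-users
    title: Ensure disabled users do not retain active application keys
    impact: 90
    # A disabled user's application keys stay valid until they are deleted.
    mql: |
      datadog.users.where(disabled == true).all(
        datadog.applicationKeys.where(owner == _.email).length == 0
      )
    docs:
      remediation: Delete application keys owned by disabled users.
  - uid: datadog-security-rules-enabled
    title: Ensure all security monitoring rules are enabled
    impact: 70
    mql: datadog.securityRules.all(enabled == true)
  - uid: datadog-sds-groups-enabled
    title: Ensure no Sensitive Data Scanner groups are disabled
    impact: 70
    mql: datadog.sensitiveDataScannerGroups.all(isEnabled == true)
  - uid: datadog-aws-integrations-tag-filtered
    title: Ensure AWS integrations restrict by tag filter
    impact: 50
    mql: datadog.integrationAwsAccounts.all(filterTags.length > 0)
```

Save it as policy.mql.yaml and run cnspec scan datadog --policy-bundle policy.mql.yaml with your keys set in the environment.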
Explore your Datadog environment
Run cnspec shell datadog --api-key YOUR_API_KEY --app-key YOUR_APPLICATION_KEY to open the interactive shell.
List users
cnspec> datadog.users { email status disabled }
List service accounts
cnspec> datadog.serviceAccounts { email name disabled }
List API keys
cnspec> datadog.apiKeys { name createdAt modifiedAt }
List application keys
cnspec> datadog.applicationKeys { name owner scopes }
Inspect the IP allowlist
cnspec> datadog.ipAllowlistEnabled
cnspec> datadog.ipAllowlistEntries
List AWS integration accounts
cnspec> datadog.integrationAwsAccounts { accountId roleName filterTags }
List security monitoring rules
cnspec> datadog.securityRules { name enabled type }
List sensitive data scanner groups
cnspec> datadog.sensitiveDataScannerGroups { name isEnabled productList }
Example security checks
From the cnspec interactive shell, you can make checks like the examples below.
Ensure the IP allowlist is enabled
The IP allowlist restricts which networks can reach the Datadog UI and API. This check confirms it is turned on:
cnspec> datadog.ipAllowlistEnabled == true
[ok] value: true
Ensure disabled users do not retain active application keys
Application keys created by a user remain valid even after the user is disabled unless they are deleted. This check confirms there are no application keys owned by disabled users:
cnspec> datadog.users.where(disabled == true).all(
datadog.applicationKeys.where(owner == _.email).length == 0
)
[ok] value: true
Ensure no Sensitive Data Scanner groups are disabled
Sensitive Data Scanner groups define which fields get redacted before they enter Datadog. A disabled group means PII can flow through unredacted:
cnspec> datadog.sensitiveDataScannerGroups.all(isEnabled == true)
[ok] value: true
Ensure all security monitoring rules are enabled
Disabled detection rules silently stop firing. This check ensures every configured rule is enabled:
cnspec> datadog.securityRules.all(enabled == true)
[ok] value: true
Ensure AWS integrations restrict by tag filter
Unscoped AWS integrations pull every resource in the account into Datadog. Scoping by tag filter limits ingestion to the intended subset:
cnspec> datadog.integrationAwsAccounts.all(filterTags.length > 0)
[ok] value: true
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- To learn about all the Datadog resources and properties you can query, read the Mondoo Datadog Resource Pack Reference.