From 3fc82eddd2116c643f0e9c989a08dbfb827e2210 Mon Sep 17 00:00:00 2001 From: Janine Chan Date: Wed, 15 Jul 2026 13:16:35 -0600 Subject: [PATCH 1/2] Remove references to RDS scanning across Cloud Security docs --- .../guide/public-accessibility-logic.md | 28 ------------------- .../setup/agentless_scanning/compatibility.md | 2 +- .../agentless_scanning/deployment_methods.md | 2 +- .../setup/supported_deployment_types.md | 2 +- .../sensitive_data_scanner/setup/_index.md | 2 +- 5 files changed, 4 insertions(+), 32 deletions(-) diff --git a/content/en/security/cloud_security_management/guide/public-accessibility-logic.md b/content/en/security/cloud_security_management/guide/public-accessibility-logic.md index 63b93b5a838..eaf80eec61d 100644 --- a/content/en/security/cloud_security_management/guide/public-accessibility-logic.md +++ b/content/en/security/cloud_security_management/guide/public-accessibility-logic.md @@ -88,28 +88,6 @@ A [Redshift cluster][9] (`aws_redshift_cluster`) is considered publicly accessib See [Make a private Amazon Redshift Cluster publicly accessible][13] for more information about Redshift Clusters and public accessibility. -### Amazon RDS DB instance - -An [RDS DB instance][14] (`aws_rds_instance`) is considered publicly accessible if all of the following are true: - -| **Criteria** | **Explanation** | -|--------------|-----------------| -|It has `publicly_accessible` set to `true` in its connectivity configuration.|This setting makes the DB publicly accessible, meaning its DNS endpoint will resolve to the private IP address within its VPC, and a public IP address from outside the VPC. However, access to the cluster will still be controlled by a related security group. | -|It's in a public [subnet][4].|-| -|It's associated with a [security group][12] that has rules allowing access from a CIDR range of `"0.0.0.0/0"`, or an IPv6 CIDR range of `"::/0"`. |A security group controls inbound traffic to a VPC. With an open CIDR range, all IP addresses are able to gain access. | - -See [Fix connectivity to an RDS DB instance that uses a VPC's subnet][15] for more information about public access to an RDS DB Instance. - -### Amazon RDS DB snapshot - -An [RDS DB snapshot][16] (`aws_rds_db_snapshot`) is considered publicly accessible if: - -| **Criteria** | **Explanation** | -|--------------|-----------------| -|It has an attribute set to `"restore"` with an attribute value set to `"all"`.|If you set DB snapshot visibility to Public, all AWS accounts can restore a DB instance from your manual DB snapshot and have access to your data.| - -See [Sharing a DB snapshot][17] for more information. - ### Amazon Elastic Load Balancer An ELB (`aws_elbv2_load_balancer`) is considered publicly accessible if all of the following are true: @@ -377,10 +355,6 @@ A Kubernetes Engine cluster (`gcp_kubernetes_engine_cluster`) is considered publ [11]: https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html [12]: https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html [13]: https://repost.aws/knowledge-center/redshift-cluster-private-public -[14]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html -[15]: https://repost.aws/knowledge-center/rds-connectivity-instance-subnet-vpc -[16]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html -[17]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html [18]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses [19]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html [20]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html @@ -406,8 +380,6 @@ A Kubernetes Engine cluster (`gcp_kubernetes_engine_cluster`) is considered publ [40]: https://azure.microsoft.com/en-us/blog/network-security-groups/ [41]: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses [42]: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/associate-public-ip-address-vm?tabs=azure-portal -[43]: https://learn.microsoft.com/en-us/rest/api/compute/disks/create-or-update?view=rest-compute-2023-04-02&tabs=HTTP -[44]: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-private-links-for-import-export-portal [45]: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal [46]: https://azure.microsoft.com/en-us/updates/choose-to-allow-or-disallow-blob-public-access-on-azure-storage-accounts/ [47]: https://azure.microsoft.com/en-us/updates/choose-to-allow-or-disallow-blob-public-access-on-azure-storage-accounts/ diff --git a/content/en/security/cloud_security_management/setup/agentless_scanning/compatibility.md b/content/en/security/cloud_security_management/setup/agentless_scanning/compatibility.md index 6c0bb5b76f8..4a36be3d812 100644 --- a/content/en/security/cloud_security_management/setup/agentless_scanning/compatibility.md +++ b/content/en/security/cloud_security_management/setup/agentless_scanning/compatibility.md @@ -22,7 +22,7 @@ The following table provides a summary of Agentless Scanning technologies in rel | Application languages (in hosts and containers) | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | | Container Registries | Amazon ECR (public and private): scans running container images and the last 1,000 pushed images at rest | ACR: scans running container images only
**Note:** To request at-rest registry scanning or to increase the number of at-rest images to scan, contact [Datadog Support][16] | Google Artifact Registry: scans images from running workloads only
**Note:** To request at-rest registry scanning or to increase the numbers of at-rest images to scan, contact [Datadog Support][16] | | Host Images | AMI | Not supported | Not supported | -| Sensitive Data (SDS) | S3, RDS (private beta) | Not supported | Not supported | +| Sensitive Data (SDS) | S3 | Not supported | Not supported | **Note**: AMIs must be stored in an account that uses Datadog's AWS integration. Otherwise, Datadog can't read the AMI's underlying Amazon Elastic Block Store (EBS) snapshot, so it can't scan or report on the AMI. diff --git a/content/en/security/cloud_security_management/setup/agentless_scanning/deployment_methods.md b/content/en/security/cloud_security_management/setup/agentless_scanning/deployment_methods.md index 2a2feaeee46..ff1b19e213a 100644 --- a/content/en/security/cloud_security_management/setup/agentless_scanning/deployment_methods.md +++ b/content/en/security/cloud_security_management/setup/agentless_scanning/deployment_methods.md @@ -21,7 +21,7 @@ This guide helps you choose the right deployment topology for Agentless Scanning Datadog recommends the following guidelines: - Use a dedicated scanner account for multi-account environments. - Deploy a scanner in each region that contains more than 150 hosts. -- If you use [Cloud Storage Scanning][1], deploy a scanner in each region that contains a data store (for example, S3 buckets or RDS instances). +- If you use [Cloud Storage Scanning][1], deploy a scanner in each region that contains a data store (for example, S3 buckets).
Scanners only send the collected list of packages and host metadata (hostnames, EC2/VM/Compute Engine instance identifiers) to Datadog. All scanned data remains in your infrastructure.
diff --git a/content/en/security/cloud_security_management/setup/supported_deployment_types.md b/content/en/security/cloud_security_management/setup/supported_deployment_types.md index d70c61548a9..c50e150516d 100644 --- a/content/en/security/cloud_security_management/setup/supported_deployment_types.md +++ b/content/en/security/cloud_security_management/setup/supported_deployment_types.md @@ -34,7 +34,7 @@ The following table summarizes the scope of coverage available relative to each | Docker Container | | | | {{< X >}} | | Container Image | | {{< X >}} | | {{< X >}} | -**Note**: Cloud Security Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, RDS, S3, and ELB. +**Note**: Cloud Security Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, S3, and ELB. [1]: /security/cloud_security_management/setup/#cloud-security-threats [2]: /security/cloud_security_management/setup/#cloud-security-vulnerabilities diff --git a/content/en/security/sensitive_data_scanner/setup/_index.md b/content/en/security/sensitive_data_scanner/setup/_index.md index 41f16afeb25..bbcab874faa 100644 --- a/content/en/security/sensitive_data_scanner/setup/_index.md +++ b/content/en/security/sensitive_data_scanner/setup/_index.md @@ -25,7 +25,7 @@ Set up Sensitive Data Scanner for each data source you want to scan. Each source - **Telemetry data:** Scan your logs, APM spans, RUM events, and events from Event Management. See [Telemetry Data][1] for setup instructions. To scan logs before they leave your network, use the [Sensitive Data Scanner processor for Observability Pipelines][5]. - **Agent Observability data:** Scan LLM traces, prompts, and completions. Configure scanning from the [Agent Observability Settings page][3]. -- **Cloud storage data:** Scan your Amazon S3 buckets and RDS instances. See [Cloud Storage][2] for setup instructions. +- **Cloud storage data:** Scan your Amazon S3 buckets. See [Cloud Storage][2] for setup instructions. - **Code repositories:** Detect exposed secrets in your source code. See [Secret Scanning][4] for setup instructions. - **AI Guard evaluations:** Scan the conversations AI Guard evaluates for sensitive data such as credentials and PII. Configure scanning rules from the [AI Guard tab][6] of the Sensitive Data Scanner configuration page. From 63876062ac3bf925651faa9117523c002dd83b06 Mon Sep 17 00:00:00 2001 From: Janine Chan Date: Wed, 15 Jul 2026 16:25:26 -0600 Subject: [PATCH 2/2] Add unaffected content back --- .../guide/public-accessibility-logic.md | 26 +++++++++++++++++++ .../setup/supported_deployment_types.md | 2 +- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/content/en/security/cloud_security_management/guide/public-accessibility-logic.md b/content/en/security/cloud_security_management/guide/public-accessibility-logic.md index eaf80eec61d..1ecfbe1a1d6 100644 --- a/content/en/security/cloud_security_management/guide/public-accessibility-logic.md +++ b/content/en/security/cloud_security_management/guide/public-accessibility-logic.md @@ -88,6 +88,28 @@ A [Redshift cluster][9] (`aws_redshift_cluster`) is considered publicly accessib See [Make a private Amazon Redshift Cluster publicly accessible][13] for more information about Redshift Clusters and public accessibility. +### Amazon RDS DB instance + +An [RDS DB instance][14] (`aws_rds_instance`) is considered publicly accessible if all of the following are true: + +| **Criteria** | **Explanation** | +|--------------|-----------------| +|It has `publicly_accessible` set to `true` in its connectivity configuration.|This setting makes the DB publicly accessible, meaning its DNS endpoint will resolve to the private IP address within its VPC, and a public IP address from outside the VPC. However, access to the cluster will still be controlled by a related security group. | +|It's in a public [subnet][4].|-| +|It's associated with a [security group][12] that has rules allowing access from a CIDR range of `"0.0.0.0/0"`, or an IPv6 CIDR range of `"::/0"`. |A security group controls inbound traffic to a VPC. With an open CIDR range, all IP addresses are able to gain access. | + +See [Fix connectivity to an RDS DB instance that uses a VPC's subnet][15] for more information about public access to an RDS DB Instance. + +### Amazon RDS DB snapshot + +An [RDS DB snapshot][16] (`aws_rds_db_snapshot`) is considered publicly accessible if: + +| **Criteria** | **Explanation** | +|--------------|-----------------| +|It has an attribute set to `"restore"` with an attribute value set to `"all"`.|If you set DB snapshot visibility to Public, all AWS accounts can restore a DB instance from your manual DB snapshot and have access to your data.| + +See [Sharing a DB snapshot][17] for more information. + ### Amazon Elastic Load Balancer An ELB (`aws_elbv2_load_balancer`) is considered publicly accessible if all of the following are true: @@ -355,6 +377,10 @@ A Kubernetes Engine cluster (`gcp_kubernetes_engine_cluster`) is considered publ [11]: https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html [12]: https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html [13]: https://repost.aws/knowledge-center/redshift-cluster-private-public +[14]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html +[15]: https://repost.aws/knowledge-center/rds-connectivity-instance-subnet-vpc +[16]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html +[17]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html [18]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses [19]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html [20]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html diff --git a/content/en/security/cloud_security_management/setup/supported_deployment_types.md b/content/en/security/cloud_security_management/setup/supported_deployment_types.md index c50e150516d..d70c61548a9 100644 --- a/content/en/security/cloud_security_management/setup/supported_deployment_types.md +++ b/content/en/security/cloud_security_management/setup/supported_deployment_types.md @@ -34,7 +34,7 @@ The following table summarizes the scope of coverage available relative to each | Docker Container | | | | {{< X >}} | | Container Image | | {{< X >}} | | {{< X >}} | -**Note**: Cloud Security Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, S3, and ELB. +**Note**: Cloud Security Misconfigurations additionally monitors common resources used in your cloud accounts that are running Windows and AWS Fargate, such as EC2 instances, RDS, S3, and ELB. [1]: /security/cloud_security_management/setup/#cloud-security-threats [2]: /security/cloud_security_management/setup/#cloud-security-vulnerabilities