DataDog · rtrieu · Jul 3, 2025 · Jun 27, 2025 · Jun 27, 2025 · Jun 27, 2025
@@ -31,9 +31,11 @@ Cloudcraft's core functionality is its ability to generate detailed architecture
 
 - [Resource collection][2] must be enabled for your AWS accounts.
 - For the best experience, Datadog strongly recommends using the AWS-managed [`SecurityAudit`][5] policy, or the more permissive [`ReadOnlyAccess`][6] policy.
-- To view security misconfigurations on the [Security overlay][10], [Cloud Security][3] must be enabled.
+- Viewing content on the [Security overlay][10] requires additional products to be enabled:
+  - To view security misconfigurations and identity risks, [Cloud Security][3] must be enabled.
+  - To view sensitive data, [Sensitive Data Scanner][12] must be enabled. For a user to turn the layer on, they must have the [`data_scanner_read`][13] permission.
 
-**Note**: Cloudcraft adapts to restrictive permissions by excluding inaccessible resources. For example, if you opt to not grant permission to list S3 buckets, the diagram will simply exclude those buckets. If permissions block certain resources, an alert is displayed in the UI.
+**Note**: Cloudcraft adapts to restrictive permissions by excluding inaccessible resources. For example, if you opt to not grant permission to list S3 buckets, the diagram excludes those buckets. If permissions block certain resources, an alert displays in the UI.
 
 ## Getting started
 
@@ -108,3 +110,5 @@ Learn how to navigate between [built-in overlays][4] to view your architecture f
 [9]: /datadog_cloudcraft/overlays#observability
 [10]: /datadog_cloudcraft/overlays#security
 [11]: /datadog_cloudcraft/overlays#cloud-cost-management
+[12]: /security/sensitive_data_scanner
+[13]: /account_management/rbac/permissions/#compliance
@@ -71,19 +71,30 @@ The observability overlay tracks coverage for the following products:
 
 ### Security
 
-The security overlay highlights potential security exposures in your architecture, grouping resources by Region, VPC, and Security Group. It displays misconfigurations detected by Cloud Security, helping you:
+The security overlay highlights potential security exposures in your architecture, grouping resources by Region, VPC, and Security Group. It displays security findings detected by Cloud Security, helping you:
 
 - Identify security issues directly in infrastructure diagrams.
-- Analyze misconfigurations in context to prioritize remediation.
+- Analyze findings in context, so you can prioritize remediation:
+  - Misconfigurations
+  - Identity risks
+  - Sensitive data (S3 buckets only)
 - Assess your security posture before deploying applications.
 
-You can click on any any resource with findings to open a side panel with more details, allowing deeper investigation without leaving the diagram.
-
 This view is ideal for mapping attack surfaces during penetration tests or security audits. To keep the diagram focused, components like EBS volumes and NAT Gateways are excluded. 
 
-By default, the security overlay shows Critical, High, and Medium misconfigurations, which you can filter at the bottom of the screen.
+#### Investigate misconfigurations and identity risks
+
+By default, the security overlay shows Critical, High, and Medium severity misconfigurations or identity risks, which you can filter in the legend.
+
+You can click on any resource that has findings to open a side panel with more details, allowing deeper investigation without leaving the diagram. Click **Investigate** to get more context about the finding and learn how to remediate it.
+
+{{< img src="datadog_cloudcraft/overlays/cloudcraft_security_overlay_with_ccm_3.png" alt="Security overlay in Cloudcraft with the misconfigurations filter applied, highlighting the collapsible legend in the bottom left of the screen, and the Investigate button on the side panel." style="width:100%;" >}}
+
+#### Investigate sensitive data
+
+You can view sensitive data matches for your S3 buckets. Click a resource that has matches to learn more about the sensitive data matches for that bucket. Then, hover over a filename and click the **Inspect in AWS** button that appears to address it.
 
-{{< img src="datadog_cloudcraft/overlays/cloudcraft_security_overlay_with_ccm_2.png" alt="Security overlay in Cloudcraft, highlighting the collapsible legend and the bottom left hand side of the screen, and the Investigate button on the side panel." style="width:100%;" >}}
+{{< img src="datadog_cloudcraft/overlays/cloudcraft_security_overlay_sensitive_data.png" alt="Security overlay in Cloudcraft with the sensitive data filter applied, highlighting the collapsible legend in the bottom left of the screen, and the Inspect in AWS button on the side panel." style="width:100%;" >}}
 
 ### Cloud Cost Management