Agentless Scanning Quick Start for Cloud Security Management
Designed for new users, the quick start workflow offers an efficient setup process for Cloud Security Management, enabling immediate monitoring of AWS resources. It uses AWS CloudFormation to automate the configuration, and includes the Cloud Security Management features: Misconfigurations, Identity Risks (CIEM), and Vulnerability Management.
This article provides instructions for the new user quick start workflow that uses AWS CloudFormation to set up Agentless Scanning. For existing users who want to add a new AWS account or enable Agentless Scanning on an existing integrated AWS account, see the instructions for Terraform or AWS CloudFormation.
Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.
Installation
- On the Intro to Cloud Security Management page, click Get Started with Cloud Security Management.
- Click Quick Start. The Features page is displayed, showing the features included with Agentless Scanning Quick Start.
- Click Start Using Cloud Security Management to continue.
- Select the AWS region where you want to create the CloudFormation stack.
- Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection.
- Send AWS Logs to Datadog and Enable Cloud Security Management are automatically selected by default. Leave the selections as is.
- In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
- Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.
Exclude resources from scans
To exclude AWS hosts, containers, and Lambda functions from scans, apply the tag DatadogAgentlessScanner:false to each resource. For detailed instructions on adding this tag, refer to the AWS documentation.
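To keep track of what the exclusion tag removes from scan coverage, the following added example (not Datadog's code) audits a tag inventory for it. It assumes an inventory in the shape returned by `aws resourcegroupstaggingapi get-resources`; the sample data, account ID, and resource names are constructed, and because this page does not say whether tag matching is case-sensitive, only the exact key and value shown above count as an exclusion while other spellings are reported for review.

```python
EXCLUDE_KEY, EXCLUDE_VALUE = "DatadogAgentlessScanner", "false"  # tag from this page

# Constructed sample, shaped like the output of
# `aws resourcegroupstaggingapi get-resources` (account ID and names are made up).
SAMPLE = {"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa1111bbbb2222c",
     "Tags": [{"Key": "DatadogAgentlessScanner", "Value": "false"}, {"Key": "team", "Value": "db"}]},
    {"ResourceARN": "arn:aws:lambda:us-east-1:111122223333:function:billing-export",
     "Tags": [{"Key": "datadogagentlessscanner", "Value": "False"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ccc3333dddd4444e",
     "Tags": [{"Key": "env", "Value": "prod"}]},
    {"ResourceARN": "arn:aws:lambda:us-east-1:111122223333:function:thumbnailer",
     "Tags": [{"Key": "DatadogAgentlessScanner", "Value": "false"}]},
]}


def resource_kind(arn):
    """Return 'service/type' from an ARN, e.g. 'ec2/instance' or 'lambda/function'."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) < 6 or parts[0] != "arn":
        return "unknown"
    rtype = parts[5].replace(":", "/").split("/", 1)[0]
    return f"{parts[2]}/{rtype}"


def audit_exclusions(inventory):
    """Split tagged resources into exact exclusions and look-alike tags to review."""
    excluded, review = {}, []
    for item in inventory.get("ResourceTagMappingList", []):
        arn = item["ResourceARN"]
        for tag in item.get("Tags", []):
            key, value = tag["Key"], tag["Value"]
            if key == EXCLUDE_KEY and value == EXCLUDE_VALUE:
                excluded.setdefault(resource_kind(arn), []).append(arn)
            elif key.lower() == EXCLUDE_KEY.lower():
                # Different case or value: may not take effect as the owner intended.
                review.append((arn, f"{key}:{value}"))
    return excluded, review


if __name__ == "__main__":
    excluded, review = audit_exclusions(SAMPLE)
    for kind, arns in sorted(excluded.items()):
        print(f"excluded {kind}: {', '.join(arns)}")
    for arn, tag in review:
        print(f"review   {arn} carries {tag}")
```

Running the audit on a schedule and comparing its output between runs shows when a resource newly drops out of scan coverage.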
Datadog recommends updating the CloudFormation stack regularly, so you can get access to new features and bug fixes as they get released. To do so, follow these steps:
- Log in to your AWS console and go to the CloudFormation Stacks page.
- Select the DatadogIntegration-DatadogAgentlessScanning-… CloudFormation sub-stack, click Update, then click Update nested stack.
- Click Replace existing template.
- In the following S3 URL, replace <VERSION> with the version found in aws_quickstart/version.txt, then paste that URL into the Amazon S3 URL field: https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/<VERSION>/datadog_agentless_scanning.yaml
- Click Next to advance through the next several pages without modifying them, then submit the form.
Disable Agentless Scanning
- On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
- To disable Agentless Scanning for an account, click the Edit button and toggle the Agentless Scanning section to the off position.
- Click Done.
Uninstall Agentless Scanning
To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning.