Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without requiring you to install the Datadog Agent. To learn more about Agentless Scanning’s capabilities and how it works, see the Agentless Scanning docs.

Prerequisites

Before setting up Agentless Scanning, ensure the following prerequisites are met:

  • Remote Configuration: Remote Configuration is required to enable Datadog to send information to Agentless scanners, such as which cloud resources to scan.

  • Cloud permissions: The Agentless Scanning instance requires specific permissions to scan hosts, host images, container registries, and functions. These permissions are automatically applied as part of the installation process.

    AWS:
    • ec2:DescribeVolumes
    • ec2:CreateTags
    • ec2:CreateSnapshot
    • ec2:DeleteSnapshot
    • ec2:DescribeSnapshots
    • ec2:DescribeSnapshotAttribute
    • ebs:ListSnapshotBlocks
    • ebs:ListChangedBlocks
    • ebs:GetSnapshotBlock
    • ecr:GetAuthorizationToken
    • ecr:GetDownloadUrlForLayer
    • ecr:BatchGetImage
    • lambda:GetFunction

    Azure:
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/beginGetAccess/action
    • Microsoft.Compute/disks/endGetAccess/action
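As an added example (not part of the Datadog documentation or its installer), the following Python audits an IAM policy document against the AWS permissions listed above and reports actions that are missing and grants that exceed the list. The policy document is a constructed sample standing in for one retrieved from IAM.

```python
"""Audit an IAM policy document against the Agentless Scanning permission list.

Added example, not Datadog's code. REQUIRED_AWS_ACTIONS is the list from the
documentation; SAMPLE_POLICY is a constructed stand-in for a real policy.
Only Allow statements are read; Deny statements and Conditions are ignored.
"""
import fnmatch
import json

# AWS permissions the documentation lists for the Agentless Scanning instance.
REQUIRED_AWS_ACTIONS = {
    "ec2:DescribeVolumes", "ec2:CreateTags", "ec2:CreateSnapshot",
    "ec2:DeleteSnapshot", "ec2:DescribeSnapshots", "ec2:DescribeSnapshotAttribute",
    "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock",
    "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "lambda:GetFunction",
}


def allowed_actions(policy: dict) -> list[str]:
    """Flatten the Action field of every Allow statement (string or list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    actions: list[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def audit_policy(policy: dict, required: set[str] = REQUIRED_AWS_ACTIONS) -> dict:
    """Return required actions not granted, and grants beyond the required set.

    IAM action names are case-insensitive globs, so "ec2:Describe*" covers
    "ec2:DescribeVolumes". Any wildcard grant is reported as excessive, as is
    any literal action that is not in the required list.
    """
    granted = allowed_actions(policy)
    required_lower = {r.lower() for r in required}
    covered = {r for r in required
               if any(fnmatch.fnmatchcase(r.lower(), g.lower()) for g in granted)}
    excessive = sorted(g for g in granted
                       if "*" in g or g.lower() not in required_lower)
    return {"missing": sorted(required - covered), "excessive": excessive}


# Constructed sample: over-grants ec2:* and an unrelated s3 action, and omits
# the three EBS direct APIs needed to read snapshot blocks.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage", "lambda:GetFunction", "s3:GetObject"],
     "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```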

Setup

Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.

To enable Agentless Scanning, use one of the following workflows:

Quick start

Designed for new users, the quick start workflow offers an efficient setup process for Cloud Security Management, enabling immediate monitoring of AWS resources. It uses AWS CloudFormation to automate the configuration, and includes the Cloud Security Management features: Misconfigurations, Identity Risks (CIEM), and Vulnerability Management.

This article provides instructions for the new user quick start workflow that uses AWS CloudFormation to set up Agentless Scanning. For existing users who want to add a new AWS account or enable Agentless Scanning on an existing integrated AWS account, see the instructions for Terraform or AWS CloudFormation.
Installation
  1. On the Intro to Cloud Security Management page, click Get Started with Cloud Security Management.
  2. Click Quick Start. The Features page is displayed, showing the features included with Agentless Scanning Quick Start.
  3. Click Start Using Cloud Security Management to continue.
  4. Select the AWS region where you want to create the CloudFormation stack.
  5. Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection.
  6. Send AWS Logs to Datadog and Detect security issues are automatically selected by default. Leave the selections as-is.
  7. The Enable Vulnerability Management (Host, Container and Lambda) switch is also enabled by default. Leave this selection as-is.
  8. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.
Exclude resources from scans

To exclude hosts, containers, and functions from scans, apply the tag DatadogAgentlessScanner:false to each resource. For detailed instructions, refer to the Resource Filters documentation.

Update the CloudFormation stack

Datadog recommends updating the CloudFormation stack regularly, so you can get access to new features and bug fixes as they get released. To do so, follow these steps:

  1. Log in to your AWS console and go to the CloudFormation Stacks page.
  2. Select the DatadogIntegration-DatadogAgentlessScanning-… CloudFormation sub-stack, click Update, then click Update nested stack.
  3. Click Replace existing template.
  4. In the following S3 URL: https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/<VERSION>/datadog_agentless_scanning.yaml, replace <VERSION> with the version found in aws_quickstart/version.txt. Paste that URL into the Amazon S3 URL field.
  5. Click Next to advance through the next several pages without modifying them, then submit the form.

Disable Agentless Scanning

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. To disable Agentless Scanning for an account, click the Edit button and toggle the Agentless Scanning section to the off position.
  3. Click Done.
Uninstall Agentless Scanning

To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning.


Terraform

The Terraform Datadog Agentless Scanner module provides a simple and reusable configuration for installing the Datadog Agentless scanner.

If you’ve already set up Cloud Security Management and want to add a new cloud account or enable Agentless Scanning on an existing integrated cloud account, you can use either Terraform, AWS CloudFormation, or Azure Resource Manager. This article provides detailed instructions for the Terraform approach.

If you're setting up Cloud Security Management for the first time, you can follow the quick start workflow, which uses AWS CloudFormation to enable Agentless Scanning.

New AWS account

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Under Choose a method for adding your AWS account, select Manually.
  4. Follow the instructions for installing the Datadog Agentless Scanner module.
  5. Select the I confirm that the Datadog IAM Role has been added to the AWS Account checkbox.
  6. Enter the AWS Account ID and AWS Role Name.
  7. Click Save.

Existing AWS account

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. Click the Edit scanning button for the AWS account where you want to deploy the Agentless scanner.
  3. Enable Resource Scanning should already be toggled on. If it isn’t, toggle Enable Resource Scanning to the on position.
  4. In the How would you like to set up Agentless Scanning? section, select Terraform.
  5. Follow the instructions for installing the Datadog Agentless Scanner module.
  6. In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
  7. Click Done.

Azure subscription

  1. On the Cloud Security Management Setup page, click Cloud Integrations > Azure.
  2. Expand the Tenant containing the subscription where you want to deploy the Agentless scanner.
  3. Click the Enable button for the Azure subscription where you want to deploy the Agentless scanner.
  4. Toggle Vulnerability Scanning to the on position.
  5. In the How would you like to set up Agentless Scanning? section, select Terraform.
  6. Follow the instructions for installing the Datadog Agentless Scanner module.
  7. Click Done.
Disable Agentless Scanning

  1. On the Cloud Security Management Setup page, click Cloud Integrations, and then expand the AWS or Azure section.
  2. To disable Agentless Scanning for an account, click the Edit button and toggle Vulnerability Scanning to the off position.
  3. Click Done.
Uninstall with Terraform

Follow the instructions for Terraform uninstallation.

Update the Terraform modules version

Update the source reference for the Agentless Scanner modules to the latest release. You can find the latest version on GitHub Releases.

For usage examples, refer to our GitHub repository.


AWS CloudFormation

Use the AWS CloudFormation template to create a CloudFormation stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

If you’ve already set up Cloud Security Management and want to add a new cloud account or enable Agentless Scanning on an existing integrated AWS account, you can use either Terraform or AWS CloudFormation. This article provides detailed instructions for the AWS CloudFormation approach.

If you're setting up Cloud Security Management for the first time, you can follow the quick start workflow, which also uses AWS CloudFormation to enable Agentless Scanning.

Set up AWS CloudFormation

New AWS Account

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Select the AWS region where you want to create the CloudFormation stack.
  4. Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection.
  5. Send AWS Logs to Datadog and Detect security issues are automatically selected by default. Leave the selections as-is.
  6. The Enable Vulnerability Management (Host, Container and Lambda) switch is also enabled by default. Leave this selection as-is.
  7. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

Existing AWS Account

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. Click the Edit button for the AWS account where you want to deploy the Agentless scanner.
  3. Verify that Enable Resource Scanning is toggled on. If it isn’t, switch the Enable Resource Scanning toggle to the on position and complete Steps 3-7 in New AWS Account.
  4. In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
  5. Click Done.

Azure Resource Manager

Use the Azure Resource Manager template to deploy the Agentless Scanner. The template includes the role definitions required to deploy and manage Agentless scanners.

If you’ve already set up Cloud Security Management and want to add a new Azure subscription or enable Agentless Scanning on an existing integrated Azure subscription, you can use either Terraform or Azure Resource Manager. This article provides detailed instructions for the Azure Resource Manager approach.


Set up the Datadog Azure integration

Follow the instructions for setting up the Datadog Azure integration.

Enable Agentless Scanning for your Azure subscriptions

Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

Cloud Security Management Setup page

  1. On the Cloud Security Management Setup page, click Cloud Integrations > Azure.
  2. Locate the tenant ID of your subscription.
  3. (Optional) To enable detection of misconfigurations, toggle Resource Scanning to the on position.
  4. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
  5. Click the Enable button under Vulnerability Scanning.
  6. The Vulnerability Scanning dialog is displayed. Toggle Vulnerability Scanning to the on position.
  7. Under How would you like to set up Agentless Scanning?, select Azure Resource Manager.
  8. Click Launch Azure Resource Manager to be redirected to the Azure portal.

Azure portal

  1. Log in to the Azure portal. The template creation form is displayed.
  2. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
  3. In Subscriptions to scan, select all the subscriptions you want to scan.
  4. Enter your Datadog API Key, select your Datadog Site, and fill out the remainder of the form.
  5. Click on Review + create.
Disable Agentless Scanning

  1. On the Cloud Security Management Setup page, click Cloud Integrations > Azure.
  2. Locate your subscription’s tenant, expand the list of subscriptions, and identify the subscription for which you want to disable Agentless Scanning.
  3. Click the Edit button and toggle Vulnerability Scanning to the off position.
  4. Click Done.
Uninstall with Azure Resource Manager

To uninstall Agentless Scanning, log in to your Azure subscription. If you created a dedicated resource group for the Agentless scanner, delete this resource group along with the following Azure role definitions:

  • Datadog Agentless Scanner Role
  • Datadog Agentless Scanner Delegate Role

If you did not use a dedicated resource group, you must manually delete the scanner resources, which can be identified by the tags Datadog:true and DatadogAgentlessScanner:true.
