- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Agentless Scanning provides visibility into vulnerabilities that exist within your AWS hosts, running containers, Lambda functions, and Amazon Machine Images (AMIs) without requiring you to install the Datadog Agent. Datadog recommends enabling Agentless Scanning as a first step to gain complete visibility into your cloud resources, and then installing the Datadog Agent on your core assets over time for deeper security and observability context.
The following table provides a summary of Agentless scanning technologies in relation to their corresponding components:
Component | Supported technology |
---|---|
Cloud Provider | AWS |
Operating System | Linux |
Host Filesystem | Btrfs, Ext2, Ext3, Ext4, xfs |
Package Manager | Deb (debian, ubuntu) RPM (amazon-linux, fedora, redhat, centos) APK (alpine) |
Encryption | AWSUnencryptedEncrypted - Platform Managed Key (PMK)Note: Encrypted - Customer Managed Key (CMK) is not supported |
Container runtime | Docker, containerdNote: CRI-O is not supported |
Serverless | AWS, AWS Lambda |
Serverless languages | .Net, Python, Java, Ruby, Node.js, Go |
After setting up Agentless scanning for your resources, Datadog schedules automated scans in 12-hour intervals through Remote Configuration. During a scan cycle, Agentless scanners gather Lambda code dependencies and create snapshots of your EC2 instances. With these snapshots, the Agentless scanners scan, generate, and transmit a list of packages to Datadog to check for vulnerabilities, along with Lambda code dependencies. When scans of a snapshot are completed, the snapshot is deleted. No confidential or private personal information is ever transmitted outside of your infrastructure.
The following diagram illustrates how Agentless Scanning works:
Datadog schedules a scan and sends which resources to scan through Remote Configuration.
Note: Scheduled scans ignore hosts that already have the Datadog Agent installed with Cloud Security Management enabled. Datadog schedules a continuous re-scanning of resources every 12 hours to provide up-to-date insights into potential vulnerabilities and weaknesses.
For Lambda functions, the scanners fetch the function’s code.
The scanner creates snapshots of EBS volumes used by EC2 instances. These snapshots serve as the basis for conducting scans. Using the snapshots, or the code, the scanner generates a list of packages.
After the scan is complete, the list of packages and information related to collected hosts (hostnames/EC2 instances) are transmitted to Datadog, with all other data remaining within your infrastructure. Snapshots created during the scan cycle are deleted.
Leveraging the collected package list along with Datadog’s access to the Trivy vulnerabilities database, Datadog finds matching affected vulnerabilities in your resources and code.
Notes:
The Agentless scanner uses the OWASP cycloneDX format to transmit a list of packages to Datadog. No confidential or private personal information is ever transmitted outside of your infrastructure.
Datadog does not send:
Because the scanner instances grant permissions to create and copy EBS snapshots, and describe volumes, Datadog advises restricting access to these instances solely to administrative users.
To further mitigate this risk, Datadog implements the following security measures:
When installed, the Datadog Agent offers real-time, deep visibility into risks and vulnerabilities that exist in your cloud workloads. It is recommended to fully install the Datadog Agent.
As a result, Agentless Scanning excludes resources from its scans that have the Datadog Agent installed and configured for Vulnerability Management. In this way, Cloud Security Management offers complete visibility of your risk landscape without overriding the benefits received from installing the Datadog Agent with Vulnerability Management.
The following diagram illustrates how Agentless scanning works with existing Agent installations:
Scanning support for Amazon S3 buckets and RDS instances is in Preview. To enroll, click Request Access.
Request AccessIf you have Sensitive Data Scanner enabled, you can catalog and classify sensitive data in your Amazon S3 buckets and RDS instances.
Sensitive Data Scanner scans for sensitive data by deploying Agentless scanners in your cloud environments. These scanning instances retrieve a list of all S3 buckets and RDS instances through Remote Configuration, and have set instructions to scan text files—such as CSVs and JSONs—and tables in every datastore over time. Sensitive Data Scanner leverages its entire rules library to find matches. When a match is found, the location of the match is sent to Datadog by the scanning instance. Data stores and their files are only read in your environment—no sensitive data is sent back to Datadog.
Along with displaying sensitive data matches, Sensitive Data Scanner surfaces any security issues detected by Cloud Security Management affecting the sensitive datastores. You can click any issue to continue triage and remediation within Cloud Security Management.
When using Agentless Scanning, there are additional costs for running scanners in your cloud environments. To optimize on costs while being able to reliably scan every 12 hours, Datadog recommends setting up Agentless Scanning with Terraform as the default template, as this also avoids cross-region networking.
To establish estimates on scanner costs, reach out to your Datadog Customer Success Manager.
추가 유용한 문서, 링크 및 기사: