Deploying Agentless Scanning

There are two recommended ways to deploy Agentless scanners in your environment, either using cross-account scanning, or same account scanning.

To establish estimates on scanner costs, reach out to your Datadog Customer Success Manager.

The scanner cost is under $1 per scanned host per year for accounts following the recommended configuration.

    With cross-account scanning, Agentless scanners are deployed across multiple regions in a single cloud account. The deployed Agentless scanners are granted visibility across multiple accounts without needing to perform cross-region scans, which are expensive in practice.

    For larger accounts with 250 or more hosts, this is the most cost-effective option as it avoids cross-region scans, and reduces friction for managing your Agentless scanners. You can either create a dedicated account for your Agentless scanners or choose an existing one. The account where the Agentless scanners are located can also be scanned.

    The following diagram illustrates how Agentless scanning works when deployed in a central cloud account:

    Diagram of Agentless scanning showing the Agentless scanner is deployed in a central Cloud account

    With same account scanning, a single Agentless scanner is deployed per account. Although this can incur more costs, as it requires each Agentless scanner to perform cross-region scans per account, Datadog recommends this option if you do not want to grant cross-account permissions.

    The following diagram illustrates how Agentless scanning works when deployed within each Cloud account:

    Diagram of Agentless scanning showing the Agentless scanner is deployed in each Cloud account

    Agentless Scanning incurs additional costs for running scanners in your cloud environments. To manage costs while ensuring reliable scans every 12 hours, Datadog recommends setting up Agentless Scanning with Terraform as the default template, which also prevents cross-region networking. To improve the scanner’s efficacy, ensure your setup follows those guidelines:

    • Deploy scanners within a single AWS account
    • Deploy a scanner in each region that has more than 250 hosts
    • Deploy a scanner in any region containing a data store if using Cloud Storage Scanning

    Datadog automatically schedules scans to the right region to minimize the cross region costs.

    Note: The actual scanned data remains in your infrastructure, and only the collected list of packages, as well as information related to collected hosts (hostnames/EC2 Instances), are reported back to Datadog.

    Further reading

    Additional helpful documentation, links, and articles:

    Cloud Security Management Agentless ScanningDOCUMENTATION more more Agentless Scanning Quick Start for Cloud Security ManagementDOCUMENTATION more more Setting up Agentless Scanning using TerraformDOCUMENTATION more more Setting up Agentless Scanning with the AWS IntegrationDOCUMENTATION more more