---
title: Setting up Cloud Security
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > Cloud Security > Setting up Cloud Security
---

# Setting up Cloud Security

## Overview{% #overview %}

To get started with Cloud Security, review the following:

- Enable Agentless Scanning
- Deploy the Agent for additional coverage
- Enable additional features
  - Container Image Scanning in CI/CD
  - AWS CloudTrail Logs
  - Deploy using cloud integrations
- Disable Cloud Security
- Further reading

## Enable Agentless Scanning{% #enable-agentless-scanning %}

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com



{% alert level="danger" %}
Agentless Scanning is not available in the selected site ().
{% /alert %}


{% /callout %}

The simplest way to get started with Cloud Security is by [enabling Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/enable). Agentless Scanning provides the broadest coverage across your AWS, Azure, and GCP cloud infrastructure: it scans all hosts, running containers, and other supported workloads without requiring you to install anything on individual resources.

To learn more about Agentless Scanning, see [Cloud Security Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/agentless_scanning).

## Deploy the Agent for deeper context{% #deploy-the-agent-for-deeper-context %}

Agentless Scanning covers your entire cloud infrastructure, but deploying the Datadog Agent on critical hosts adds deeper security context such as runtime vulnerability prioritization, real-time updates, and host benchmarks. The following table outlines the improvements offered by Agent-based deployments. For more information, see [Setting up Cloud Security on the Agent](https://docs.datadoghq.com/security/cloud_security_management/setup/agent).

| Feature                                                                                                                 | Agentless | Agentless + Agent-based deployment | Agent-based deployment         |
| ----------------------------------------------------------------------------------------------------------------------- | --------- | ---------------------------------- | ------------------------------ |
| **[Cloud Security Identity Risks](https://docs.datadoghq.com/security/cloud_security_management/identity_risks)**       | yes       | yes                                |
| **[Cloud Security Misconfigurations](https://docs.datadoghq.com/security/cloud_security_management/misconfigurations)** | yes       | yes                                | yes                            |
| [Host benchmarks](https://docs.datadoghq.com/security/default_rules/?search=host+benchmarks)                            | yes       | yes                                |
| **[Cloud Security Vulnerabilities](https://docs.datadoghq.com/security/cloud_security_management/vulnerabilities)**     | yes       | yes                                | yes                            |
| Vulnerability prioritization                                                                                            | yes       | yesWith runtime context            | yesWith runtime context        |
| Vulnerability update frequency                                                                                          | 12 hours  | Real time                          | Real time                      |
| **[Security Inbox](https://docs.datadoghq.com/security/security_inbox)**                                                | yes       | yesWith more accurate insights     | yesWith more accurate insights |

## Enable additional features{% #enable-additional-features %}

### Container Image Scanning in CI/CD{% #container-image-scanning-in-cicd %}

Scan container images for vulnerabilities during your CI/CD pipelines, before deploying images to production. The Datadog Security CLI runs directly in your CI jobs, giving you control over when and how scans are executed. For more information, see [Container Image Scanning in CI/CD](https://docs.datadoghq.com/security/cloud_security_management/setup/ci_cd).

### AWS CloudTrail Logs{% #aws-cloudtrail-logs %}

Maximize the benefits of [Cloud Security Identity Risks](https://docs.datadoghq.com/security/cloud_security_management/identity_risks) with AWS CloudTrail Logs. Gain deeper insights into cloud resource usage, identifying users and roles with significant gaps between provisioned and utilized permissions. For more information, check out [Setting up AWS CloudTrail Logs for Cloud Security](https://docs.datadoghq.com/security/cloud_security_management/setup/cloudtrail_logs).

### Deploy using cloud integrations{% #deploy-using-cloud-integrations %}

Monitor your compliance security coverage and secure your cloud infrastructure against IAM-based attacks by enabling resource scanning for AWS, Azure, GCP, and OCI resources. For more information, see [Deploying Cloud Security using Cloud Integrations](https://docs.datadoghq.com/security/cloud_security_management/setup/cloud_accounts).

## Disable Cloud Security{% #disable-cloud-security %}

For information on disabling Cloud Security, see the following:

- [Disable Cloud Security Vulnerabilities](https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/vulnerabilities/#disable-cloud-security-vulnerabilities)

## Further reading{% #further-reading %}

- [Supported Deployment Types](https://docs.datadoghq.com/security/cloud_security_management/setup/supported_deployment_types)
- [AWS Fargate Configuration Guide for Datadog Security](https://docs.datadoghq.com/security/guide/aws_fargate_config_guide)
- [Cloud Security Agent Variables](https://docs.datadoghq.com/security/cloud_security_management/guide/agent_variables/)