Enabling Agentless Scanning

Agentless Scanning for Cloud Security Management is not supported for your selected Datadog site ().

Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without requiring you to install the Datadog Agent. To learn more about Agentless Scanning’s capabilities and how it works, see the Agentless Scanning docs.

Prerequisites

Before setting up Agentless Scanning, ensure the following prerequisites are met:

  • Remote Configuration: Remote Configuration is required to enable Datadog to send information to Agentless scanners, such as which cloud resources to scan.

  • Cloud permissions: The Agentless Scanning instance requires specific permissions to scan hosts, containers, and functions. These permissions are automatically applied as part of the installation process.

    • ec2:DescribeVolumes
    • ec2:CreateTags
    • ec2:CreateSnapshot
    • ec2:DeleteSnapshot
    • ec2:DescribeSnapshots
    • ec2:DescribeSnapshotAttribute
    • ebs:ListSnapshotBlocks
    • ebs:ListChangedBlocks
    • ebs:GetSnapshotBlock

    • lambda:GetFunction
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/beginGetAccess/action
    • Microsoft.Compute/disks/endGetAccess/action

Setup

Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.

To enable Agentless Scanning, use one of the following workflows:

Quick start

Designed for new users, the quick start workflow offers an efficient setup process for Cloud Security Management, enabling immediate monitoring of AWS resources. It uses AWS CloudFormation to automate the configuration.

Terraform

The Terraform Datadog Agentless Scanner module provides a simple and reusable configuration for installing the Datadog Agentless scanner. For more information, see Setting up Agentless Scanning using Terraform.

AWS CloudFormation

Use the AWS CloudFormation template to create a CloudFormation stack. The template includes the IAM permissions required to deploy and manage Agentless scanners. For more information, see Setting up Agentless Scanning using AWS CloudFormation.

Azure Resource Manager

Use the Azure Resource Manager template to deploy the Agentless Scanner. The template includes the role definitions required to deploy and manage Agentless scanners. For more information, see Setting up Agentless Scanning using Azure Resource Manager.

Further Reading

Additional helpful documentation, links, and articles:

Setting up Cloud Security ManagementDOCUMENTATION more more Cloud Security Management Agentless ScanningDOCUMENTATION more more