Agentless Scanning for Cloud Security Management is in public beta for AWS cloud environments.

Agentless Scanning provides visibility into vulnerabilities that exist within your AWS hosts, running containers, Lambda functions, and Amazon Machine Images (AMIs), without requiring you to install the Datadog Agent.

Prerequisites

To deploy Agentless scanning in your AWS environment, in addition to having Cloud Security Management enabled, you must enable Remote Configuration.

Enable Remote Configuration

Remote Configuration (enabled by default as of April 8th, 2024) is required to allow Datadog to send information to Agentless scanners, such as which cloud resources should be scanned. If Remote Configuration has not been enabled for your organization, navigate to your Organization Settings in Datadog and follow steps 1-4 in the Remote Configuration docs.

Note: CSM-enabled AWS accounts that have scanners deployed require API keys with Remote Configuration enabled.

Permissions

Note: The following permissions are required for Agentless scanning and are applied automatically as part of the installation process.

IAM permissions (host and container permissions)

The Agentless Scanning instance requires the following IAM permissions to scan for hosts and containers:

ec2:DescribeVolumes
ec2:CreateTags
ec2:CreateSnapshot
ec2:DeleteSnapshot
ec2:DescribeSnapshots
ec2:DescribeSnapshotAttribute
ebs:ListSnapshotBlocks
ebs:ListChangedBlocks
ebs:GetSnapshotBlock

Lambda permissions

The Agentless Scanning instance requires the following IAM permissions to scan for Lambdas:

lambda:GetFunction
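The two action lists above are the whole permission footprint a scanner needs, so they are also the baseline to audit a hand-written or drifted policy against. The following is an added example, not Datadog's code or the policy its template creates: it checks an IAM policy document for the documented actions, reports which are missing, and flags wildcard patterns (such as `ec2:*`) that grant more than the list. Both sample policies are constructed for illustration, and Deny statements are not evaluated.

```python
"""Audit an IAM policy document against the Agentless Scanning action list.

Added example (not Datadog's code or template): it checks that a policy grants
every action the docs list for host/container and Lambda scanning, and flags
Allow statements whose wildcard patterns reach beyond that list. Both sample
policies below are constructed for illustration; Deny statements are ignored.
"""
import fnmatch
import json

# Actions listed in the docs for host/container scanning and for Lambda scanning.
REQUIRED_HOST_ACTIONS = {
    "ec2:DescribeVolumes", "ec2:CreateTags", "ec2:CreateSnapshot",
    "ec2:DeleteSnapshot", "ec2:DescribeSnapshots", "ec2:DescribeSnapshotAttribute",
    "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock",
}
REQUIRED_LAMBDA_ACTIONS = {"lambda:GetFunction"}
REQUIRED_ACTIONS = REQUIRED_HOST_ACTIONS | REQUIRED_LAMBDA_ACTIONS

# Constructed sample: exactly the documented actions, nothing more.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED_HOST_ACTIONS), "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:GetFunction", "Resource": "*"},
    ],
}

# Constructed sample of a policy an operator might hand-write: a broad EC2
# wildcard, with the EBS direct-API and Lambda actions forgotten entirely.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allow_patterns(policy):
    """Action patterns from every Allow statement that uses Action (not NotAction)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "NotAction" not in stmt:
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def audit_policy(policy, required=frozenset(REQUIRED_ACTIONS)):
    """Report required actions the policy does not grant, wildcard patterns that
    are candidates for tightening, and Allow statements written with NotAction
    (which this audit does not expand and which deserve a manual look)."""
    patterns = allow_patterns(policy)
    # IAM matches action names case-insensitively; '*' and '?' are its only wildcards.
    lowered = [p.lower() for p in patterns]
    missing = sorted(
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in lowered)
    )
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    not_action = sum(
        1 for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow" and "NotAction" in s
    )
    return {"missing": missing, "wildcards": wildcards, "not_action_allows": not_action}


if __name__ == "__main__":
    for name, pol in (("least-privilege", LEAST_PRIVILEGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, json.dumps(audit_policy(pol), indent=2))
```

Run it against a policy exported with `aws iam get-policy-version` (the `Document` field) to confirm the scanner role has what it needs and nothing wider; an empty `missing` list with an empty `wildcards` list is the state to aim for.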

Deployment methods

There are two recommended ways to deploy Agentless scanners in your environment: cross-account scanning or same-account scanning.

Note: When using Agentless Scanning, there are additional costs for running scanners in your cloud environments. To optimize costs while still reliably scanning every 12 hours, Datadog recommends setting up Agentless Scanning with Terraform as the default template, as this also avoids cross-region networking.

To establish estimates on scanner costs, reach out to your Datadog Customer Success Manager.

With cross-account scanning, Agentless scanners are deployed across multiple regions in a single cloud account. The deployed Agentless scanners are granted visibility across multiple accounts without needing to perform cross-region scans, which are expensive in practice.

For larger accounts with 250 or more hosts, this is the most cost-effective option as it avoids cross-region scans, and reduces friction for managing your Agentless scanners. You can either create a dedicated account for your Agentless scanners or choose an existing one. The account where the Agentless scanners are located can also be scanned.

The following diagram illustrates how Agentless scanning works when deployed in a central cloud account:

Diagram of Agentless scanning showing the Agentless scanner is deployed in a central Cloud account

With same account scanning, a single Agentless scanner is deployed per account. Although this can incur more costs, as it requires each Agentless scanner to perform cross-region scans per account, Datadog recommends this option if you do not want to grant cross-account permissions.

The following diagram illustrates how Agentless scanning works when deployed within each Cloud account:

Diagram of Agentless scanning showing the Agentless scanner is deployed in each Cloud account

Note: The actual data that is scanned remains within your infrastructure; only the collected list of packages, along with information about the scanned hosts (hostnames/EC2 instances), is reported back to Datadog.

Installation

There are two ways to install and configure Agentless scanning for your cloud environments: manually using Terraform, or with the CloudFormation template through the AWS integration.

Terraform

  For a new AWS account:

  1. Follow the setup instructions for adding AWS cloud accounts to Cloud Security Management.
  2. On the Cloud Security Management Setup page, click Cloud accounts > AWS.
  3. Click the Edit scanning button for the AWS account where you intend to deploy the Agentless scanner.
  4. The Enable Resource Scanning toggle should already be on. In the Agentless Scanning section, enable scanning for the cloud resources you want to monitor.
  5. Follow the instructions for Terraform setup.
  6. Make sure the template runs successfully, then click Done to begin scanning.

  Setup page for Agentless scanning showing toggle options for Resource Scanning

  For an existing AWS account:

  1. On the Cloud Security Management Setup page, click Cloud accounts > AWS.
  2. Click the Edit scanning button for the AWS account where you intend to deploy the Agentless scanner.
  3. The Enable Resource Scanning toggle should already be on. In the Agentless Scanning section, enable scanning for the cloud resources you want to monitor.
  4. Follow the instructions for Terraform setup.
  5. Make sure the template runs successfully, then click Done to begin scanning.

  Setup page for Agentless scanning showing toggle options for Resource Scanning

AWS integration

  For a new AWS account:

  1. Set up the Amazon Web Services integration. You must also add the required permissions for resource collection.

     When you add a new AWS account, the following screen appears:

     Setup page for Agentless scanning for adding a new AWS account with adding a single AWS account selected

  2. Click Yes under Enable Cloud Security Management, and in the Agentless Scanning section enable scanning for the cloud resources you want to monitor.
  3. Select an API key that is already configured for Remote Configuration. If you select an API key that does not have Remote Configuration enabled, it is activated automatically on selection.
  4. Click Launch CloudFormation Template. The template includes all the permissions needed to deploy and manage Agentless scanners. The template must run successfully for scans to be received.

  For an existing AWS account:

  1. On the Cloud Security Management Setup page, click Cloud accounts > AWS.
  2. Click the Edit scanning button for the AWS account where you intend to deploy the Agentless scanner.
  3. The Enable Resource Scanning toggle should already be on. In the Agentless Scanning section, enable scanning for the cloud resources you want to monitor.
  4. Go to your AWS console, create a new CloudFormation stack using this template, and then run it.
  5. Make sure the template runs successfully, then click Done to begin scanning.

  Setup page for Agentless scanning showing toggle options for Resource Scanning

Resource exclusion

To exclude AWS hosts, containers, or Lambda functions from scans, set the tag DatadogAgentlessScanner:false on those resources. To add this tag to your resources, follow the AWS documentation.
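Because the exclusion is tag-driven, it is worth checking what the tag actually covers before relying on it to keep a sensitive host out of snapshotting. The following is an added example, not Datadog's code: it applies the DatadogAgentlessScanner:false rule to a small inventory whose records mimic the two tag shapes AWS returns (EC2 DescribeInstances gives a list of Key/Value pairs, Lambda ListTags gives a plain dict). The inventory is constructed inline so the script runs offline, and it treats only the exact value `false` as an exclusion, which is an assumption taken as the conservative reading of the text above.

```python
"""Apply the DatadogAgentlessScanner:false exclusion rule to a resource inventory.

Added example, not Datadog's code. The records mimic the tag shapes AWS returns
(EC2 DescribeInstances: a list of {"Key", "Value"} pairs; Lambda ListTags: a
plain dict) and are constructed inline, so this runs offline. Assumption: only
the exact value "false" excludes a resource; any other value, or a missing tag,
leaves it in the scan set.
"""

EXCLUSION_TAG = "DatadogAgentlessScanner"

# Constructed inventory: three EC2 instances and two Lambda functions.
INVENTORY = [
    {"type": "ec2", "id": "i-0aaa111", "tags": [{"Key": "Name", "Value": "web-1"}]},
    {"type": "ec2", "id": "i-0bbb222",
     "tags": [{"Key": EXCLUSION_TAG, "Value": "false"}]},
    {"type": "ec2", "id": "i-0ccc333",
     "tags": [{"Key": EXCLUSION_TAG, "Value": "true"}]},   # not "false": still scanned
    {"type": "lambda", "id": "orders-api", "tags": {EXCLUSION_TAG: "false"}},
    {"type": "lambda", "id": "nightly-report", "tags": {}},
]


def normalize_tags(tags):
    """Return tags as a {key: value} dict regardless of which AWS API produced them."""
    if isinstance(tags, dict):
        return dict(tags)
    return {t["Key"]: t["Value"] for t in (tags or [])}


def is_excluded(tags):
    """True only when the exclusion tag is present with the exact value 'false'.
    AWS tag keys are case-sensitive, so a differently cased key does not match."""
    return normalize_tags(tags).get(EXCLUSION_TAG) == "false"


def partition_inventory(inventory):
    """Split resources into those the scanner would cover and those excluded by tag."""
    scanned, excluded = [], []
    for res in inventory:
        (excluded if is_excluded(res["tags"]) else scanned).append(res["id"])
    return {"scanned": scanned, "excluded": excluded}


def exclusion_summary(inventory):
    """Per resource type, count excluded versus scanned resources."""
    summary = {}
    for res in inventory:
        bucket = summary.setdefault(res["type"], {"scanned": 0, "excluded": 0})
        bucket["excluded" if is_excluded(res["tags"]) else "scanned"] += 1
    return summary


if __name__ == "__main__":
    print(partition_inventory(INVENTORY))
    print(exclusion_summary(INVENTORY))
```

To use it against a real account, replace INVENTORY with the `Tags` lists from `describe-instances` and the dicts from `lambda list-tags`; the functions do not care which source a record came from.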

Disabling Agentless Scanning

To disable Agentless Scanning in an AWS account, disable scanning for each cloud resource:

  1. On the Cloud Security Management Setup page, click Cloud accounts > AWS.
  2. Click the Edit scanning button for the AWS account where you deployed the Agentless scanner.
  3. In the Agentless Scanning section, disable scanning for the cloud resources you want to stop monitoring.
  4. Click Done.

Uninstalling with CloudFormation

Go to your AWS console, and remove the CloudFormation stack that was created for Agentless Scanning.

Uninstalling with Terraform

Follow the instructions for Terraform uninstallation.