---
title: Cloud Security Agentless Scanning
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Cloud Security > Setting up Cloud Security > Cloud
  Security Agentless Scanning
---

# Cloud Security Agentless Scanning

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Agentless Scanning provides visibility into vulnerabilities that exist within your AWS, Azure, and GCP cloud infrastructure, without requiring you to install the Datadog Agent. Datadog recommends enabling Agentless Scanning as a first step to gain complete visibility into your cloud resources, and then installing the Datadog Agent on your core assets over time for deeper security and observability context.

{% alert level="info" %}
Agentless Scanning excludes resources that have the Datadog Agent installed.
{% /alert %}

## How it works{% #how-it-works %}

The following diagram illustrates how Agentless Scanning works:

{% image
   source="https://docs.dd-static.net/images/security/agentless_scanning/how_agentless_works.a42b95a0bfbd5a17886fb94d91545964.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/security/agentless_scanning/how_agentless_works.a42b95a0bfbd5a17886fb94d91545964.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Diagram showing how Agentless Scanning works" /%}

1. Datadog schedules automated scans in 12-hour intervals and sends the resources to scan through [Remote Configuration](https://docs.datadoghq.com/remote_configuration.md).
   - If you have [Cloud Security Evaluation Filters](https://docs.datadoghq.com/security/cloud_security_management/guide/resource_evaluation_filters.md) configured, Agentless Scanning respects these filters and only scans resources that match the configured criteria.
1. For serverless functions (such as AWS Lambda), the scanners fetch the function's code.
1. The scanner creates snapshots of volumes used in running VM instances. Using the snapshots or the function code, the scanner generates an SBOM (a list of packages and dependencies).
1. The SBOM and host metadata are transmitted to Datadog. All other data—including snapshots, disk contents, and container images—remains in your infrastructure. Snapshots are deleted.
1. Datadog uses the SBOM to identify known vulnerabilities in your resources.

This architecture provides:

- **Data privacy**: Your disk contents, container images, and sensitive data stay within your cloud account. Only package metadata (the SBOM) is transmitted to Datadog.
- **Data residency**: No data crosses an account boundary into Datadog's infrastructure, simplifying compliance with data sovereignty requirements.
- **Compliance**: Auditors can verify that scanning data remains within your perimeter.

For more information on data privacy, see [What data is sent to Datadog](#what-data-is-sent-to-datadog).

{% alert level="info" %}

- The scanner operates as a separate virtual machine within your infrastructure, ensuring minimal impact on existing systems and resources.
- For AWS, scanner instances automatically scale based on workload. When there are no resources to scan, scanners scale to zero to minimize cloud provider costs.
- The scanner securely collects a list of packages from your hosts without transmitting any confidential or private personal information outside your infrastructure.
- The scanner limits its use of the cloud provider API to prevent reaching any rate limit, and uses exponential backoff if needed.
- Scanner instances are automatically rotated every 24 hours, ensuring they run the latest images.

{% /alert %}

## What data is sent to Datadog{% #what-data-is-sent-to-datadog %}

Rather than copying disk snapshots outside of your environment for analysis, to keep your data private, Datadog deploys lightweight scanning infrastructure **inside your cloud account**. Agentless Scanning creates snapshots of your resources and analyzes them locally, deleting the snapshots after the analyses are complete. It only sends to Datadog the resulting software bill of materials (SBOM), which contains a list of packages and dependencies. Your raw data, disk contents, and container images never leave your environment.

The Agentless scanner uses the OWASP [CycloneDX](https://cyclonedx.org/) format to transmit the list of packages to Datadog. No confidential or private personal information is ever transmitted outside of your infrastructure.

Datadog does **not** send:

- System and package configurations
- Encryption keys and certificates
- Logs and Audit Trails
- Sensitive business data
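The steps under "How it works" and the list above describe the one artifact that leaves your account: a CycloneDX package list, which Datadog then matches against known vulnerabilities. The following Python example, added here and not part of the Datadog documentation or its scanner, shows what an auditor can do with that contract: parse a CycloneDX JSON document, verify that every component carries only package-identity fields (so nothing like a configuration file or key material rides along), and then match the components against an advisory list by package URL (purl). The SBOM documents, the allowed-field set, and the advisory entries are all constructed for this example; the advisory IDs are placeholders, not real CVEs.

```python
import json

# Constructed CycloneDX 1.5 document, shaped like the package list the page
# says is transmitted: one component per installed package, nothing else.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "curl", "version": "7.81.0",
         "purl": "pkg:deb/ubuntu/curl@7.81.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed document with a field that should never be in a package-only
# BOM (a config file body attached to a component).
LEAKY_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "nginx", "version": "1.18.0",
         "purl": "pkg:deb/ubuntu/nginx@1.18.0",
         "configFile": "server { listen 80; }"},
    ],
})

# Assumed allowlist for this example: the fields that identify a package.
ALLOWED_COMPONENT_FIELDS = {"type", "name", "version", "purl", "bom-ref"}


def audit_sbom(sbom_text):
    """Return a list of problems; an empty list means the BOM carries only
    package identity fields."""
    bom = json.loads(sbom_text)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX document")
    for comp in bom.get("components", []):
        extra = set(comp) - ALLOWED_COMPONENT_FIELDS
        if extra:
            problems.append(f"{comp.get('name')}: unexpected fields {sorted(extra)}")
        if not comp.get("purl", "").startswith("pkg:"):
            problems.append(f"{comp.get('name')}: missing or malformed purl")
    return problems


def parse_version(version):
    """Numeric dot-separated compare; enough for the constructed data."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed advisory list (placeholder IDs, not real CVEs), keyed by the
# purl without its version, with the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:deb/ubuntu/openssl", "fixed_in": "3.0.7"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:pypi/requests", "fixed_in": "2.20.0"},
]


def find_vulnerabilities(sbom_text, advisories=ADVISORIES):
    """Match components to advisories by purl base and version.
    Returns (name, version, advisory id) tuples for affected packages."""
    bom = json.loads(sbom_text)
    findings = []
    for comp in bom.get("components", []):
        purl_base = comp.get("purl", "").split("@", 1)[0]
        for adv in advisories:
            if purl_base == adv["purl_base"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


if __name__ == "__main__":
    print("audit problems:", audit_sbom(SBOM_JSON))
    print("leaky audit problems:", audit_sbom(LEAKY_SBOM_JSON))
    print("findings:", find_vulnerabilities(SBOM_JSON))
```

The audit is deliberately strict: it rejects any field it does not recognise rather than searching for known-bad patterns, which is the right default when the goal is to prove that only package metadata crosses the account boundary. The version comparison is simplified and would need a proper ecosystem-aware comparator for real Debian or PyPI version strings.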

## Cloud service provider cost{% #cloud-service-provider-cost %}

Because Agentless Scanning runs inside your cloud account, the compute and networking costs appear on your cloud provider bill. While vendors that scan in their own infrastructure bundle compute costs into their SaaS fees, keeping data in your environment means that you see the infrastructure cost directly.

To reduce costs:

- Deploy a scanner in each region where you have more than 150 hosts. A regional scanner avoids cross-region data transfer, which is more cost-effective than scanning those hosts from a remote region.
- Use the [recommended configuration](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods.md#recommended-configuration) with Terraform to deploy one scanner per region.
- For large multi-region deployments, see [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods.md) for guidance on choosing a deployment topology.

## Restrict scanner access{% #restrict-scanner-access %}

Scanner instances require [permissions](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/enable.md#prerequisites) to create and copy snapshots and describe volumes. Datadog recommends the following guidelines to keep your scanners secure:

- Restrict access to scanner instances to administrative users.
- Set scanner permissions to follow the principle of least privilege, limited to the minimum required for scanning.
- Encrypt all data transmission between the scanner and Datadog with HTTPS.
- Enable unattended security updates, and rotate instances automatically every 24 hours.
- Don't allow inbound access to scanner instances (security group restricted).
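Two of the guidelines above are mechanically checkable: the scanner's IAM policy should grant only the snapshot and volume actions it needs, and its security group should carry no inbound rules. The following Python example, added here and not part of the Datadog documentation or its deployment templates, evaluates a policy document and a security group description in the shape the AWS APIs return them against those two rules. The action allowlist is an assumption made for this example (real AWS action names, chosen to match the page's description of creating and copying snapshots and describing volumes); the exact set Datadog requires is in the linked prerequisites, not here. The policy and security group inputs are constructed.

```python
# Assumed baseline for this example: real EC2 action names covering the
# snapshot/volume work the page describes. Not Datadog's authoritative list.
SCANNER_ACTION_ALLOWLIST = {
    "ec2:CreateSnapshot", "ec2:CopySnapshot", "ec2:DeleteSnapshot",
    "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeInstances",
}


def check_policy(policy):
    """Return findings for Allow statements that exceed the allowlist
    (wildcards or actions outside it)."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM accepts a bare string too
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action}")
            elif action not in SCANNER_ACTION_ALLOWLIST:
                findings.append(f"statement {index}: action outside allowlist {action}")
    return findings


def check_security_group(sg):
    """Flag every inbound rule; the scanner only needs outbound access."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
        findings.append(f"inbound {rule.get('IpProtocol')} from {sources or ['unspecified']}")
    return findings


# Constructed inputs in the shape of iam:GetPolicyVersion and
# ec2:DescribeSecurityGroups output.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeVolumes", "ec2:CreateSnapshot", "ec2:*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:RunInstances"},
    ],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": sorted(SCANNER_ACTION_ALLOWLIST)}],
}
OPEN_SG = {
    "GroupId": "sg-example-open",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}
LOCKED_SG = {"GroupId": "sg-example-locked", "IpPermissions": []}


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("least", LEAST_PRIVILEGE_POLICY)):
        print(name, "policy:", check_policy(policy) or "ok")
    for name, sg in (("open", OPEN_SG), ("locked", LOCKED_SG)):
        print(name, "security group:", check_security_group(sg) or "ok")
```

Note that `Resource: "*"` is left unchecked here; a fuller review would also expect snapshot and volume ARNs, or condition keys, to scope those actions to the account and region the scanner serves.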

## Cloud Storage scanning{% #cloud-storage-scanning %}

You can enable [Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner.md) for your Agentless Scanning resources during deployment or after setup. Sensitive Data Scanner catalogs and classifies sensitive data in your cloud storage (such as Amazon S3 buckets). It only reads data stores and their files in your environment, without sending any sensitive data to Datadog.

## On-demand scanning{% #on-demand-scanning %}

By default, Agentless Scanning automatically scans your resources every 12 hours. For AWS, you can also trigger an immediate scan of a specific resource (host, container, Lambda function, or S3 bucket) using the On-Demand Scanning API. For more information, see the [On-Demand Scanning API](https://docs.datadoghq.com/api/latest/agentless-scanning.md#create-aws-on-demand-task) documentation.

## Further reading{% #further-reading %}

- [Read more about Cloud Security Vulnerabilities](https://docs.datadoghq.com/security/vulnerabilities.md)
- [Set up Sensitive Data Scanner for Cloud Storage](https://docs.datadoghq.com/security/sensitive_data_scanner/setup/cloud_storage.md)
- [Updating Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/update.md)
- [Troubleshooting Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/agentless_scanning.md)
