Agentless Scanning for Cloud Security Management is not supported for your selected Datadog site ().

Prerequisites

Before setting up Agentless Scanning, ensure the following prerequisites are met:

  • AWS integration: The AWS integration must be installed and configured for your AWS accounts.

  • Remote Configuration: Remote Configuration is required to enable Datadog to send information to Agentless scanners, such as which cloud resources to scan.

  • IAM permissions: The Agentless Scanning instance requires specific IAM permissions to scan hosts, containers, and Lambda functions. These permissions are automatically applied as part of the installation process.

    • ec2:DescribeVolumes
    • ec2:CreateTags
    • ec2:CreateSnapshot
    • ec2:DeleteSnapshot
    • ec2:DescribeSnapshots
    • ec2:DescribeSnapshotAttribute
    • ebs:ListSnapshotBlocks
    • ebs:ListChangedBlocks
    • ebs:GetSnapshotBlock

    • lambda:GetFunction

Setup

Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.

To enable Agentless Scanning, use one of the following workflows:

Quick start

Designed for new users, the quick start workflow offers an efficient setup process for Cloud Security Management, enabling immediate monitoring of AWS resources. It uses AWS CloudFormation to automate the configuration.

Terraform

The Terraform Datadog Agentless Scanner module provides a simple and reusable configuration for installing the Datadog Agentless scanner. For more information, see Setting up Agentless Scanning using Terraform.

AWS CloudFormation

Use the AWS CloudFormation template to create a CloudFormation stack. The template includes the IAM permissions required to deploy and manage Agentless scanners. For more information, see Setting up Agentless Scanning using AWS CloudFormation.

Further Reading