Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without installing the Datadog Agent. Agentless Scanning runs entirely within your infrastructure, sending minimal data to Datadog, and leaving your sensitive data in your environment. Because the scanner runs in your cloud account, standard cloud provider costs apply. To learn more, see the Agentless Scanning overview.

Setup takes approximately 30 minutes per cloud account:

  1. Verify prerequisites below.
  2. Choose your cloud provider and deployment method.
  3. Launch a template in your cloud account.
  4. Verify scan results in Datadog.

Prerequisites

Before setting up Agentless Scanning, verify that the following prerequisites are met:

  • Remote Configuration: Remote Configuration must be enabled on your Datadog organization to send scan instructions to Agentless scanners.

  • API and Application Keys:

    • An API key with Remote Configuration enabled is required for scanners to report scan results to Datadog.
    • An Application key with either Integrations Manage or Org Management permissions is required for you to enable scanning features through the Datadog API.
  • Cloud permissions: The Agentless Scanning instance requires specific permissions to scan hosts, host images, container registries, and functions. Datadog automatically applies these permissions, listed below for transparency, during installation.

    AWS scanning permissions:

    • ebs:GetSnapshotBlock
    • ebs:ListChangedBlocks
    • ebs:ListSnapshotBlocks
    • ec2:CopySnapshot
    • ec2:CreateSnapshot
    • ec2:CreateTags
    • ec2:DeleteSnapshot
    • ec2:DeregisterImage
    • ec2:DescribeSnapshotAttribute
    • ec2:DescribeSnapshots
    • ec2:DescribeVolumes
    • ecr:BatchGetImage
    • ecr:GetAuthorizationToken
    • ecr:GetDownloadUrlForLayer
    • kms:CreateGrant
    • kms:Decrypt
    • kms:DescribeKey
    • lambda:GetFunction
    • lambda:GetLayerVersion

    Only when Sensitive Data Scanning (DSPM) is enabled:

    • kms:GenerateDataKey
    • s3:GetObject
    • s3:ListBucket

    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/beginGetAccess/action
    • Microsoft.Compute/disks/endGetAccess/action
    • Microsoft.ContainerRegistry/registries/pull/read

    GCP scanning permissions:

    • compute.disks.create
    • compute.disks.createSnapshot
    • compute.disks.delete
    • compute.disks.get
    • compute.disks.setLabels
    • compute.disks.use
    • compute.globalOperations.get
    • compute.images.get
    • compute.instances.attachDisk
    • compute.instances.detachDisk
    • compute.snapshots.create
    • compute.snapshots.get
    • compute.snapshots.list
    • compute.snapshots.delete
    • compute.snapshots.setLabels
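
The following is an added example and is not part of the Datadog documentation or of Datadog's CloudFormation and Terraform templates. It is a least-privilege check that compares the Allow actions in an IAM policy document against the AWS action list above, reporting actions that are missing, actions that are granted but not required, and wildcard grants that deserve a closer look. The policy document it analyzes is constructed for illustration (it deliberately omits the Lambda actions, grants `ec2:*`, and adds an unrelated `s3:DeleteObject`); the function names are this example's own.

```python
"""Least-privilege audit of an Agentless scanner IAM policy (added example)."""
from __future__ import annotations

import fnmatch
import json

# AWS actions listed in the prerequisites above.
REQUIRED_ACTIONS = {
    "ebs:GetSnapshotBlock", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks",
    "ec2:CopySnapshot", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteSnapshot",
    "ec2:DeregisterImage", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots",
    "ec2:DescribeVolumes",
    "ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer",
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "lambda:GetFunction", "lambda:GetLayerVersion",
}
# Only required when Sensitive Data Scanning (DSPM) is enabled.
DSPM_ACTIONS = {"kms:GenerateDataKey", "s3:GetObject", "s3:ListBucket"}


def allowed_action_patterns(policy: dict) -> set[str]:
    """Collect every action pattern granted by an Allow statement.

    IAM accepts "Statement" as a single object or a list, and "Action" as a
    string or a list. Deny statements are ignored by this check.
    """
    patterns: set[str] = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(actions)
    return patterns


def audit_scanner_policy(policy: dict, dspm_enabled: bool = False) -> dict:
    """Compare granted actions against the required set.

    Returns sorted lists: required actions not granted ("missing"), literal
    grants outside the required set ("extra"), and wildcard grants that cover
    more than one action ("wildcards").
    """
    required = REQUIRED_ACTIONS | (DSPM_ACTIONS if dspm_enabled else set())
    patterns = allowed_action_patterns(policy)

    def granted(action: str) -> bool:
        # IAM action matching is case-insensitive and supports '*' and '?'.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    wildcards = {p for p in patterns if "*" in p or "?" in p}
    required_lower = {a.lower() for a in required}
    return {
        "missing": sorted(a for a in required if not granted(a)),
        "extra": sorted(p for p in patterns - wildcards if p.lower() not in required_lower),
        "wildcards": sorted(wildcards),
    }


# Constructed sample policy for illustration; not a Datadog template.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ebs:GetSnapshotBlock", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer",
                "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "s3:DeleteObject"]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_scanner_policy(SAMPLE_POLICY), indent=2))
    print(json.dumps(audit_scanner_policy(SAMPLE_POLICY, dspm_enabled=True), indent=2))
```

Run it against the policy document actually attached to the scanner instance role (for example, the output of `aws iam get-role-policy`) to confirm that the role carries exactly the actions above and nothing broader before the first scan cycle starts.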

Setup

See Deploying Agentless Scanning for information on how to structure your deployment, including how many accounts and how many regions you deploy scanners across.

Select your cloud provider to see the available setup methods. If you are setting up Agentless Scanning across multiple cloud providers, complete the setup for each provider independently.

Choose your setup (AWS)

  • New to Datadog: On the Intro to Cloud Security page, click Get Started with Cloud Security, then click Quick Start. Quick Start is a guided setup flow that uses AWS CloudFormation to deploy Agentless Scanning with all Cloud Security features pre-enabled. It is only available for organizations that have not yet set up Cloud Security Management.
  • Single AWS account in Datadog: Use CloudFormation or Terraform. Terraform is recommended for multi-region deployments.
  • AWS organization with multiple accounts: Use CloudFormation StackSet to deploy scanning capabilities across all member accounts.
  • Multiple accounts without AWS Organizations: Repeat the CloudFormation or Terraform setup for each account individually.

CloudFormation

Use CloudFormation if you already have an AWS account integrated with Datadog and want to enable Agentless Scanning, or if you want to add a new AWS account.

New AWS account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Select the AWS region where you want to create the CloudFormation stack.
  4. Select an API key that has Remote Configuration enabled.
  5. Choose whether to enable Sensitive Data Scanner for cloud storage. This automatically catalogs and classifies sensitive data in Amazon S3 resources.
  6. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

Existing AWS account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. Click the AWS account where you want to deploy the Agentless scanner, which opens the side panel.
  3. On the Features tab, click Configure Agentless Scanning or Manage to open the Agentless Scanning Setup modal.
  4. In the How would you like to set up Agentless Scanning? section, select CloudFormation.
  5. Select an API key that has Remote Configuration enabled.
  6. Toggle the features you want to enable, such as Vulnerability Management or Sensitive Data Scanner.
  7. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack.
  8. Click Done.

CloudFormation StackSet

For AWS Organizations with multiple accounts, use a CloudFormation StackSet to deploy the Agentless Scanning delegate role across all member accounts. This approach automates onboarding and configures new accounts added to your AWS Organization.

This setup deploys the delegate role required for cross-account scanning across your AWS Organization or specific Organizational Units (OUs). First, set up Agentless Scanning in your central scanning account using CloudFormation or Terraform, then deploy the StackSet to configure the remaining accounts.

Prerequisites

  1. Access to the AWS management account.
  2. Trusted Access with AWS Organizations must be enabled for CloudFormation StackSets.
  3. Agentless Scanning is already configured in your central scanning account (see above).

Deploy the StackSet

  1. Log in to your AWS management account and navigate to CloudFormation > StackSets.
  2. Click Create StackSet.
  3. Select Service-managed permissions.
  4. Under Specify template, select Amazon S3 URL and enter the following URL:
    https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/v4.3.1/datadog_agentless_delegate_role_stackset.yaml
    
  5. Enter a StackSet name (for example, DatadogAgentlessScanningStackSet).
  6. Configure the ScannerInstanceRoleARN parameter, which is the ARN of the IAM role attached to your Agentless scanner instances.
    The ScannerInstanceRoleARN must be the exact ARN of the scanner instance role (for example, arn:aws:iam::123456789012:role/DatadogAgentlessScannerRole). Using a root ARN such as arn:aws:iam::123456789012:root does not work.

    The ScannerInstanceRoleARN establishes a trust relationship between the delegate role (created in target accounts) and your scanner instances (already running in the central account). This enables cross-account scanning where:

    • The scanner runs in Account 4.
    • The delegate role exists in Accounts 1, 2, 3 (deployed through the StackSet).
    • The scanner assumes the delegate roles to scan resources in those accounts.
  7. Set Deployment targets to deploy across your AWS Organization or specific OUs.
  8. Enable Automatic deployment to configure new accounts added to your AWS Organization.
  9. Select a single region for deployment (the IAM role is global and only needs to be deployed once per account).
  10. Review and submit the StackSet.

After the StackSet deploys, the member accounts are configured to allow cross-account scanning from your central scanner account.
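The following is an added example and is not Datadog's StackSet template or code. It validates the two things the ScannerInstanceRoleARN step above depends on: that the value is the exact ARN of an IAM role rather than a root ARN, and that the delegate role's trust policy names only that scanner role as the principal allowed to assume it. The trust-policy document is a constructed illustration of that shape, the account ID reuses the example from the step above, and the function names are this example's own.

```python
"""Checks for the StackSet trust relationship (added example, not Datadog's template)."""
from __future__ import annotations

import json
import re

# Exact IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path>/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$")


def check_scanner_role_arn(arn: str) -> list[str]:
    """Return problems with a proposed ScannerInstanceRoleARN (empty if acceptable)."""
    problems: list[str] = []
    if arn.endswith(":root"):
        problems.append("root ARN given; the exact scanner instance role ARN is required")
    elif not ROLE_ARN_RE.match(arn):
        problems.append("not an IAM role ARN of the form arn:aws:iam::<account-id>:role/<name>")
    return problems


def _as_list(value) -> list:
    """IAM allows a string, a single object, or a list in these fields; normalize to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def validate_delegate_trust_policy(trust_policy: dict, scanner_role_arn: str) -> list[str]:
    """Check that only the scanner instance role can assume the delegate role."""
    problems = check_scanner_role_arn(scanner_role_arn)
    trusted: set[str] = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # "Principal" may be the string "*" or an object with an "AWS" key.
        aws_principals = _as_list(principal) if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                problems.append(f"overly broad principal {p!r}: every identity in that scope could assume the delegate role")
            trusted.add(p)
    if scanner_role_arn not in trusted:
        problems.append("scanner instance role is not a trusted principal of the delegate role")
    for p in sorted(trusted - {scanner_role_arn}):
        if not (p == "*" or p.endswith(":root")):
            problems.append(f"unexpected trusted principal {p!r}")
    return problems


def delegate_trust_policy(scanner_role_arn: str) -> dict:
    """Constructed trust policy in the shape a delegate role needs (illustrative only)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": scanner_role_arn}, "Action": "sts:AssumeRole"}
        ],
    }


if __name__ == "__main__":
    # Example ARN from the step above; 123456789012 is a placeholder account ID.
    good = "arn:aws:iam::123456789012:role/DatadogAgentlessScannerRole"
    root = "arn:aws:iam::123456789012:root"
    print("exact role ARN:", validate_delegate_trust_policy(delegate_trust_policy(good), good))
    print("root ARN:", json.dumps(validate_delegate_trust_policy(delegate_trust_policy(root), root), indent=2))
```

After the StackSet has deployed, the same validator can be pointed at the trust policy of the delegate role in a member account (for example, the `AssumeRolePolicyDocument` returned by `aws iam get-role`) to confirm that no principal other than the central scanner role was added.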

Terraform

The Terraform Datadog Agentless Scanner module provides a reusable configuration for installing the Datadog Agentless scanner. Terraform is the recommended deployment method for multi-region environments. It deploys one scanner per region, which avoids cross-region networking costs. For guidance on choosing your deployment topology, see Deploying Agentless Scanning. For usage examples including multi-region configurations, see the examples directory in the GitHub repository.

New AWS account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Under Choose a method for adding your AWS account, select Manually.
  4. Follow the instructions for installing the Datadog Agentless Scanner module.
  5. Select the I confirm that the Datadog IAM Role has been added to the AWS Account checkbox.
  6. Enter the AWS Account ID and AWS Role Name.
  7. Click Save.

Existing AWS account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. Click the AWS account where you want to deploy the Agentless scanner to open the side panel.
  3. On the Features tab, click Configure Agentless Scanning or Manage to open the Agentless Scanning Setup modal.
  4. In the How would you like to set up Agentless Scanning? section, select Terraform.
  5. Follow the instructions for installing the Datadog Agentless Scanner module.
  6. Select the I confirm the Terraform module is installed checkbox.
  7. Click Done.

After completing any of the setup methods above, verify your setup.

Choose your setup (Azure)

Azure Resource Manager

Use the Azure Resource Manager template to deploy the Agentless Scanner. The template includes the role definitions required to deploy and manage Agentless scanners.

New Azure subscription

Ensure you have the Datadog Azure integration set up.

Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

Cloud Security Setup page
  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Locate the tenant ID of your subscription.
  3. (Optional) To enable detection of misconfigurations, toggle Resource Scanning to the on position.
  4. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
  5. Click the Enable button under Vulnerability Scanning.
  6. The Vulnerability Scanning dialog is displayed. Toggle Vulnerability Scanning to the on position.
  7. Under How would you like to set up Agentless Scanning?, select Azure Resource Manager.
  8. Click Launch Azure Resource Manager to be redirected to the Azure portal.
Azure portal
  1. Log in to the Azure portal. The template creation form is displayed.
  2. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
  3. In Subscriptions to scan, select all the subscriptions you want to scan.
  4. Enter your Datadog API Key, select your Datadog Site, and fill out the remainder of the form.
  5. Click Review + create.

Existing Azure subscription

Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

Cloud Security Setup page
  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Locate the tenant ID of your subscription.
  3. (Optional) To enable detection of misconfigurations, toggle Resource Scanning to the on position.
  4. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
  5. Click the Enable button under Vulnerability Scanning.
  6. The Vulnerability Scanning dialog is displayed. Toggle Vulnerability Scanning to the on position.
  7. Under How would you like to set up Agentless Scanning?, select Azure Resource Manager.
  8. Click Launch Azure Resource Manager to be redirected to the Azure portal.
Azure portal
  1. Log in to the Azure portal. The template creation form is displayed.
  2. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
  3. In Subscriptions to scan, select all the subscriptions you want to scan.
  4. Enter your Datadog API Key, select your Datadog Site, and fill out the remainder of the form.
  5. Click Review + create.

Terraform

The Terraform Datadog Agentless Scanner module provides a reusable configuration for installing the Datadog Agentless scanner. For guidance on choosing your deployment topology, see Deploying Agentless Scanning. For usage examples, see the examples directory in the GitHub repository.

  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Expand the Tenant containing the subscription where you want to deploy the Agentless scanner.
  3. Click the Enable button for the Azure subscription where you want to deploy the Agentless scanner.
  4. Toggle Vulnerability Scanning to the on position.
  5. In the How would you like to set up Agentless Scanning? section, select Terraform.
  6. Follow the instructions for installing the Datadog Agentless Scanner module.
  7. Click Done.

After completing any of the setup methods above, verify your setup.

Choose your setup (GCP)

If you haven't connected your GCP project to Datadog yet, set up the GCP integration first.

Cloud Shell

Use Google Cloud Shell to set up Agentless Scanning for your GCP projects. This method downloads a setup script that wraps the Terraform Datadog Agentless Scanner module for GCP, so you do not need to manage Terraform directly. You can review the script before running it.

  1. On the Cloud Security Setup page, click Cloud Integrations > GCP.
  2. Expand the account containing the project where you want to deploy the Agentless scanner.
  3. Click the Enable button for the GCP project where you want to deploy the Agentless scanner. The Vulnerability Scanning modal opens.
  4. In the How would you like to set up Agentless Scanning? section, select Cloud Shell.
  5. Select an API key that has Remote Configuration enabled.
  6. Create an Application key.
  7. Select the GCP projects you want to scan.
  8. Configure the Scanner project (the project where the scanner will be deployed, which must be one of the selected projects) and Scanner region.
  9. Click Open Google Cloud Shell to open Google Cloud Shell. Review and run the displayed command. The script applies the Terraform Datadog Agentless Scanner module for GCP to deploy and configure the scanner in your selected project and region.
  10. After the command completes, return to the Datadog setup page and click Done.

Terraform

The Terraform Datadog Agentless Scanner module provides a reusable configuration for installing the Datadog Agentless scanner. For guidance on choosing your deployment topology, see Deploying Agentless Scanning. For usage examples, see the examples directory in the GitHub repository.

  1. On the Cloud Security Setup page, click Cloud Integrations > GCP.
  2. Expand the account containing the project where you want to deploy the Agentless scanner.
  3. Click the Enable button for the GCP project where you want to deploy the Agentless scanner.
  4. Toggle Vulnerability Scanning to the on position.
  5. Follow the instructions for installing the Datadog Agentless Scanner module.
  6. Click Done.

After completing any of the setup methods above, verify your setup.

Verify your setup

After completing the setup, Agentless Scanning takes time to produce initial results. The first scan cycle takes approximately 30 minutes to complete.

If no results appear after two hours, see the Agentless Scanning troubleshooting guide.

View scan results in the following locations:

Exclude resources from scans

To exclude specific hosts, containers, or functions from scans, see Resource Evaluation Filters.

Disable Agentless Scanning

AWS

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. If required, use filters to find the account you want to stop Agentless Scanning for. Click the account to open the side panel that contains its settings.
  3. On the Features tab, click Configure Agentless Scanning or Manage to open the Agentless Scanning Setup modal.
  4. Under How would you like to set up Agentless Scanning?, click Terraform.
  5. Under Enable Features, beside Enable Agentless Vulnerability management, switch the toggle to the off position.
  6. Click Done.

Azure

  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Locate your subscription’s tenant, expand the list of subscriptions, and identify the subscription for which you want to disable Agentless Scanning.
  3. Beside the Enabled label, click the Edit button to open the Vulnerability Scanning modal.
  4. Beside Vulnerability Scanning, switch the toggle to the off position.
  5. Click Done.

GCP

  1. On the Cloud Security Setup page, click Cloud Integrations > GCP.
  2. Expand the account containing the project where you want to disable Agentless Scanning.
  3. Beside the Enabled label, click the Edit button to open the Vulnerability Scanning modal.
  4. Beside Vulnerability Scanning, switch the toggle to the off position.
  5. Click Done.

Uninstall Agentless Scanning

Select the deployment method you used to install Agentless Scanning:

To uninstall Agentless Scanning, remove the scanner module from your Terraform code. For more information, see the Terraform module documentation.

To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning (the sub-stack name follows the pattern DatadogIntegration-DatadogAgentlessScanning-...).

To uninstall Agentless Scanning that was set up using Google Cloud Shell, run the same setup command you used during installation, replacing deploy with destroy at the end. For example:

curl -sSL "<CLOUD_SHELL_SCRIPT_URL>" -o gcp_agentless_setup.pyz && \
DD_API_KEY="<DD_API_KEY>" \
DD_APP_KEY="<DD_APP_KEY>" \
DD_SITE="<DD_SITE>" \
SCANNER_PROJECT="<SCANNER_PROJECT>" \
SCANNER_REGIONS="<SCANNER_REGION>" \
PROJECTS_TO_SCAN="<PROJECTS>" \
python3 gcp_agentless_setup.pyz destroy

You can review the setup script source before running the command.

To uninstall Agentless Scanning, log in to your Azure subscription. If you created a dedicated resource group for the Agentless scanner, delete this resource group along with the following Azure role definitions:

  • Datadog Agentless Scanner Role
  • Datadog Agentless Scanner Delegate Role

If you did not use a dedicated resource group, you must manually delete the scanner resources, which can be identified by the tags Datadog:true and DatadogAgentlessScanner:true.

Further reading