If you’ve already set up Cloud Security Management and want to add a new AWS account or enable Agentless Scanning on an existing integrated AWS account, you can use either Terraform or AWS CloudFormation. This article provides detailed instructions for the AWS CloudFormation approach.

If you're setting up Cloud Security Management for the first time, you can follow the quick start workflow, which also uses AWS CloudFormation to enable Agentless Scanning.
Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.
  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Select the AWS region where you want to create the CloudFormation stack.
  4. Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection.
  5. Send AWS Logs to Datadog and Enable Cloud Security Management are automatically selected by default. Leave the selections as is.
  6. In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
  7. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.
  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. Click the Edit button for the AWS account where you want to deploy the Agentless scanner.
  3. Verify that Enable Resource Scanning is toggled on. If it isn’t, switch the Enable Resource Scanning toggle to the on position and complete Steps 3-7 in New AWS Account.
  4. In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
  5. Click Done.

Exclude resources from scans

To exclude AWS hosts, containers, and Lambda functions from scans, apply the tag DatadogAgentlessScanner:false to each resource. For detailed instructions on adding this tag, refer to the AWS documentation.

Update the CloudFormation stack

Datadog recommends updating the CloudFormation stack regularly, so you can get access to new features and bug fixes as they get released. To do so, follow these steps:

  1. Log in to your AWS console and go to the CloudFormation Stacks page.
  2. Select the DatadogIntegration-DatadogAgentlessScanning-… CloudFormation sub-stack, click Update, then click Update nested stack.
  3. Click Replace existing template.
  4. In the following S3 URL: https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/<VERSION>/datadog_agentless_scanning.yaml, replace <VERSION> with the version found in aws_quickstart/version.txt. Paste that URL into the Amazon S3 URL field.
  5. Click Next to advance through the next several pages without modifying them, then submit the form.

Disable Agentless Scanning

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. To disable Agentless Scanning for an account, click the Edit button and toggle the Agentless Scanning section to the off position.
  3. Click Done.

Uninstall with CloudFormation

To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning.

Further Reading