Deploying Agentless Scanning
This guide helps you choose the right deployment topology for Agentless Scanning based on your cloud environment. For setup instructions, see Enabling Agentless Scanning.
Overview
Datadog recommends the following guidelines:
- Use a dedicated scanner account for multi-account environments.
- Deploy a scanner in each region that contains more than 150 hosts.
- If you use Cloud Storage Scanning, deploy a scanner in each region that contains a data store (for example, S3 buckets or RDS instances).
Scanners only send the collected list of packages and host metadata (hostnames, EC2/VM/Compute Engine instance identifiers) to Datadog. All scanned data remains in your infrastructure.
Cloud account and region configuration
The deployment topology you use depends on how many cloud accounts (AWS accounts, Azure subscriptions, or GCP projects) you need to scan, and which regions they cover.
- Cloud accounts: If you only need to scan a single account, deploy one or more scanners directly in that account. Otherwise, use a dedicated scanner account, and use delegate roles to grant it access to scan other accounts. This is called cross-account scanning.
- Regions: A single scanner can scan hosts in any region, including regions other than its own. However, cross-region scanning incurs data transfer costs. Whether you deploy additional scanners depends on how many hosts you have in each region.
Single account
If you only need to scan a single account, deploy one or more scanners directly in that account.
Decide how many scanners to deploy
A single scanner can scan hosts in any region, including regions other than its own. Cross-region scanning incurs data transfer costs, so the decision of where to deploy additional scanners depends on how many hosts you have in each region.
- Fewer than ~150 hosts total across all regions: A single scanner in one region is the most cost-effective setup. The cross-region data transfer costs for scanning remote hosts are lower than the fixed cost of running an additional scanner.
- More than ~150 hosts in a specific region: Deploy a dedicated scanner in that region. At this threshold, the egress savings from scanning locally outweigh the cost of running the scanner.
- Multiple regions above the threshold: Deploy a scanner in each region that exceeds ~150 hosts. Regions below the threshold can be scanned cross-region from the nearest scanner.
Datadog automatically routes scans to the appropriate regional scanner to minimize cross-region costs.
Scanner capacity limits
Each scanner has throughput limits governed by cloud provider API quotas:
| Limit | Value |
|---|---|
| Maximum scanners per account per region | 4 (hard cap; cloud providers like AWS limit concurrent snapshots to 100 per account per region) |
| Scan interval | Every 12 hours |
Do not increase the Autoscaling Group (ASG) desired count beyond four scanners per region. Additional scanners cannot create snapshots due to cloud providers' concurrent snapshot limit.
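The per-region placement rule and the capacity cap above are easy to get wrong when you have many regions, so here is a small planner that applies them mechanically. This is an added example, not Datadog's tooling: it takes a constructed map of host counts per region and returns which regions get a dedicated scanner and which are scanned cross-region. Two assumptions are not from the page and are marked in the code: "nearest scanner" is approximated by a shared geography prefix (us-west-2 is served from us-east-1 rather than eu-west-1), and when the total exceeds ~150 hosts but no single region does, one scanner goes in the largest region.

```python
"""Plan Agentless Scanning scanner placement from per-region host counts.

Added example; not part of Datadog's documentation or product code.
"""
from dataclasses import dataclass, field

HOST_THRESHOLD = 150          # hosts per region above which a local scanner pays off (from the docs)
MAX_SCANNERS_PER_REGION = 4   # hard cap from the capacity table (from the docs)


@dataclass
class Placement:
    scanner_regions: list[str]                               # regions that get their own scanner
    served_by: dict[str, str] = field(default_factory=dict)  # remote region -> scanner region serving it


def _nearest_scanner(region: str, scanner_regions: list[str],
                     hosts_by_region: dict[str, int]) -> str:
    """Pick the scanner that serves a region without its own scanner.

    Assumption (not from the docs): 'nearest' is approximated by a shared
    geography prefix such as 'us' or 'eu'; if no scanner shares the prefix,
    fall back to the scanner region with the most hosts.
    """
    geo = region.split("-", 1)[0]
    same_geo = [r for r in scanner_regions if r.split("-", 1)[0] == geo]
    candidates = same_geo or scanner_regions
    return max(candidates, key=lambda r: hosts_by_region[r])


def plan_scanner_placement(hosts_by_region: dict[str, int]) -> Placement:
    """Apply the ~150-host rule: one scanner if the total is small,
    otherwise a dedicated scanner in every region above the threshold."""
    if not hosts_by_region:
        raise ValueError("no regions to scan")
    total = sum(hosts_by_region.values())
    largest = max(hosts_by_region, key=hosts_by_region.get)

    if total < HOST_THRESHOLD:
        # Fewer than ~150 hosts overall: a single scanner is cheapest.
        scanner_regions = [largest]
    else:
        # Dedicated scanner per region above the threshold, biggest first.
        # Assumption: if no region is individually above it, use the largest region.
        scanner_regions = sorted(
            (r for r, n in hosts_by_region.items() if n > HOST_THRESHOLD),
            key=hosts_by_region.get, reverse=True,
        ) or [largest]

    placement = Placement(scanner_regions=scanner_regions)
    for region in hosts_by_region:
        if region not in scanner_regions:
            placement.served_by[region] = _nearest_scanner(region, scanner_regions, hosts_by_region)
    return placement


def validate_asg_desired_count(desired: int) -> int:
    """Reject an ASG desired count that exceeds the four-scanner hard cap;
    extra scanners cannot create snapshots because of the concurrent-snapshot limit."""
    if desired < 1 or desired > MAX_SCANNERS_PER_REGION:
        raise ValueError(
            f"desired count {desired} is outside 1..{MAX_SCANNERS_PER_REGION} scanners per region")
    return desired


if __name__ == "__main__":
    # Constructed sample inventory (not real data).
    inventory = {"us-east-1": 400, "us-west-2": 50, "eu-west-1": 200, "ap-southeast-1": 20}
    plan = plan_scanner_placement(inventory)
    print("dedicated scanners in:", plan.scanner_regions)
    for remote, scanner in plan.served_by.items():
        print(f"  {remote} scanned cross-region from {scanner}")
    print("ASG desired count OK:", validate_asg_desired_count(2))
```

Run it against your own region inventory (for example, host counts pulled from your cloud provider's inventory API) to get a first-cut topology; then sanity-check cross-region assignments against your actual data-transfer pricing, since the planner only encodes the ~150-host rule of thumb.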
Multiple accounts
Decide which accounts to deploy scanners in
Datadog recommends using a dedicated scanner account to deploy scanners in, and using cross-account delegate roles to grant scanners access to target accounts (including the scanner account).
For AWS Organizations, use a CloudFormation StackSet to deploy a delegate role across all member accounts, automating onboarding for cross-account scanning.
Diagram: cross-account scanning from a central scanner account (Account 4).
If you do not want to grant cross-account permissions, deploy a scanner in each account instead. This incurs higher costs because each scanner performs cross-region scans within its account.
Within the scanner account, decide how many scanners to deploy using the per-region guidance in "Decide how many scanners to deploy" above; the same scanner capacity limits (at most four scanners per account per region, scanning every 12 hours) apply.
Enterprise networking considerations
By default, the scanner creates a new VPC during deployment. If your organization is using Terraform and has Service Control Policies (SCPs) that restrict VPC creation, use the custom VPC option during setup to use an existing VPC instead of creating a new one.