---
title: Enabling Agentless Scanning
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Cloud Security > Setting up Cloud Security > Cloud
  Security Agentless Scanning > Enabling Agentless Scanning
---

# Enabling Agentless Scanning

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}

Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without installing the Datadog Agent. Agentless Scanning runs entirely within your infrastructure, sending minimal data to Datadog, and leaving your sensitive data in your environment. Because the scanner runs in your cloud account, standard [cloud provider costs](https://docs.datadoghq.com/security/cloud_security_management/agentless_scanning#cloud-service-provider-cost) apply. To learn more, see the [Agentless Scanning overview](https://docs.datadoghq.com/security/cloud_security_management/agentless_scanning).

Setup takes approximately 30 minutes per cloud account:

1. Verify prerequisites below.
1. Choose your cloud provider and deployment method.
1. Launch a template in your cloud account.
1. Verify scan results in Datadog.

## Prerequisites{% #prerequisites %}

Before setting up Agentless Scanning, verify that the following prerequisites are met:

- **Remote Configuration**: [Remote Configuration](https://docs.datadoghq.com/remote_configuration) must be enabled on your Datadog organization to send scan instructions to Agentless scanners.

- **[API and Application Keys](https://docs.datadoghq.com/account_management/api-app-keys/)**:

  - An **API key** with Remote Configuration enabled is required for scanners to report scan results to Datadog.
  - An **Application key** with either **Integrations Manage** or **Org Management** permissions is required for you to enable scanning features through the Datadog API.

- **Cloud permissions**: The Agentless Scanning instance requires specific permissions to scan hosts, host images, container registries, and functions. Datadog automatically applies these permissions, listed below for transparency, during installation.

  {% collapsible-section %}
  AWS scanning permissions: 
Scanning permissions:

  - `ebs:GetSnapshotBlock`
  - `ebs:ListChangedBlocks`
  - `ebs:ListSnapshotBlocks`
  - `ec2:CopySnapshot`
  - `ec2:CreateSnapshot`
  - `ec2:CreateTags`
  - `ec2:DeleteSnapshot`
  - `ec2:DeregisterImage`
  - `ec2:DescribeSnapshotAttribute`
  - `ec2:DescribeSnapshots`
  - `ec2:DescribeVolumes`
  - `ecr:BatchGetImage`
  - `ecr:GetAuthorizationToken`
  - `ecr:GetDownloadUrlForLayer`
  - `kms:CreateGrant`
  - `kms:Decrypt`
  - `kms:DescribeKey`
  - `lambda:GetFunction`
  - `lambda:GetLayerVersion`

Only when Sensitive Data Scanning (DSPM) is enabled:

  - `kms:GenerateDataKey`
  - `s3:GetObject`
  - `s3:ListBucket`

    {% /collapsible-section %}



  {% collapsible-section %}
  Azure scanning permissions: 
  - `Microsoft.Compute/virtualMachines/read`
  - `Microsoft.Compute/virtualMachines/instanceView/read`
  - `Microsoft.Compute/virtualMachineScaleSets/read`
  - `Microsoft.Compute/virtualMachineScaleSets/instanceView/read`
  - `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read`
  - `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read`
  - `Microsoft.Compute/disks/read`
  - `Microsoft.Compute/disks/beginGetAccess/action`
  - `Microsoft.Compute/disks/endGetAccess/action`
  - `Microsoft.ContainerRegistry/registries/pull/read`

    {% /collapsible-section %}

  {% collapsible-section %}
  GCP scanning permissions: 
  - `compute.disks.create`
  - `compute.disks.createSnapshot`
  - `compute.disks.delete`
  - `compute.disks.get`
  - `compute.disks.setLabels`
  - `compute.disks.use`
  - `compute.globalOperations.get`
  - `compute.images.get`
  - `compute.instances.attachDisk`
  - `compute.instances.detachDisk`
  - `compute.snapshots.create`
  - `compute.snapshots.get`
  - `compute.snapshots.list`
  - `compute.snapshots.delete`
  - `compute.snapshots.setLabels`

    {% /collapsible-section %}

## Setup{% #setup %}

See [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods) for information on how to structure your deployment, including how many accounts and how many regions you deploy scanners across.

Select your cloud provider to see the available setup methods. If you are setting up Agentless Scanning across multiple cloud providers, complete the setup for each provider independently.

{% tab title="AWS" %}
### Choose your setup{% #choose-your-setup %}

- **New to Datadog**: On the [Intro to Cloud Security](https://app.datadoghq.com/security/csm/) page, click **Get Started with Cloud Security**, then click **Quick Start**. Quick Start is a guided setup flow that uses AWS CloudFormation to deploy Agentless Scanning with all Cloud Security features pre-enabled. It is only available for organizations that have not yet set up Cloud Security Management.
- **Single AWS account in Datadog**: Use CloudFormation or Terraform. Terraform is recommended for multi-region deployments.
- **AWS organization with multiple accounts**: Use CloudFormation StackSet to deploy scanning capabilities across all member accounts.
- **Multiple accounts without AWS Organizations**: Repeat the CloudFormation or Terraform setup for each account individually.

{% collapsible-section #aws-cloudformation-setup %}
### CloudFormation

Use CloudFormation if you already have an AWS account integrated with Datadog and want to enable Agentless Scanning, or if you want to add a new AWS account.

#### New AWS account{% #new-aws-account %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **AWS**.
1. At the bottom of the AWS section, click **Add AWS accounts by following these steps**. The **Add New AWS Account(s)** dialog is displayed.
1. Select the AWS region where you want to create the CloudFormation stack.
1. Select an API key that has [Remote Configuration](https://docs.datadoghq.com/remote_configuration) enabled.
1. Choose whether to enable **Sensitive Data Scanner** for cloud storage. This automatically catalogs and classifies sensitive data in Amazon S3 resources.
1. Click **Launch CloudFormation Template**. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

#### Existing AWS account{% #existing-aws-account %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **AWS**.
1. Click the AWS account where you want to deploy the Agentless scanner, which opens the side panel.
1. On the **Features** tab, click **Configure Agentless Scanning** or **Manage** to open the Agentless Scanning Setup modal.
1. In the **How would you like to set up Agentless Scanning?** section, select **CloudFormation**.
1. Select an API key that has [Remote Configuration](https://docs.datadoghq.com/remote_configuration) enabled.
1. Toggle the features you want to enable, such as **Vulnerability Management** or **Sensitive Data Scanner**.
1. Click **Launch CloudFormation Template**. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack.
1. Click **Done**.

{% /collapsible-section %}

{% collapsible-section #aws-cloudformation-stackset-setup %}
### CloudFormation StackSet (Multi-Account)

For AWS Organizations with multiple accounts, use a CloudFormation StackSet to deploy the Agentless Scanning delegate role across all member accounts. This approach automates onboarding and configures new accounts added to your AWS Organization.

This setup deploys the delegate role required for [cross-account scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods) across your AWS Organization or specific Organizational Units (OUs). First, set up Agentless Scanning in your central scanning account using CloudFormation or Terraform, then deploy the StackSet to configure the remaining accounts.

#### Prerequisites{% #prerequisites %}

1. Access to the AWS management account.
1. [Trusted Access with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) must be enabled for CloudFormation StackSets.
1. Agentless Scanning is already configured in your central scanning account (see above).

#### Deploy the StackSet{% #deploy-the-stackset %}

1. Log in to your AWS management account and navigate to **CloudFormation > StackSets**.
1. Click **Create StackSet**.
1. Select **Service-managed permissions**.
1. Under **Specify template**, select **Amazon S3 URL** and enter the following URL:
   ```
   https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/v4.3.1/datadog_agentless_delegate_role_stackset.yaml
   ```

1. Enter a **StackSet name** (for example, `DatadogAgentlessScanningStackSet`).
1. Configure the **ScannerInstanceRoleARN** parameter, which is the ARN of the IAM role attached to your Agentless scanner instances.Important alert (level: danger): The `ScannerInstanceRoleARN` must be the exact ARN of the scanner instance role (for example, `arn:aws:iam::123456789012:role/DatadogAgentlessScannerRole`). Using a root ARN such as `arn:aws:iam::123456789012:root` does not work.
The `ScannerInstanceRoleARN` establishes a trust relationship between the delegate role (created in target accounts) and your scanner instances (already running in the central account). This enables cross-account scanning where:

   - The scanner runs in Account 4.
   - The delegate role exists in Accounts 1, 2, 3 (deployed through the StackSet).
   - The scanner assumes the delegate roles to scan resources in those accounts.

1. Set **Deployment targets** to deploy across your AWS Organization or specific OUs.
1. Enable **Automatic deployment** to configure new accounts added to your AWS Organization.
1. Select a **single region** for deployment (the IAM role is global and only needs to be deployed once per account).
1. Review and submit the StackSet.

After the StackSet deploys, the member accounts are configured to allow cross-account scanning from your central scanner account.
{% /collapsible-section %}

{% collapsible-section #aws-terraform-setup %}
### Terraform

The [Terraform Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner) provides a reusable configuration for installing the Datadog Agentless scanner. Terraform is the recommended deployment method for multi-region environments. It deploys one scanner per region, which avoids cross-region networking costs. For guidance on choosing your deployment topology, see [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods). For usage examples including multi-region configurations, see the [examples directory](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/examples) in the GitHub repository.

#### New AWS account{% #new-aws-account %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **AWS**.
1. At the bottom of the AWS section, click **Add AWS accounts by following these steps**. The **Add New AWS Account(s)** dialog is displayed.
1. Under **Choose a method for adding your AWS account**, select **Manually**.
1. Follow the instructions for installing the [Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/blob/main/README.md).
1. Select the **I confirm that the Datadog IAM Role has been added to the AWS Account** checkbox.
1. Enter the **AWS Account ID** and **AWS Role Name**.
1. Click **Save**.

#### Existing AWS account{% #existing-aws-account %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **AWS**.
1. Click the AWS account where you want to deploy the Agentless scanner to open the side panel.
1. On the **Features** tab, click **Configure Agentless Scanning** or **Manage** to open the Agentless Scanning Setup modal.
1. In the **How would you like to set up Agentless Scanning?** section, select **Terraform**.
1. Follow the instructions for installing the [Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/blob/main/README.md).
1. Select the **I confirm the Terraform module is installed** checkbox.
1. Click **Done**.

{% /collapsible-section %}

After completing any of the setup methods above, verify your setup.
{% /tab %}

{% tab title="Azure" %}
### Choose your setup{% #choose-your-setup %}

- **New Azure subscription**: Use Azure Resource Manager (recommended) or Terraform.
- **Existing Azure subscription**: Use Azure Resource Manager or Terraform.
- **Multiple subscriptions**: Use Terraform for repeatable, multi-subscription deployments.

{% collapsible-section #azure-resource-manager-setup %}
### Azure Resource Manager

Use the Azure Resource Manager template to deploy the Agentless Scanner. The template includes the role definitions required to deploy and manage Agentless scanners.

#### New Azure subscription{% #new-azure-subscription %}

{% alert level="info" %}
Ensure you have the [Datadog Azure integration](https://docs.datadoghq.com/integrations/guide/azure-manual-setup/?tab=azurecli) set up.
{% /alert %}

Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

##### Cloud Security Setup page{% #cloud-security-setup-page %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **Azure**.
1. Locate the tenant ID of your subscription.
1. **(Optional)** To enable detection of misconfigurations, toggle **Resource Scanning** to the on position.
1. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
1. Click the **Enable** button under **Vulnerability Scanning**.
1. The **Vulnerability Scanning** dialog is displayed. Toggle **Vulnerability Scanning** to the on position.
1. Under **How would you like to set up Agentless Scanning?**, select **Azure Resource Manager**.
1. Click **Launch Azure Resource Manager** to be redirected to the Azure portal.

##### Azure portal{% #azure-portal %}

1. Log in to the Azure portal. The template creation form is displayed.
1. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
1. In **Subscriptions to scan**, select all the subscriptions you want to scan.
1. Enter your **Datadog API Key**, select your **Datadog Site**, and fill out the remainder of the form.
1. Click **Review + create**.

#### Existing Azure subscription{% #existing-azure-subscription %}

Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

##### Cloud Security Setup page{% #cloud-security-setup-page-1 %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **Azure**.
1. Locate the tenant ID of your subscription.
1. **(Optional)** To enable detection of misconfigurations, toggle **Resource Scanning** to the on position.
1. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
1. Click the **Enable** button under **Vulnerability Scanning**.
1. The **Vulnerability Scanning** dialog is displayed. Toggle **Vulnerability Scanning** to the on position.
1. Under **How would you like to set up Agentless Scanning?**, select **Azure Resource Manager**.
1. Click **Launch Azure Resource Manager** to be redirected to the Azure portal.

##### Azure portal{% #azure-portal-1 %}

1. Log in to the Azure portal. The template creation form is displayed.
1. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
1. In **Subscriptions to scan**, select all the subscriptions you want to scan.
1. Enter your **Datadog API Key**, select your **Datadog Site**, and fill out the remainder of the form.
1. Click **Review + create**.

{% /collapsible-section %}

{% collapsible-section #azure-terraform-setup %}
### Terraform

The [Terraform Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner) provides a reusable configuration for installing the Datadog Agentless scanner. For guidance on choosing your deployment topology, see [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods). For usage examples, see the [examples directory](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/examples) in the GitHub repository.

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **Azure**.
1. Expand the Tenant containing the subscription where you want to deploy the Agentless scanner.
1. Click the **Enable** button for the Azure subscription where you want to deploy the Agentless scanner.
1. Toggle **Vulnerability Scanning** to the on position.
1. In the **How would you like to set up Agentless Scanning?** section, select **Terraform**.
1. Follow the instructions for installing the [Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/azure#readme).
1. Click **Done**.

{% /collapsible-section %}

After completing any of the setup methods above, verify your setup.
{% /tab %}

{% tab title="GCP" %}
### Choose your setup{% #choose-your-setup %}

- **New GCP customer**: [Set up the GCP integration](https://app.datadoghq.com/security/configuration/csm/setup?active_steps=cloud-accounts&active_sub_step=gcp) first, then enable Agentless Scanning.
- **Existing integrated GCP project**: Use Cloud Shell (recommended) or Terraform.

{% alert level="info" %}
If you haven't connected your GCP project to Datadog yet, [set up the GCP integration](https://app.datadoghq.com/security/configuration/csm/setup?active_steps=cloud-accounts&active_sub_step=gcp) first.
{% /alert %}

{% collapsible-section #gcp-cloud-shell-setup %}
### Cloud Shell

Use Google Cloud Shell to set up Agentless Scanning for your GCP projects. This method downloads a [setup script](https://github.com/DataDog/integrations-management/tree/main/gcp/agentless) that wraps the [Terraform Datadog Agentless Scanner module for GCP](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/gcp#readme), so you do not need to manage Terraform directly. You can review the script before running it.

**Required GCP permissions:** The identity you use in Cloud Shell must have **Owner** or equivalent on the scanner project. The script creates a GCS bucket for Terraform state, so you must also have **Storage** permissions on that project (for example, `roles/storage.admin` or `storage.buckets.create` / `storage.buckets.get` / `storage.buckets.update`). Alternatively, you can **reuse an existing bucket** for Terraform state by setting the `TF_STATE_BUCKET` environment variable to an existing bucket name; the script will not create a bucket in that case. If you see a 403 error on "Setting up Terraform state storage", see [GCP: Failed to create state bucket][26] in the troubleshooting guide.

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **GCP**.
1. Expand the account containing the project where you want to deploy the Agentless scanner.
1. Click the **Enable** button for the GCP project where you want to deploy the Agentless scanner. The **Vulnerability Scanning** modal opens.
1. In the **How would you like to set up Agentless Scanning?** section, select **Cloud Shell**.
1. Select an **API key** that has [Remote Configuration](https://docs.datadoghq.com/remote_configuration) enabled. An application key is automatically generated.
1. Select the **GCP projects** you want to scan.
1. Configure the scanner:
   - If you already have scanners deployed, you can choose to **use an existing scanner** (recommended) or **deploy a new scanner**.
   - If deploying a new scanner, select the Scanner project (which must be one of the selected projects). We recommend installing scanners in every region where you have more than 150 hosts
1. Click **Copy command** to copy the generated command, and click **Open Google Cloud Shell** to open [Google Cloud Shell](https://ssh.cloud.google.com/cloudshell). Review and run the command. The script applies the [Terraform Datadog Agentless Scanner module for GCP](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/gcp#readme) to deploy and configure the scanner in your selected project and region(s).
1. After the command completes, return to the Datadog setup page and click **Done**.

{% /collapsible-section %}

{% collapsible-section #gcp-terraform-setup %}
### Terraform

The [Terraform Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner) provides a reusable configuration for installing the Datadog Agentless scanner. For guidance on choosing your deployment topology, see [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods). For usage examples, see the [examples directory](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/examples) in the GitHub repository.

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **GCP**.
1. Expand the account containing the project where you want to deploy the Agentless scanner.
1. Click the **Enable** button for the GCP project where you want to deploy the Agentless scanner.
1. Toggle **Vulnerability Scanning** to the on position.
1. Follow the instructions for installing the [Datadog Agentless Scanner module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/gcp#readme).
1. Click **Done**.

{% /collapsible-section %}

After completing any of the setup methods above, verify your setup.
{% /tab %}

## Verify your setup{% #verify-your-setup %}

After completing the setup, Agentless Scanning takes time to produce initial results. The first scan cycle takes approximately 30 minutes to complete.

{% alert level="info" %}
If no results appear after two hours, see the [Agentless Scanning troubleshooting guide](https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/agentless_scanning).
{% /alert %}

View scan results in the following locations:

- **For host and container vulnerabilities**: [Cloud Security Vulnerabilities Explorer](https://app.datadoghq.com/security/csm/vm). To view only vulnerabilities detected by Agentless Scanning, use the filter `origin:"Agentless scanner"` in the search bar.
- **For Lambda vulnerabilities**: [Code Security (SCA) Explorer](https://app.datadoghq.com/security/code-security/sca).
- **For sensitive data findings**: [Sensitive Data Scanner](https://app.datadoghq.com/sensitive-data-scanner/storage).

## Exclude resources from scans{% #exclude-resources-from-scans %}

To exclude specific hosts, containers, or functions from scans, see [Resource Evaluation Filters](https://docs.datadoghq.com/security/cloud_security_management/guide/resource_evaluation_filters).

## Disable Agentless Scanning{% #disable-agentless-scanning %}

{% tab title="AWS" %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **AWS**.
1. If required, use filters to find the account you want to stop Agentless Scanning for. Click the account to open the side panel that contains its settings.
1. On the **Features** tab, click **Configure Agentless Scanning** or **Manage** to open the Agentless Scanning Setup modal.
1. Under **How would you like to set up Agentless Scanning?**, click **Terraform**.
1. Under **Enable Features**, beside **Enable Agentless Vulnerability management**, switch the toggle to the off position.
1. Click **Done**.

{% /tab %}

{% tab title="Azure" %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **Azure**.
1. Locate your subscription's tenant, expand the list of subscriptions, and identify the subscription for which you want to disable Agentless Scanning.
1. Beside the **Enabled** label, click the **Edit** button () to open the Vulnerability Scanning modal.
1. Beside **Vulnerability Scanning**, switch the toggle to the off position.
1. Click **Done**.

{% /tab %}

{% tab title="GCP" %}

1. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, click **Cloud Integrations** > **GCP**.
1. Expand the account containing the project where you want to disable Agentless Scanning.
1. Beside the **Enabled** label, click the **Edit** button () to open the Vulnerability Scanning modal.
1. Beside **Vulnerability Scanning**, switch the toggle to the off position.
1. Click **Done**.

{% /tab %}

## Uninstall Agentless Scanning{% #uninstall-agentless-scanning %}

Select the deployment method you used to install Agentless Scanning:

{% tab title="Terraform" %}
To uninstall Agentless Scanning, remove the scanner module from your Terraform code. For more information, see the [Terraform module](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/blob/main/README.md#uninstall) documentation.
{% /tab %}

{% tab title="AWS CloudFormation" %}
To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning (the sub-stack name follows the pattern `DatadogIntegration-DatadogAgentlessScanning-...`).
{% /tab %}

{% tab title="GCP Cloud Shell" %}
To uninstall Agentless Scanning that was set up using Google Cloud Shell, run the same setup command you used during installation, replacing `deploy` with `destroy` at the end. For example:

```text
curl -sSL "<CLOUD_SHELL_SCRIPT_URL>" -o gcp_agentless_setup.pyz && \
DD_API_KEY="<DD_API_KEY>" \
DD_APP_KEY="<DD_APP_KEY>" \
DD_SITE="<DD_SITE>" \
SCANNER_PROJECT="<SCANNER_PROJECT>" \
SCANNER_REGIONS="<SCANNER_REGIONS>" \
PROJECTS_TO_SCAN="<PROJECTS>" \
python3 gcp_agentless_setup.pyz destroy
```

You can review the [setup script source](https://github.com/DataDog/integrations-management/tree/main/gcp/agentless) before running the command.
{% /tab %}

{% tab title="Azure Resource Manager" %}
To uninstall Agentless Scanning, log in to your Azure subscription. If you created a dedicated resource group for the Agentless scanner, delete this resource group along with the following Azure role definitions:

- Datadog Agentless Scanner Role
- Datadog Agentless Scanner Delegate Role

If you did not use a dedicated resource group, you must manually delete the scanner resources, which can be identified by the tags `Datadog:true` and `DatadogAgentlessScanner:true`.
{% /tab %}

## Further reading{% #further-reading %}

- [Setting up Cloud Security](https://docs.datadoghq.com/security/cloud_security_management/setup)
- [Cloud Security Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/agentless_scanning)
- [Updating Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/update)
- [Troubleshooting Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/troubleshooting/agentless_scanning)