Designed for new users, the quick start workflow offers an efficient setup process for Cloud Security Management, enabling immediate monitoring of AWS resources. It uses AWS CloudFormation to automate the configuration, and includes the Cloud Security Management features: Misconfigurations, Identity Risks (CIEM), and Vulnerability Management.

This article provides instructions for the new user quick start workflow that uses AWS CloudFormation to set up Agentless Scanning. For existing users who want to add a new AWS account or enable Agentless Scanning on an existing integrated AWS account, see the instructions for Terraform or AWS CloudFormation.
Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.

Installation

  1. On the Intro to Cloud Security Management page, click Get Started with Cloud Security Management.
  2. Click Quick Start. The Features page is displayed, showing the features included with Agentless Scanning Quick Start.
  3. Click Start Using Cloud Security Management to continue.
  4. Select the AWS region where you want to create the CloudFormation stack.
  5. Select an API key that is already configured for Remote Configuration. If the API key you select does not have Remote Configuration enabled, Remote Configuration is automatically enabled for that key upon selection.
  6. Send AWS Logs to Datadog and Enable Cloud Security Management are selected by default. Leave both selected.
  7. In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
  8. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

Exclude resources from scans

To exclude AWS hosts, containers, and Lambda functions from scans, apply the tag CompanyAgentlessScanner:false to each resource. For detailed instructions on adding this tag, refer to the AWS documentation.
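
The tagging step above, together with a way to review which resources are currently opted out of scanning, as an added example (not part of the original instructions or Datadog tooling). The function names and the `AWS_CLI` variable are hypothetical; it assumes the AWS CLI is configured with permission to tag and list the resources involved.

```shell
#!/bin/sh
# Added example: helper functions, not Datadog-provided tooling.
# AWS_CLI (hypothetical variable) lets you swap the binary, e.g. "echo" for a dry run.
AWS_CLI="${AWS_CLI:-aws}"
TAG_KEY="CompanyAgentlessScanner"   # tag key as given on this page
TAG_VALUE="false"

# Apply the exclusion tag to one resource.
# $1 is an EC2 instance ID (i-...) or a Lambda function ARN.
exclude_from_scan() {
  case "$1" in
    i-*)
      "$AWS_CLI" ec2 create-tags --resources "$1" \
        --tags "Key=$TAG_KEY,Value=$TAG_VALUE" ;;
    arn:*:lambda:*:function:*)
      "$AWS_CLI" lambda tag-resource --resource "$1" \
        --tags "$TAG_KEY=$TAG_VALUE" ;;
    *)
      # Refuse anything this helper does not know how to tag.
      echo "unsupported resource identifier: $1" >&2
      return 2 ;;
  esac
}

# List the ARNs of every resource in the current region that carries the
# exclusion tag, so opted-out resources can be reviewed periodically.
list_excluded() {
  "$AWS_CLI" resourcegroupstaggingapi get-resources \
    --tag-filters "Key=$TAG_KEY,Values=$TAG_VALUE" \
    --query 'ResourceTagMappingList[].ResourceARN' --output text
}
```

Tagged resources are skipped by the scanners, so run `list_excluded` in each region you use and confirm every entry is an intended exclusion.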

Disable Agentless Scanning

  1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
  2. To disable Agentless Scanning for an account, click the Edit button and toggle the Agentless Scanning section to the off position.
  3. Click Done.

Uninstall Agentless Scanning

To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning.
