Setting up Agentless Scanning using Terraform

If you’ve already set up Cloud Security Management and want to add a new AWS account or enable Agentless Scanning on an existing integrated AWS account, you can use either Terraform or AWS CloudFormation. This article provides detailed instructions for the Terraform approach.

If you're setting up Cloud Security Management for the first time, you can follow the quick start workflow, which uses AWS CloudFormation to enable Agentless Scanning.
    1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
    2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
    3. Under Choose a method for adding your AWS account, select Manually.
    4. Follow the instructions for installing the Datadog Agentless Scanner module.
    5. Select the I confirm that the Datadog IAM Role has been added to the AWS Account checkbox.
    6. Enter the AWS Account ID and AWS Role Name.
    7. Click Save.
    1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
    2. Click the Edit scanning button for the AWS account where you want to deploy the Agentless scanner.
    3. Enable Resource Scanning should already be toggled on. If it isn’t, toggle Enable Resource Scanning to the on position.
    4. In the How would you like to set up Agentless Scanning? section, select Terraform.
    5. Follow the instructions for installing the Datadog Agentless Scanner module.
    6. In the Agentless Scanning section, toggle Host Vulnerability Scanning, Container Vulnerability Scanning, Lambda Vulnerability Scanning, and Data Security Scanning to the on position.
    7. Click Done.

    Exclude resources from scans

    To exclude AWS hosts, containers, and Lambda functions from scans, apply the tag CompanyAgentlessScanner:false to each resource. For detailed instructions on adding this tag, refer to the AWS documentation.

    Disable Agentless Scanning

    1. On the Cloud Security Management Setup page, click Cloud Integrations > AWS.
    2. To disable Agentless Scanning for an account, click the Edit button and toggle the Agentless Scanning section to the off position.
    3. Click Done.

    Uninstall with Terraform

    Follow the instructions for Terraform uninstallation.

    Further Reading

    Additional helpful documentation, links, and articles:

    Cloud Security Management Agentless ScanningDOCUMENTATION more more Agentless Scanning Quick Start for Cloud Security ManagementDOCUMENTATION more more Setting up Agentless Scanning using AWS CloudFormationDOCUMENTATION more more