Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without requiring you to install the Datadog Agent. To learn more about Agentless Scanning’s capabilities and how it works, see the Agentless Scanning docs.

Prerequisites

Before setting up Agentless Scanning, ensure the following prerequisites are met:

  • Remote Configuration: Remote Configuration is required to enable Datadog to send information to Agentless scanners, such as which cloud resources to scan.

  • API and Application Keys:

    • An API key with Remote Configuration enabled is required for scanners to report scan results to Datadog.
    • An Application key with either Integrations Manage or Org Management permissions is required to enable scanning features through the Datadog API.
  • Cloud permissions: The Agentless Scanning instance requires specific permissions to scan hosts, host images, container registries, and functions. These permissions are automatically applied as part of the installation process and are strictly limited to the minimum permissions required to perform the necessary scans, following the principle of least privilege.

    AWS scanning permissions:

    • ebs:GetSnapshotBlock
    • ebs:ListChangedBlocks
    • ebs:ListSnapshotBlocks
    • ec2:CopySnapshot
    • ec2:CreateSnapshot
    • ec2:CreateTags
    • ec2:DeleteSnapshot
    • ec2:DeregisterImage
    • ec2:DescribeSnapshotAttribute
    • ec2:DescribeSnapshots
    • ec2:DescribeVolumes
    • ecr:BatchGetImage
    • ecr:GetAuthorizationToken
    • ecr:GetDownloadUrlForLayer
    • kms:CreateGrant
    • kms:Decrypt
    • kms:DescribeKey
    • lambda:GetFunction
    • lambda:GetLayerVersion

    Only when Sensitive Data Scanning (DSPM) is enabled:

    • kms:GenerateDataKey
    • s3:GetObject
    • s3:ListBucket

    Azure scanning permissions:

    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/beginGetAccess/action
    • Microsoft.Compute/disks/endGetAccess/action
    • Microsoft.ContainerRegistry/registries/pull/read

    GCP scanning permissions:

    • compute.disks.create
    • compute.disks.createSnapshot
    • compute.disks.delete
    • compute.disks.get
    • compute.disks.setLabels
    • compute.disks.use
    • compute.globalOperations.get
    • compute.images.get
    • compute.instances.attachDisk
    • compute.instances.detachDisk
    • compute.snapshots.create
    • compute.snapshots.get
    • compute.snapshots.list
    • compute.snapshots.delete
    • compute.snapshots.setLabels
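The least-privilege claim above is only true if the policy that actually lands on the scanner role stays equal to the documented list. The following added example (not Datadog's code or template) audits an IAM policy document against the AWS action list from this page: it collects the actions granted by Allow statements, flags wildcards and actions outside the documented set, and reports documented actions that are missing. The policy document it runs over is constructed for the example; IAM action matching is case-insensitive and wildcard-aware, which the check honours.

```python
"""Audit a scanner role's IAM policy against the documented permission list.

Added example (not Datadog's code or template): parses a policy document,
collects the actions granted by Allow statements, and reports wildcards,
actions outside the documented set, and documented actions that are not
granted. The policy below is constructed for the example.
"""
import fnmatch
import json

# AWS actions documented for the Agentless scanner role.
EXPECTED_ACTIONS = {
    "ebs:GetSnapshotBlock", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks",
    "ec2:CopySnapshot", "ec2:CreateSnapshot", "ec2:CreateTags",
    "ec2:DeleteSnapshot", "ec2:DeregisterImage", "ec2:DescribeSnapshotAttribute",
    "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
    "ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer",
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "lambda:GetFunction", "lambda:GetLayerVersion",
}
# Granted only when Sensitive Data Scanning (DSPM) is enabled.
DSPM_ACTIONS = {"kms:GenerateDataKey", "s3:GetObject", "s3:ListBucket"}

# Constructed sample: a deployed policy that drifted from the documented set
# (an ec2:* wildcard, and s3:GetObject granted although DSPM is not enabled).
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ebs:GetSnapshotBlock", "ebs:ListChangedBlocks",
                    "ebs:ListSnapshotBlocks", "ec2:*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecr:BatchGetImage", "ecr:GetAuthorizationToken",
                    "ecr:GetDownloadUrlForLayer"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                    "lambda:GetFunction", "lambda:GetLayerVersion", "s3:GetObject"]},
    ],
})


def _as_list(value):
    """IAM allows a single string wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> list:
    """Collect every action pattern granted by Allow statements (Deny is ignored)."""
    actions = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def audit_policy(policy: dict, dspm_enabled: bool = False) -> dict:
    """Compare granted actions with the documented set.

    IAM action names are case-insensitive and may contain * and ? wildcards,
    so each granted pattern is matched against the expected set in lowercase.
    """
    expected = EXPECTED_ACTIONS | (DSPM_ACTIONS if dspm_enabled else set())
    expected_lower = {a.lower(): a for a in expected}
    granted = allowed_actions(policy)

    wildcards = sorted(a for a in granted if "*" in a or "?" in a)
    covered = set()
    for pattern in granted:
        for lower, original in expected_lower.items():
            if fnmatch.fnmatchcase(lower, pattern.lower()):
                covered.add(original)
    extra = sorted(a for a in granted
                   if a not in wildcards and a.lower() not in expected_lower)
    missing = sorted(expected - covered)
    return {
        "wildcards": wildcards,  # patterns that may grant undocumented actions
        "extra": extra,          # exact actions outside the documented set
        "missing": missing,      # documented actions the policy does not grant
        "least_privilege": not wildcards and not extra and not missing,
    }


if __name__ == "__main__":
    for key, value in audit_policy(json.loads(SAMPLE_POLICY_JSON)).items():
        print(f"{key}: {value}")
```

Feed `audit_policy` the output of a policy export (for example the document returned by `aws iam get-role-policy`) and pass `dspm_enabled=True` only for accounts where Sensitive Data Scanning is on; a wildcard such as `ec2:*` is reported even though it covers every documented ec2 action, because it also covers actions the scanner was never meant to have.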

Setup

To enable Agentless Scanning, use one of the following workflows:

Quick start

Designed for new users, the quick start workflow offers an efficient setup process for Cloud Security, enabling immediate monitoring of AWS resources. It uses AWS CloudFormation to automate the configuration, and includes the Cloud Security features: Misconfigurations, Identity Risks (CIEM), and Vulnerability Management.

This article provides instructions for the new user quick start workflow that uses AWS CloudFormation to set up Agentless Scanning. For existing users who want to add a new AWS account or enable Agentless Scanning on an existing integrated AWS account, see the instructions for Terraform or AWS CloudFormation.

Sensitive Data Scanner for cloud storage is in Limited Availability. Request Access to enroll.

Installation

  1. On the Intro to Cloud Security page, click Get Started with Cloud Security.
  2. Click Quick Start. The Features page is displayed, showing the features included with Agentless Scanning Quick Start.
  3. Click Start Using Cloud Security to continue.
  4. Select the AWS region where you want to create the CloudFormation stack.
  5. Select an API key that has Remote Configuration enabled.
  6. Choose whether to enable Sensitive Data Scanner for cloud storage. This automatically catalogs and classifies sensitive data in Amazon S3 resources.
  7. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.
Update the CloudFormation stack

Datadog recommends updating the CloudFormation stack regularly, so you can get access to new features and bug fixes as they get released. To do so, follow these steps:

  1. Log in to your AWS console and go to the CloudFormation Stacks page.
  2. Select the DatadogIntegration-DatadogAgentlessScanning-… CloudFormation sub-stack, click Update, then click Update nested stack.
  3. Click Replace existing template.
  4. In the following S3 URL: https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/<VERSION>/datadog_agentless_scanning.yaml, replace <VERSION> with the version found in aws_quickstart/version.txt. Paste that URL into the Amazon S3 URL field.
  5. Click Next to advance through the next several pages without modifying them, then submit the form.

AWS Cloudformation

Use the AWS CloudFormation template to create a CloudFormation stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

If you’ve already set up Cloud Security and want to add a new cloud account or enable Agentless Scanning on an existing integrated AWS account, you can use either Terraform or AWS CloudFormation. This article provides detailed instructions for the AWS CloudFormation approach.

If you're setting up Cloud Security for the first time, you can follow the quick start workflow, which also uses AWS CloudFormation to enable Agentless Scanning.

Sensitive Data Scanner for cloud storage is in Limited Availability. Request Access to enroll.

Set up AWS CloudFormation

Add a new AWS account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Select the AWS region where you want to create the CloudFormation stack.
  4. Select an API key that has Remote Configuration enabled.
  5. Choose whether to enable Sensitive Data Scanner for cloud storage. This automatically catalogs and classifies sensitive data in Amazon S3 resources.
  6. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack. The template includes the IAM permissions required to deploy and manage Agentless scanners.

Enable Agentless Scanning on an existing AWS account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. Click the AWS account where you want to deploy the Agentless scanner, which opens the side panel.
  3. On the Features tab, click Configure Agentless Scanning or Manage to open the Agentless Scanning Setup modal.
  4. In the How would you like to set up Agentless Scanning? section, select CloudFormation.
  5. Select an API key that has Remote Configuration enabled.
  6. Toggle the features you want to enable, such as Vulnerability Management or Sensitive Data Scanner.
  7. Click Launch CloudFormation Template. A new window opens, displaying the AWS CloudFormation screen. Use the provided CloudFormation template to create a stack.
  8. Click Done.

AWS CloudFormation StackSet (Multi-Account)

For AWS Organizations with multiple accounts, use a CloudFormation StackSet to deploy the Agentless Scanning delegate role across all member accounts. This approach automates the onboarding process and ensures new accounts added to your Organization are automatically configured.

This setup deploys the delegate role required for cross-account scanning across your AWS Organization or specific Organizational Units (OUs).

Prerequisites
  1. Access to the AWS management account.
  2. Trusted Access with AWS Organizations must be enabled for CloudFormation StackSets.
  3. Agentless Scanning must already be configured in your central scanning account. See AWS CloudFormation or Terraform setup.
Deploy the StackSet
  1. Log in to your AWS management account and navigate to CloudFormation > StackSets.

  2. Click Create StackSet.

  3. Select Service-managed permissions.

  4. Under Specify template, select Amazon S3 URL and enter the following URL:

   https://datadog-cloudformation-template-quickstart.s3.amazonaws.com/aws/v4.3.1/datadog_agentless_delegate_role_stackset.yaml
  5. Enter a StackSet name (for example, DatadogAgentlessScanningStackSet).
  6. Configure the required parameters:
    • ScannerInstanceRoleARN: The ARN of the IAM role attached to your Agentless scanner instances.

    The ScannerInstanceRoleARN must be the exact ARN of the scanner instance role (for example, arn:aws:iam::123456789012:role/DatadogAgentlessScannerRole). Using a root ARN such as arn:aws:iam::123456789012:root does not work.

    The ScannerInstanceRoleARN establishes a trust relationship between the delegate role (created in target accounts) and your scanner instances (already running in the central account). This enables cross-account scanning where:

      1. The scanner runs in Account A.
      2. The delegate role exists in Accounts B, C, D (deployed through the StackSet).
      3. The scanner assumes the delegate roles to scan resources in those accounts.
  7. Set Deployment targets to deploy across your Organization or specific OUs.
  8. Enable Automatic deployment to automatically configure new accounts added to your Organization.
  9. Select a single region for deployment (the IAM role is global and only needs to be deployed once per account).
  10. Review and submit the StackSet.

After the StackSet deploys successfully, the member accounts are configured to allow cross-account scanning from your central scanner account.
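Two things are worth checking before and after a StackSet run: that the value handed to ScannerInstanceRoleARN is really a role ARN (not the account root ARN the text warns about), and that the delegate role created in each member account trusts exactly that role for sts:AssumeRole rather than a whole account or anyone. The following added example (not Datadog's code or template) does both checks over constructed trust policies; the account ID is the page's placeholder and the role name is assumed.

```python
"""Check the ScannerInstanceRoleARN parameter and a delegate role's trust policy.

Added example (not Datadog's code or template): validates that the value
passed as ScannerInstanceRoleARN is an IAM role ARN rather than an account
root ARN, and audits a delegate role's trust policy for whether it names
that exact scanner role and whether it trusts anything broader. The ARNs and
trust policies below are constructed; the account ID is a placeholder.
"""
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path and name>
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_scanner_role_arn(arn: str) -> dict:
    """Return the account ID and role name, or raise ValueError on anything else.

    The StackSet parameter needs the scanner instance role itself; an account
    root ARN (...:root) is rejected explicitly, as the docs say it does not work.
    """
    if arn.endswith(":root"):
        raise ValueError(f"{arn} is an account root ARN, not the scanner role ARN")
    match = ROLE_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"{arn} is not an IAM role ARN")
    return {"account": match.group(1), "role_name": match.group(2)}


def is_scanner_role_arn(arn: str) -> bool:
    """Boolean form of parse_scanner_role_arn for quick parameter validation."""
    try:
        parse_scanner_role_arn(arn)
        return True
    except ValueError:
        return False


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal) -> list:
    """Extract AWS principals; a bare "*" and {"AWS": "*"} both mean anyone."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def audit_delegate_trust(trust_policy: dict, scanner_role_arn: str) -> dict:
    """Report whether an Allow sts:AssumeRole statement names exactly the scanner
    role, and list every principal that is broader than a single role."""
    parse_scanner_role_arn(scanner_role_arn)  # fail fast on a bad parameter
    trusts_scanner = False
    broad = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        for principal in _aws_principals(stmt.get("Principal")):
            if principal == scanner_role_arn:
                trusts_scanner = True
            elif principal == "*" or principal.endswith(":root") or principal.isdigit():
                broad.append(principal)  # whole account or anyone, not one role
    return {"trusts_scanner": trusts_scanner, "broad_principals": sorted(broad)}


# Constructed examples (placeholder account ID, assumed role name).
SCANNER_ROLE_ARN = "arn:aws:iam::123456789012:role/DatadogAgentlessScannerRole"

GOOD_TRUST_POLICY = {  # delegate role in a member account trusting only the scanner role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": SCANNER_ROLE_ARN}}],
}

BROAD_TRUST_POLICY = {  # trusts the whole central account instead of the role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}],
}

if __name__ == "__main__":
    print(audit_delegate_trust(GOOD_TRUST_POLICY, SCANNER_ROLE_ARN))
    print(audit_delegate_trust(BROAD_TRUST_POLICY, SCANNER_ROLE_ARN))
```

Run `audit_delegate_trust` over the trust policy of the delegate role in each member account (the document returned by `aws iam get-role` under `AssumeRolePolicyDocument`): a result with `trusts_scanner` false or a non-empty `broad_principals` list means the StackSet parameter or the deployed trust relationship does not match what this section describes.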


GCP Cloud Shell

Use Google Cloud Shell to set up Agentless Scanning for your GCP projects. This method downloads a setup script that you can review before running it; the script wraps the Terraform Datadog Agentless Scanner module for GCP, so the installation is straightforward and you do not need to manage Terraform directly.

If you’ve already set up Cloud Security and want to enable Agentless Scanning on an existing integrated GCP project, you can use Google Cloud Shell for a guided setup experience.

Set up GCP Cloud Shell
  1. On the Cloud Security Setup page, click Cloud Integrations > GCP.
  2. Expand the account containing the project where you want to deploy the Agentless scanner.
  3. Click the Enable button for the GCP project where you want to deploy the Agentless scanner. The Vulnerability Scanning modal opens.
  4. In the How would you like to set up Agentless Scanning? section, select Cloud Shell.
  5. Select an API key that has Remote Configuration enabled.
  6. Create an Application key.
  7. Select the GCP projects you want to scan.
  8. Configure the Scanner project (the project where the scanner will be deployed, which must be one of the selected projects) and Scanner region.
  9. Click Open Google Cloud Shell. Google Cloud Shell opens with the setup command displayed in the terminal.
  10. Review the command, then run it in Google Cloud Shell. The command downloads the setup script, which applies the Terraform Datadog Agentless Scanner module for GCP to deploy and configure the scanner in your selected project and region.
  11. After the command completes successfully, return to the Datadog setup page and click Done.

Azure Resource Manager

Use the Azure Resource Manager template to deploy the Agentless Scanner. The template includes the role definitions required to deploy and manage Agentless scanners.

If you’ve already set up Cloud Security and want to add a new Azure subscription or enable Agentless Scanning on an existing integrated Azure subscription, you can use either Terraform or Azure Resource Manager. This article provides detailed instructions for the Azure Resource Manager approach.

Set up the Datadog Azure integration

Follow the instructions for setting up the Datadog Azure integration.

Enable Agentless Scanning for your Azure subscriptions

Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

Cloud Security Setup page

  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Locate the tenant ID of your subscription.
  3. (Optional) To enable detection of misconfigurations, toggle Resource Scanning to the on position.
  4. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
  5. Click the Enable button under Vulnerability Scanning.
  6. The Vulnerability Scanning dialog is displayed. Toggle Vulnerability Scanning to the on position.
  7. Under How would you like to set up Agentless Scanning?, select Azure Resource Manager.
  8. Click Launch Azure Resource Manager to be redirected to the Azure portal.

Azure portal

  1. Log in to the Azure portal. The template creation form is displayed.
  2. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
  3. In Subscriptions to scan, select all the subscriptions you want to scan.
  4. Enter your Datadog API Key, select your Datadog Site, and fill out the remainder of the form.
  5. Click on Review + create.


Terraform

The Terraform Datadog Agentless Scanner module provides a simple and reusable configuration for installing the Datadog Agentless scanner for AWS, Azure, and GCP.

If you’ve already set up Cloud Security and want to add a new cloud account or enable Agentless Scanning on an existing integrated cloud account, you can use either Terraform, AWS CloudFormation, or Azure Resource Manager. This article provides detailed instructions for the Terraform approach.

If you're setting up Cloud Security for the first time, you can follow the quick start workflow, which uses AWS CloudFormation to enable Agentless Scanning.

AWS: add a new account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. At the bottom of the AWS section, click Add AWS accounts by following these steps. The Add New AWS Account(s) dialog is displayed.
  3. Under Choose a method for adding your AWS account, select Manually.
  4. Follow the instructions for installing the Datadog Agentless Scanner module.
  5. Select the I confirm that the Datadog IAM Role has been added to the AWS Account checkbox.
  6. Enter the AWS Account ID and AWS Role Name.
  7. Click Save.

AWS: existing account

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. Click the AWS account where you want to deploy the Agentless scanner to open the side panel.
  3. On the Features tab, click Configure Agentless Scanning or Manage to open the Agentless Scanning Setup modal.
  4. In the How would you like to set up Agentless Scanning? section, select Terraform.
  5. Follow the instructions for installing the Datadog Agentless Scanner module.
  6. Select the I confirm the Terraform module is installed check box.
  7. Click Done.

Azure

  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Expand the Tenant containing the subscription where you want to deploy the Agentless scanner.
  3. Click the Enable button for the Azure subscription where you want to deploy the Agentless scanner.
  4. Toggle Vulnerability Scanning to the on position.
  5. In the How would you like to set up Agentless Scanning? section, select Terraform.
  6. Follow the instructions for installing the Datadog Agentless Scanner module.
  7. Click Done.

GCP

  1. On the Cloud Security Setup page, click Cloud Integrations > GCP.
  2. Expand the account containing the project where you want to deploy the Agentless scanner.
  3. Click the Enable button for the GCP project where you want to deploy the Agentless scanner.
  4. Toggle Vulnerability Scanning to the on position.
  5. Follow the instructions for installing the Datadog Agentless Scanner module.
  6. Click Done.

Update the Terraform modules version

Update the source reference for the Agentless Scanner modules to the latest release. You can find the latest version on GitHub Releases.

For usage examples, refer to our GitHub repository.

Configuration

Verify your setup

After completing the setup, you can verify that Agentless Scanning is working correctly by checking for scan results in Datadog. Results typically appear after the first scan cycle completes.

View scan results in the following locations:

Exclude resources from scans

To exclude hosts, containers, and functions from scans, apply the tag DatadogAgentlessScanner:false to each resource. For detailed instructions, refer to the Resource Filters documentation.

Disable Agentless scanning

AWS

  1. On the Cloud Security Setup page, click Cloud Integrations > AWS.
  2. If required, use filters to find the account you want to stop agentless scanning for. Click the account to open the side panel that contains its settings.
  3. On the Features tab, click Configure Agentless Scanning or Manage to open the Agentless Scanning Setup modal.
  4. Under How would you like to set up Agentless scanning?, click Terraform.
  5. Under Enable Features, beside Enable Agentless Vulnerability management, switch the toggle to the off position.
  6. Click Done.

Azure

  1. On the Cloud Security Setup page, click Cloud Integrations > Azure.
  2. Locate your subscription's tenant, expand the list of subscriptions, and identify the subscription for which you want to disable Agentless Scanning.
  3. Beside the Enabled label, click the Edit button to open the Vulnerability Scanning modal.
  4. Beside Vulnerability Scanning, switch the toggle to the off position.
  5. Click Done.

GCP

  1. On the Cloud Security Setup page, click Cloud Integrations > GCP.
  2. Expand the account containing the project where you want to disable Agentless scanning.
  3. Beside the Enabled label, click the Edit button to open the Vulnerability Scanning modal.
  4. Beside Vulnerability Scanning, switch the toggle to the off position.
  5. Click Done.

Uninstall Agentless scanning

Terraform

To uninstall Agentless Scanning, remove the scanner module from your Terraform code. For more information, see the Terraform module documentation.

AWS CloudFormation

To uninstall Agentless Scanning, log in to your AWS console and delete the CloudFormation stack created for Agentless Scanning.

GCP Cloud Shell

To uninstall Agentless Scanning that was set up using Google Cloud Shell, run the same setup command you used during installation, replacing deploy with destroy at the end. For example:

curl -sSL "<CLOUD_SHELL_SCRIPT_URL>" -o gcp_agentless_setup.pyz && \
DD_API_KEY="<DD_API_KEY>" \
DD_APP_KEY="<DD_APP_KEY>" \
DD_SITE="<DD_SITE>" \
SCANNER_PROJECT="<SCANNER_PROJECT>" \
SCANNER_REGIONS="<SCANNER_REGION>" \
PROJECTS_TO_SCAN="<PROJECTS>" \
python3 gcp_agentless_setup.pyz destroy

You can review the setup script source before running the command.

Azure Resource Manager

To uninstall Agentless Scanning, log in to your Azure subscription. If you created a dedicated resource group for the Agentless scanner, delete this resource group along with the following Azure role definitions:

  • Datadog Agentless Scanner Role
  • Datadog Agentless Scanner Delegate Role

If you did not use a dedicated resource group, you must manually delete the scanner resources, which can be identified by the tags Datadog:true and DatadogAgentlessScanner:true.

Further reading