Setting up Cloud Security

Overview

To get started with Cloud Security, review the following:

Enable Agentless Scanning

Agentless Scanning is not available in the selected site ().

The simplest way to get started with Cloud Security is by enabling Agentless Scanning. Agentless Scanning provides the broadest coverage across your AWS, Azure, and GCP cloud infrastructure: it scans all hosts, running containers, and other supported workloads without requiring you to install anything on individual resources.

To learn more about Agentless Scanning, see Cloud Security Agentless Scanning.

Deploy the Agent for deeper context

Agentless Scanning covers your entire cloud infrastructure, but deploying the Datadog Agent on critical hosts adds deeper security context such as runtime vulnerability prioritization, real-time updates, and host benchmarks. The following table outlines the improvements offered by Agent-based deployments. For more information, see Setting up Cloud Security on the Agent.

FeatureAgentlessAgentless + Agent-based deploymentAgent-based deployment
Cloud Security Identity Risks
Cloud Security Misconfigurations
Host benchmarks
Cloud Security Vulnerabilities
Vulnerability prioritization
With runtime context
With runtime context
Vulnerability update frequency12 hoursReal timeReal time
Security Inbox
With more accurate insights
With more accurate insights

Enable additional features

Container Image Scanning in CI/CD

Scan container images for vulnerabilities during your CI/CD pipelines, before deploying images to production. The Datadog Security CLI runs directly in your CI jobs, giving you control over when and how scans are executed. For more information, see Container Image Scanning in CI/CD.

AWS CloudTrail Logs

Maximize the benefits of Cloud Security Identity Risks with AWS CloudTrail Logs. Gain deeper insights into cloud resource usage, identifying users and roles with significant gaps between provisioned and utilized permissions. For more information, check out Setting up AWS CloudTrail Logs for Cloud Security.

Deploy using cloud integrations

Monitor your compliance security coverage and secure your cloud infrastructure against IAM-based attacks by enabling resource scanning for AWS, Azure, GCP, and OCI resources. For more information, see Deploying Cloud Security using Cloud Integrations.

Disable Cloud Security

For information on disabling Cloud Security, see the following:

Further reading

Additional helpful documentation, links, and articles:

Supported Deployment TypesDOCUMENTATION more more AWS Fargate Configuration Guide for Datadog SecurityDOCUMENTATION more more Cloud Security Agent VariablesGUIDE more more