From b8337697907733eb0b9b162bf0f605f12ceb2a93 Mon Sep 17 00:00:00 2001
From: Pierre Guilleminot
Date: Thu, 15 May 2025 16:37:09 +0200
Subject: [PATCH] [AGENTLESS] Avoid principal wildcard in trust relationship

---
 aws_quickstart/datadog_agentless_delegate_role.yaml | 4 +---
 aws_quickstart/datadog_agentless_scanning.yaml | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/aws_quickstart/datadog_agentless_delegate_role.yaml b/aws_quickstart/datadog_agentless_delegate_role.yaml
index bd7a7b74..0ac43831 100644
--- a/aws_quickstart/datadog_agentless_delegate_role.yaml
+++ b/aws_quickstart/datadog_agentless_delegate_role.yaml
@@ -220,10 +220,8 @@ Resources:
 - Sid: EC2AssumeRole
 Effect: Allow
 Principal:
- AWS: '*'
+ AWS: !Ref 'ScannerInstanceRoleARN'
 Condition:
- ArnLike:
- 'aws:PrincipalArn': !Ref 'ScannerInstanceRoleARN'
 StringEquals:
 'aws:PrincipalTag/Datadog': 'true'
 'aws:PrincipalTag/DatadogAgentlessScanner': 'true'
diff --git a/aws_quickstart/datadog_agentless_scanning.yaml b/aws_quickstart/datadog_agentless_scanning.yaml
index d948cde6..0a5f900f 100644
--- a/aws_quickstart/datadog_agentless_scanning.yaml
+++ b/aws_quickstart/datadog_agentless_scanning.yaml
@@ -744,10 +744,8 @@ Resources:
 - Sid: EC2AssumeRole
 Effect: Allow
 Principal:
- AWS: '*'
+ AWS: !GetAtt 'ScannerInstanceRole.Arn'
 Condition:
- ArnLike:
- 'aws:PrincipalArn': !GetAtt 'ScannerInstanceRole.Arn'
 StringEquals:
 'aws:PrincipalTag/Datadog': 'true'
 'aws:PrincipalTag/DatadogAgentlessScanner': 'true'
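Review bot: Pinning the `Principal` to a role ARN changes the failure mode of the EC2AssumeRole statement in a way the commit does not document: IAM resolves a role principal to its unique principal id at policy save time, so if the role behind `ScannerInstanceRoleARN` (a parameter here, presumably a role in another account or stack) is deleted and recreated, this trust silently stops matching until the delegate-role stack is redeployed, and IAM rejects the policy outright if that role does not yet exist when the stack is applied. The removed `ArnLike` on `aws:PrincipalArn` matched the ARN as a string and carried neither dependency, so the tightening is a good least-privilege move but deserves a comment next to the new line, e.g. `# Pinned to the scanner role ARN (no wildcard); if that role is recreated, IAM keeps the old unique id and this stack must be redeployed.` The same pattern is applied in the datadog_agentless_scanning.yaml hunk, where `!GetAtt` keeps the role inside the same stack so CloudFormation orders creation, though a role replacement there still needs the trust policy to be updated. The statement's Action and the enclosing policy document are outside the hunk.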