From 3cc1db3f6ca20c1bb997695315e2f502aa923e37 Mon Sep 17 00:00:00 2001
From: Moez Ezzeddine
Date: Fri, 19 Dec 2025 18:17:41 +0100
Subject: [PATCH 1/4] Add stack to be used in stackset to deploy Agentless
---
 ...adog_agentless_delegate_role_stackset.yaml | 377 ++++++++++++++++++
 1 file changed, 377 insertions(+)
 create mode 100644 aws_quickstart/datadog_agentless_delegate_role_stackset.yaml
diff --git a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml
new file mode 100644
index 0000000..5ede6f2
--- /dev/null
+++ b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml
@@ -0,0 +1,377 @@
+# version: v
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Creates a Datadog Agentless Scanning delegate role for StackSet deployment
+
+Parameters:
+ ScannerInstanceRoleARN:
+ Type: CommaDelimitedList
+ Description: The ARNs of the roles of the Datadog Agentless Scanner instances that will assume the delegate role.
+
+ ScannerDelegateRoleName:
+ Type: String
+ Description: The name of the role assumed by the Datadog Agentless Scanner
+ Default: DatadogAgentlessScannerDelegateRole
+
+ DatadogAPIKey:
+ Type: String
+ AllowedPattern: "[0-9a-f]{32}"
+ Description: API key for the Datadog account
+ NoEcho: true
+
+ DatadogAPPKey:
+ Type: String
+ AllowedPattern: "[0-9a-f]{40}"
+ Description: Application key for the Datadog account
+ NoEcho: true
+
+ DatadogSite:
+ Type: String
+ Description: The Datadog site to use for the Datadog Agentless Scanner
+ Default: datadoghq.com
+ AllowedValues:
+ - datadoghq.com
+ - datadoghq.eu
+ - us3.datadoghq.com
+ - us5.datadoghq.com
+ - ap1.datadoghq.com
+ - ap2.datadoghq.com
+
+ AgentlessHostScanning:
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ Description: Enable Agentless Scanning of host vulnerabilities.
+ Default: false
+
+ AgentlessContainerScanning:
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ Description: Enable Agentless Scanning of container vulnerabilities.
+ Default: false
+
+ AgentlessLambdaScanning:
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ Description: Enable Agentless Scanning of Lambda vulnerabilities.
+ Default: false
+
+ AgentlessSensitiveDataScanning:
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ Description: Enable Agentless Scanning of datastores (S3 buckets).
+ Default: false
+
+Conditions:
+ DSPMEnabled: !Equals
+ - !Ref 'AgentlessSensitiveDataScanning'
+ - 'true'
+
+Resources:
+ ScannerDelegateRoleOrchestratorPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ Description: Policy for the Datadog Agentless Scanner orchestrator allowing the creation and deletion of snapshots.
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: DatadogAgentlessScannerResourceTagging
+ Action: 'ec2:CreateTags'
+ Effect: Allow
+ Resource:
+ - 'arn:aws:ec2:*:*:volume/*'
+ - 'arn:aws:ec2:*:*:snapshot/*'
+ - 'arn:aws:ec2:*:*:image/*'
+ Condition:
+ StringEquals:
+ 'ec2:CreateAction':
+ - CreateSnapshot
+ - CreateVolume
+ - CopySnapshot
+ - CopyImage
+ - Sid: DatadogAgentlessScannerVolumeSnapshotCreation
+ Action: 'ec2:CreateSnapshot'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:volume/*'
+ Condition:
+ StringNotEquals:
+ 'aws:ResourceTag/DatadogAgentlessScanner': 'false'
+ - Sid: DatadogAgentlessScannerCopySnapshotSource
+ Action: 'ec2:CopySnapshot'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:snapshot/snap-*'
+ - Sid: DatadogAgentlessScannerCopySnapshotDestination
+ Action: 'ec2:CopySnapshot'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:snapshot/${*}'
+ Condition:
+ 'ForAllValues:StringLike':
+ 'aws:TagKeys': DatadogAgentlessScanner*
+ StringEquals:
+ 'aws:RequestTag/DatadogAgentlessScanner': 'true'
+ - Sid: DatadogAgentlessScannerSnapshotCreation
+ Action: 'ec2:CreateSnapshot'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:snapshot/*'
+ Condition:
+ 'ForAllValues:StringLike':
+ 'aws:TagKeys': DatadogAgentlessScanner*
+ StringEquals:
+ 'aws:RequestTag/DatadogAgentlessScanner': 'true'
+ - Sid: DatadogAgentlessScannerSnapshotCleanup
+ Action: 'ec2:DeleteSnapshot'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:snapshot/*'
+ Condition:
+ StringEquals:
+ 'aws:ResourceTag/DatadogAgentlessScanner': 'true'
+ - Sid: DatadogAgentlessScannerDescribeSnapshots
+ Action: 'ec2:DescribeSnapshots'
+ Effect: Allow
+ Resource: '*'
+ - Sid: DatadogAgentlessScannerEncryptedCopyGrant
+ Action: 'kms:CreateGrant'
+ Effect: Allow
+ Resource: 'arn:aws:kms:*:*:key/*'
+ Condition:
+ 'ForAnyValue:StringEquals':
+ 'kms:EncryptionContextKeys': 'aws:ebs:id'
+ StringLike:
+ 'kms:ViaService': 'ec2.*.amazonaws.com'
+ Bool:
+ 'kms:GrantIsForAWSResource': true
+ - Sid: DatadogAgentlessScannerEncryptedCopyDescribe
+ Action: 'kms:DescribeKey'
+ Effect: Allow
+ Resource: 'arn:aws:kms:*:*:key/*'
+ - Sid: DatadogAgentlessScannerImageCleanup
+ Action: 'ec2:DeregisterImage'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:image/*'
+ Condition:
+ StringEquals:
+ 'aws:ResourceTag/DatadogAgentlessScanner': 'true'
+
+ ScannerDelegateRoleWorkerPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ Description: Policy for the Datadog Agentless Scanner worker allowing the listing and reading of snapshots.
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: DatadogAgentlessScannerSnapshotAccess
+ Action:
+ - 'ebs:ListSnapshotBlocks'
+ - 'ebs:ListChangedBlocks'
+ - 'ebs:GetSnapshotBlock'
+ Effect: Allow
+ Resource: 'arn:aws:ec2:*:*:snapshot/*'
+ Condition:
+ StringEquals:
+ 'aws:ResourceTag/DatadogAgentlessScanner': 'true'
+ - Sid: DatadogAgentlessScannerDescribeSnapshots
+ Action: 'ec2:DescribeSnapshots'
+ Effect: Allow
+ Resource: '*'
+ - Sid: DatadogAgentlessScannerDescribeVolumes
+ Action: 'ec2:DescribeVolumes'
+ Effect: Allow
+ Resource: '*'
+ - Sid: DatadogAgentlessScannerDecryptEncryptedSnapshots
+ Action: 'kms:Decrypt'
+ Effect: Allow
+ Resource: 'arn:aws:kms:*:*:key/*'
+ Condition:
+ 'ForAnyValue:StringEquals':
+ 'kms:EncryptionContextKeys': 'aws:ebs:id'
+ StringLike:
+ 'kms:ViaService': 'ec2.*.amazonaws.com'
+ - Sid: DatadogAgentlessScannerKMSDescribe
+ Action: 'kms:DescribeKey'
+ Effect: Allow
+ Resource: 'arn:aws:kms:*:*:key/*'
+ - Sid: DatadogAgentlessScannerGetLambdaDetails
+ Action: 'lambda:GetFunction'
+ Effect: Allow
+ Resource: 'arn:aws:lambda:*:*:function:*'
+ Condition:
+ StringNotEquals:
+ 'aws:ResourceTag/DatadogAgentlessScanner': 'false'
+ - Sid: DatadogAgentlessScannerGetLambdaLayerDetails
+ Action: 'lambda:GetLayerVersion'
+ Effect: Allow
+ Resource: 'arn:aws:lambda:*:*:layer:*:*'
+ Condition:
+ StringNotEquals:
+ 'aws:ResourceTag/DatadogAgentlessScanner': 'false'
+ - Sid: DatadogAgentlessScannerECRAuthorizationToken
+ Action:
+ - "ecr:GetAuthorizationToken"
+ Effect: Allow
+ Resource: "*"
+ - Sid: DatadogAgentlessScannerECRImages
+ Action:
+ - "ecr:GetDownloadUrlForLayer"
+ - "ecr:BatchGetImage"
+ Condition:
+ StringNotEquals:
+ "ecr:ResourceTag/DatadogAgentlessScanner": "false"
+ Effect: Allow
+ Resource: "arn:aws:ecr:*:*:repository/*"
+
+ ScannerDelegateRoleWorkerDSPMPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Condition: DSPMEnabled
+ Properties:
+ Description: Policy for the Datadog Agentless Scanner worker allowing the listing and reading of S3 buckets.
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: DatadogAgentlessScannerAccessS3Objects
+ Action: 's3:GetObject'
+ Effect: Allow
+ Resource: 'arn:aws:s3:::*/*'
+ - Sid: DatadogAgentlessScannerListS3Buckets
+ Action: 's3:ListBucket'
+ Effect: Allow
+ Resource: 'arn:aws:s3:::*'
+ - Sid: DatadogAgentlessScannerDecryptS3Objects
+ Action:
+ - 'kms:Decrypt'
+ - 'kms:GenerateDataKey'
+ Effect: Allow
+ Resource: 'arn:aws:kms:*:*:key/*'
+ Condition:
+ StringLike:
+ 'kms:ViaService': 's3.*.amazonaws.com'
+
+ ScannerDelegateRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: !Ref 'ScannerDelegateRoleName'
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: EC2AssumeRole
+ Effect: Allow
+ Principal:
+ AWS: '*'
+ Condition:
+ 'ArnLike':
+ 'aws:PrincipalArn': !Ref 'ScannerInstanceRoleARN'
+ StringEquals:
+ 'aws:PrincipalTag/Datadog': 'true'
+ 'aws:PrincipalTag/DatadogAgentlessScanner': 'true'
+ Action: 'sts:AssumeRole'
+ MaxSessionDuration: 3600
+ ManagedPolicyArns:
+ - !Ref 'ScannerDelegateRoleOrchestratorPolicy'
+ - !Ref 'ScannerDelegateRoleWorkerPolicy'
+ - !If [DSPMEnabled, !Ref 'ScannerDelegateRoleWorkerDSPMPolicy', !Ref 'AWS::NoValue']
+ Description: Role assumed by the Datadog Agentless scanner agent to perform scans
+ Tags:
+ - Key: DatadogAgentlessScanner
+ Value: 'true'
+ - Key: Datadog
+ Value: 'true'
+
+ LambdaExecutionRoleDatadogAgentlessAPICall:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action:
+ - sts:AssumeRole
+ Path: "/"
+ ManagedPolicyArns:
+ - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+
+ DatadogAgentlessAPICall:
+ Type: "Custom::DatadogAgentlessAPICall"
+ Properties:
+ ServiceToken: !GetAtt "DatadogAgentlessAPICallFunction.Arn"
+ TemplateVersion: ""
+ APIKey: !Ref "DatadogAPIKey"
+ APPKey: !Ref "DatadogAPPKey"
+ DatadogSite: !Ref "DatadogSite"
+ AccountId: !Ref "AWS::AccountId"
+ Hosts: !Ref "AgentlessHostScanning"
+ Containers: !Ref "AgentlessContainerScanning"
+ Lambdas: !Ref "AgentlessLambdaScanning"
+ SensitiveData: !Ref "AgentlessSensitiveDataScanning"
+ # Optional parameters
+ DelegateRoleArn: !GetAtt "ScannerDelegateRole.Arn"
+ OrchestratorPolicyArn: !Ref "ScannerDelegateRoleOrchestratorPolicy"
+ WorkerPolicyArn: !Ref "ScannerDelegateRoleWorkerPolicy"
+ WorkerDSPMPolicyArn: !If [DSPMEnabled, !Ref "ScannerDelegateRoleWorkerDSPMPolicy", !Ref "AWS::NoValue"]
+
+ DatadogAgentlessAPICallFunction:
+ Type: "AWS::Lambda::Function"
+ Properties:
+ Description: A function to call the Datadog Agentless API.
+ Role: !GetAtt LambdaExecutionRoleDatadogAgentlessAPICall.Arn
+ Handler: "index.handler"
+ LoggingConfig:
+ ApplicationLogLevel: "INFO"
+ LogFormat: "JSON"
+ Runtime: "python3.13"
+ Timeout: 30
+ Code:
+ ZipFile: |
+
+
+Outputs:
+ ScannerDelegateRoleArn:
+ Description: ARN of the Datadog Agentless Scanner Delegate Role
+ Value: !GetAtt 'ScannerDelegateRole.Arn'
+ Export:
+ Name: !Sub '${AWS::StackName}-DelegateRoleArn'
+
+ OrchestratorPolicyArn:
+ Description: ARN of the Orchestrator Policy
+ Value: !Ref 'ScannerDelegateRoleOrchestratorPolicy'
+ Export:
+ Name: !Sub '${AWS::StackName}-OrchestratorPolicyArn'
+
+ WorkerPolicyArn:
+ Description: ARN of the Worker Policy
+ Value: !Ref 'ScannerDelegateRoleWorkerPolicy'
+ Export:
+ Name: !Sub '${AWS::StackName}-WorkerPolicyArn'
+
+ WorkerDSPMPolicyArn:
+ Condition: DSPMEnabled
+ Description: ARN of the Worker DSPM Policy
+ Value: !Ref 'ScannerDelegateRoleWorkerDSPMPolicy'
+ Export:
+ Name: !Sub '${AWS::StackName}-WorkerDSPMPolicyArn'
+
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: "Required"
+ Parameters:
+ - ScannerInstanceRoleARN
+ - ScannerDelegateRoleName
+ - DatadogAPIKey
+ - DatadogAPPKey
+ - DatadogSite
+ - Label:
+ default: "Scanning Options"
+ Parameters:
+ - AgentlessHostScanning
+ - AgentlessContainerScanning
+ - AgentlessLambdaScanning
+ - AgentlessSensitiveDataScanning
From bfd266f64aa11bf0e64754b5f426d165abdc766e Mon Sep 17 00:00:00 2001
From: Moez Ezzeddine
Date: Mon, 22 Dec 2025 14:30:22 +0100
Subject: [PATCH 2/4] Merge scanning options into one option
---
 ...adog_agentless_delegate_role_stackset.yaml | 32 ++++---------------
 1 file changed, 7 insertions(+), 25 deletions(-)
diff --git a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml
index 5ede6f2..dcf9499 100644
--- a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml
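Review bot: `APIKey: !Ref "DatadogAPIKey"` and `APPKey: !Ref "DatadogAPPKey"` hand both Datadog secrets to the `DatadogAgentlessAPICall` custom resource as plain properties, and `NoEcho` only masks parameter display — the resolved values are delivered to `DatadogAgentlessAPICallFunction` inside the request's ResourceProperties, so with `ApplicationLogLevel: "INFO"` a handler that logs the incoming event (the handler is not visible here; `ZipFile: |` appears empty in this hunk, possibly a stripped placeholder) would write them to CloudWatch Logs. A comment above the two properties such as `# Secrets travel in the custom-resource event payload; the handler must never log ResourceProperties` would pin that contract, or the function could fetch the keys from Secrets Manager/SSM by name instead. Separately, the `ScannerDelegateRole` trust policy uses `Principal: AWS: '*'` narrowed by `ArnLike aws:PrincipalArn` on the `ScannerInstanceRoleARN` list, and `ArnLike` honours `*`/`?` in the supplied values while the `aws:PrincipalTag/*` checks are satisfied by tags the calling account sets on its own role, so a wildcarded entry would open the role to any matching account; `ArnEquals`, or an `AllowedPattern` on the parameter that rejects wildcards, would close that. Also, `kms:GenerateDataKey` in `ScannerDelegateRoleWorkerDSPMPolicy` is not needed for `s3:GetObject` on SSE-KMS objects (only `kms:Decrypt` is), so it looks droppable for a read-only scanner.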
+++ b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml @@ -36,29 +36,13 @@ Parameters: - ap1.datadoghq.com - ap2.datadoghq.com - AgentlessHostScanning: + AgentlessVulnerabilityScanning: Type: String AllowedValues: - true - false - Description: Enable Agentless Scanning of host vulnerabilities. - Default: false - - AgentlessContainerScanning: - Type: String - AllowedValues: - - true - - false - Description: Enable Agentless Scanning of container vulnerabilities. - Default: false - - AgentlessLambdaScanning: - Type: String - AllowedValues: - - true - - false - Description: Enable Agentless Scanning of Lambda vulnerabilities. - Default: false + Description: Enable Agentless Vulnerability Scanning (hosts, containers, and Lambda functions). + Default: true AgentlessSensitiveDataScanning: Type: String @@ -306,9 +290,9 @@ Resources: APPKey: !Ref "DatadogAPPKey" DatadogSite: !Ref "DatadogSite" AccountId: !Ref "AWS::AccountId" - Hosts: !Ref "AgentlessHostScanning" - Containers: !Ref "AgentlessContainerScanning" - Lambdas: !Ref "AgentlessLambdaScanning" + Hosts: !Ref "AgentlessVulnerabilityScanning" + Containers: !Ref "AgentlessVulnerabilityScanning" + Lambdas: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" # Optional parameters DelegateRoleArn: !GetAtt "ScannerDelegateRole.Arn" @@ -371,7 +355,5 @@ Metadata: - Label: default: "Scanning Options" Parameters: - - AgentlessHostScanning - - AgentlessContainerScanning - - AgentlessLambdaScanning + - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning From 8810d5dcf79041dce4f88ffd5037ee20901abf7f Mon Sep 17 00:00:00 2001 From: Moez Ezzeddine Date: Tue, 23 Dec 2025 11:29:29 +0100 Subject: [PATCH 3/4] Add stackset file to release script --- aws_quickstart/release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws_quickstart/release.sh b/aws_quickstart/release.sh index 47ffc0f..53c3133 100755 --- a/aws_quickstart/release.sh 
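Review bot: `Default: true` on the new `AgentlessVulnerabilityScanning` parameter flips the default from the `false` that each of the three parameters it replaces carried, so a StackSet instance created without an explicit value now enables host, container and Lambda scanning in every target account; stating this in the Description, e.g. `Description: Enable Agentless Vulnerability Scanning (hosts, containers, and Lambda functions). Enabled by default.`, keeps the opt-out visible to operators. The default is also an unquoted YAML boolean on a `Type: String` parameter whereas the template elsewhere compares the string `'true'` (the `DSPMEnabled` condition), so `Default: 'true'` would keep the type unambiguous; the unquoted `AllowedValues` entries are pre-existing context. The `Parameters` section continues on both sides of the hunk.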
+++ b/aws_quickstart/release.sh
@@ -64,7 +64,7 @@ for template in main_workflow.yaml main_v2.yaml main_extended.yaml; do
 done
 # Process Agentless Scanning templates
-for template in datadog_agentless_delegate_role.yaml datadog_agentless_scanning.yaml datadog_agentless_delegate_role_snapshot.yaml datadog_integration_autoscaling_policy.yaml datadog_integration_sds_policy.yaml; do
+for template in datadog_agentless_delegate_role.yaml datadog_agentless_scanning.yaml datadog_agentless_delegate_role_snapshot.yaml datadog_integration_autoscaling_policy.yaml datadog_integration_sds_policy.yaml datadog_agentless_delegate_role_stackset.yaml; do
 # Note: unlike above, here we remove the 'v' prefix from the version
 perl -pi -e "s//${VERSION#v}/g" "$template"
From 37233bb690e0960edd43cef3f3e370bd68563e78 Mon Sep 17 00:00:00 2001
From: Moez Ezzeddine
Date: Mon, 12 Jan 2026 16:25:53 +0100
Subject: [PATCH 4/4] Bump version
---
 aws_quickstart/version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index 9ca2398..6062a5e 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.3.0
+v4.3.1
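Review bot: The substitution in `perl -pi -e "s//${VERSION#v}/g" "$template"`, the context line below the changed loop, has an empty search pattern as shown on this page, and in Perl an empty pattern reuses the last successfully matched regex rather than matching a version placeholder; most likely an angle-bracket placeholder was stripped when this page was rendered (the new template's `# version: v` and `TemplateVersion: ""` in the first patch look truncated the same way), but it is worth confirming in the repository that the placeholder is intact in both the script and `datadog_agentless_delegate_role_stackset.yaml`, otherwise the newly added file would be published unversioned. The enclosing loop body continues outside the hunk.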