[K9VULN-11615] Add SecurityAudit policy attachment to agentless scanning templates#275

Open
k3nz0 wants to merge 3 commits into master from moez/add-security-audit-policy-agentless

Conversation

@k3nz0 k3nz0 commented Feb 16, 2026

Summary

  • Enhances the existing datadog_agentless_api_call.py Lambda to attach the SecurityAudit AWS managed policy to the Datadog integration role during stack creation, which is required for agentless scanning
  • Adds ensure_security_audit_policy() function that checks if SecurityAudit is already attached (idempotent) and attaches it if missing, with graceful skip when no role name is provided
  • Adds scoped IAM permissions (iam:ListAttachedRolePolicies, iam:AttachRolePolicy restricted to SecurityAudit ARN) to the Lambda execution role in all three agentless templates
  • For delegate role templates, the DatadogIntegrationRoleName parameter is optional — when empty, the IAM policy resource is not created and the Lambda skips attachment

Templates modified

  • datadog_agentless_scanning.yaml — IAM policy + custom resource properties
  • datadog_agentless_delegate_role.yaml — parameter + condition + IAM policy + custom resource properties + metadata
  • datadog_agentless_delegate_role_stackset.yaml — same as delegate role

Test plan

  • Unit tests pass (5 new tests for ensure_security_audit_policy: already-attached, not-attached, empty role name, error propagation, GovCloud partition)
  • cfn-lint on all three modified YAML templates
  • Deploy datadog_agentless_scanning.yaml and verify SecurityAudit is attached to integration role
  • Deploy delegate role template with empty DatadogIntegrationRoleName — verify graceful skip
  • Deploy delegate role template with populated DatadogIntegrationRoleName — verify attachment
  • Re-deploy when SecurityAudit is already attached — verify idempotency (no errors)

🤖 Generated with Claude Code
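The helper the summary describes, as an added example that is not the PR's Lambda code: the function name, the skip/idempotent/propagate behaviour and the partition handling follow the description above, while the `iam_client` injection parameter, the `partition` argument and `FakeIamClient` are assumptions so it can be exercised offline without boto3.

```python
SECURITY_AUDIT_POLICY_NAME = "SecurityAudit"


def security_audit_policy_arn(partition="aws"):
    """Managed-policy ARN; the partition differs in GovCloud ('aws-us-gov')."""
    return f"arn:{partition}:iam::aws:policy/{SECURITY_AUDIT_POLICY_NAME}"


def ensure_security_audit_policy(role_name, partition="aws", iam_client=None):
    """Return 'skipped', 'already-attached' or 'attached'.

    Empty role_name skips without an IAM call; an already-attached policy is a
    no-op so re-deploys are idempotent; IAM errors propagate so the custom
    resource reports FAILED instead of claiming success. The Lambda role needs
    only iam:ListAttachedRolePolicies and iam:AttachRolePolicy scoped to this ARN.
    """
    if not role_name:
        return "skipped"
    if iam_client is None:
        import boto3  # lazy import: present in the Lambda runtime, absent in CI
        iam_client = boto3.client("iam")
    policy_arn = security_audit_policy_arn(partition)
    marker = None
    while True:  # read every page before concluding the policy is missing
        kwargs = {"RoleName": role_name}
        if marker:
            kwargs["Marker"] = marker
        page = iam_client.list_attached_role_policies(**kwargs)
        if any(p["PolicyArn"] == policy_arn for p in page.get("AttachedPolicies", [])):
            return "already-attached"
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return "attached"


class FakeIamClient:
    """Constructed offline stand-in for boto3's IAM client; records attach calls."""
    def __init__(self, attached=(), fail_attach=False):
        self.attached, self.fail_attach, self.attach_calls = list(attached), fail_attach, []

    def list_attached_role_policies(self, RoleName, Marker=None):
        policies = [{"PolicyName": a.rsplit("/", 1)[-1], "PolicyArn": a} for a in self.attached]
        return {"AttachedPolicies": policies, "IsTruncated": False}

    def attach_role_policy(self, RoleName, PolicyArn):
        if self.fail_attach:
            raise RuntimeError("AccessDenied: simulated IAM failure")
        self.attach_calls.append((RoleName, PolicyArn))
        self.attached.append(PolicyArn)
```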

@k3nz0 k3nz0 requested review from a team as code owners February 16, 2026 09:47
@k3nz0 k3nz0 changed the title Add SecurityAudit policy attachment to agentless scanning templates [K9VULN-11615] Add SecurityAudit policy attachment to agentless scanning templates Feb 16, 2026
k3nz0 and others added 3 commits February 16, 2026 11:24
Enhance the existing agentless API call Lambda to ensure the SecurityAudit
AWS managed policy is attached to the Datadog integration role during stack
creation. This is required for agentless scanning to work, even when CSPM
or Resource Collection are not explicitly enabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
boto3 is available in the Lambda runtime but not in CI. Move the import
inside ensure_security_audit_policy so the module loads without boto3,
and mock it in tests via sys.modules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@k3nz0 k3nz0 force-pushed the moez/add-security-audit-policy-agentless branch from 92d77ab to f103ee6 Compare February 16, 2026 10:24