From c3ed9a5ef21ddda027fafd4c26535c0fc71c01ab Mon Sep 17 00:00:00 2001
From: Antoine Valette
Date: Mon, 2 Mar 2026 21:52:51 +0100
Subject: [PATCH 1/5] [K9VULN-12046] Add compliance_host option for Agentless Scanning
Add AgentlessComplianceHostScanning parameter across all agentless CloudFormation templates, mirroring the existing sensitive_data pattern. The option flows from CFN parameters through the custom resource Lambda to the Datadog API payload as compliance_host.
Made-with: Cursor
---
 aws_quickstart/datadog_agentless_api_call.py | 2 ++
 .../datadog_agentless_api_call_test.py | 1 +
 .../datadog_agentless_delegate_role.yaml | 10 ++++++++++
 ...tadog_agentless_delegate_role_stackset.yaml | 10 ++++++++++
 aws_quickstart/datadog_agentless_scanning.yaml | 13 +++++++++++++
 aws_quickstart/main_extended.yaml | 18 ++++++++++++++++++
 aws_quickstart/main_extended_workflow.yaml | 18 ++++++++++++++++++
 7 files changed, 72 insertions(+)
diff --git a/aws_quickstart/datadog_agentless_api_call.py b/aws_quickstart/datadog_agentless_api_call.py
index 427dd5b7..98295f68 100644
--- a/aws_quickstart/datadog_agentless_api_call.py
+++ b/aws_quickstart/datadog_agentless_api_call.py
@@ -17,6 +17,7 @@ def call_datadog_agentless_api(context, event, method):
 account_id = event["ResourceProperties"]["AccountId"]
 vulnerability_scanning = event["ResourceProperties"]["VulnerabilityScanning"]
 sensitive_data = event["ResourceProperties"]["SensitiveData"]
+ compliance_host = event["ResourceProperties"]["ComplianceHost"]
 # Optional parameters
 launch_template_id = event["ResourceProperties"].get("LaunchTemplateId")
 asg_arn = event["ResourceProperties"].get("AutoScalingGroupArn")
@@ -78,6 +79,7 @@ def call_datadog_agentless_api(context, event, method):
 "vuln_host_os": vulnerability_scanning == "true",
 "lambda": vulnerability_scanning == "true",
 "sensitive_data": sensitive_data == "true",
+ "compliance_host": compliance_host == "true",
 },
 },
 }
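Review bot: The new `compliance_host = event["ResourceProperties"]["ComplianceHost"]` in the first hunk is a hard subscript, so any invocation whose ResourceProperties predate this version raises KeyError, unlike the `.get()` lookups for the optional parameters right below it. That is a new failure mode on upgrade from v4.6.x: if CloudFormation rolls back a failed update and, as I would expect but cannot confirm from the hunk, re-invokes this code with the previous template's properties (which have no ComplianceHost), the rollback itself fails. Defaulting the flag off for such callers is one line: `compliance_host = event["ResourceProperties"].get("ComplianceHost", "false")`. The second hunk also silently maps anything other than the exact string "true" to False, mirroring the existing flags; a comment like `# CFN passes parameters as strings; only the literal "true" enables the scan` would make that contract explicit. `call_datadog_agentless_api` starts and ends outside these hunks.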
diff --git a/aws_quickstart/datadog_agentless_api_call_test.py b/aws_quickstart/datadog_agentless_api_call_test.py index 4857f50b..8c19ce33 100644 --- a/aws_quickstart/datadog_agentless_api_call_test.py +++ b/aws_quickstart/datadog_agentless_api_call_test.py @@ -35,6 +35,7 @@ def setUp(self): "AccountId": "123456789012", "VulnerabilityScanning": "true", "SensitiveData": "false", + "ComplianceHost": "false", }, "StackId": "arn:aws:cloudformation:us-east-1:358251252154:stack/DatadogAgentlessIntegration/22b23bca-de8b-451c-99e4-c69b9ad20ec7", } diff --git a/aws_quickstart/datadog_agentless_delegate_role.yaml b/aws_quickstart/datadog_agentless_delegate_role.yaml index 1056e03a..760d4287 100644 --- a/aws_quickstart/datadog_agentless_delegate_role.yaml +++ b/aws_quickstart/datadog_agentless_delegate_role.yaml @@ -48,6 +48,14 @@ Parameters: Description: Enable Agentless Scanning of datastores (S3 buckets). Default: false + AgentlessComplianceHostScanning: + Type: String + AllowedValues: + - true + - false + Description: Enable Agentless Compliance Scanning for hosts. + Default: false + ScannerInstanceRoleARN: Type: CommaDelimitedList Description: The ARNs of the roles of the Datadog Agentless Scanner instances that will assume the delegate role. @@ -339,6 +347,7 @@ Resources: AccountId: !Ref "AWS::AccountId" VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" + ComplianceHost: !Ref "AgentlessComplianceHostScanning" IntegrationRoleName: !Ref "DatadogIntegrationRoleName" Partition: !Ref "AWS::Partition" # Optional parameters @@ -375,4 +384,5 @@ Metadata: default: "Advanced" Parameters: - AgentlessSensitiveDataScanning + - AgentlessComplianceHostScanning - AccountId diff --git a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml index ae751a83..0065d311 100644 --- a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml 
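Review bot: The test hunk only adds `"ComplianceHost": "false"` to the setUp fixture, so no assertion checks that the flag reaches the API payload as `compliance_host`, and the default-false case cannot distinguish "sent as false" from "ignored". A case that sets `"ComplianceHost": "true"` and asserts the posted payload contains `"compliance_host": True` would pin the behaviour the commit message describes, and a second case omitting the key altogether would document whether a missing property is an error or a default. setUp continues outside the hunk.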
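Review bot: In datadog_agentless_delegate_role.yaml the new AgentlessComplianceHostScanning parameter is only forwarded to the custom resource; no hunk in this section touches the delegate role's IAM policy. If the permissions the scanner needs to inspect hosts are conditioned on AgentlessVulnerabilityScanning elsewhere in the template (not visible here), a stack with only the compliance flag enabled would lack them; if they are unconditional, the parameter description does not tell the person approving the stack what access it turns on. I would expand the description to state the access, along the lines of `Enable Agentless Compliance Scanning for hosts. Uses the same delegate-role access to host disks as vulnerability scanning.` once that dependency is confirmed. The Parameters and Resources sections continue outside the hunks.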
+++ b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml @@ -52,6 +52,14 @@ Parameters: Description: Enable Agentless Scanning of datastores (S3 buckets). Default: false + AgentlessComplianceHostScanning: + Type: String + AllowedValues: + - true + - false + Description: Enable Agentless Compliance Scanning for hosts. + Default: false + DatadogIntegrationRoleName: Type: String Description: The name of IAM role used by the Datadog AWS integration. If provided, the SecurityAudit policy will be attached to this role. @@ -323,6 +331,7 @@ Resources: AccountId: !Ref "AWS::AccountId" VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" + ComplianceHost: !Ref "AgentlessComplianceHostScanning" IntegrationRoleName: !Ref "DatadogIntegrationRoleName" Partition: !Ref "AWS::Partition" # Optional parameters @@ -389,3 +398,4 @@ Metadata: Parameters: - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning + - AgentlessComplianceHostScanning diff --git a/aws_quickstart/datadog_agentless_scanning.yaml b/aws_quickstart/datadog_agentless_scanning.yaml index 1f3fb7af..70ea0cb7 100644 --- a/aws_quickstart/datadog_agentless_scanning.yaml +++ b/aws_quickstart/datadog_agentless_scanning.yaml @@ -44,6 +44,15 @@ Parameters: Enable Agentless Scanning of datastores (S3 buckets). Default: false + AgentlessComplianceHostScanning: + Type: String + AllowedValues: + - true + - false + Description: >- + Enable Agentless Compliance Scanning for hosts. + Default: false + DatadogAPIKeySecretArn: Type: String Description: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You must store the secret as a plaintext, rather than a key-value pair. 
@@ -1058,6 +1067,7 @@ Resources: AccountId: !Ref "AWS::AccountId" VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" + ComplianceHost: !Ref "AgentlessComplianceHostScanning" IntegrationRoleName: !Ref "DatadogIntegrationRoleName" Partition: !Ref "AWS::Partition" # Optional parameters @@ -1099,6 +1109,7 @@ Metadata: - DatadogSite - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning + - AgentlessComplianceHostScanning - Label: default: Advanced Parameters: @@ -1130,3 +1141,5 @@ Metadata: default: "AgentlessVulnerabilityScanning *" AgentlessSensitiveDataScanning: default: "AgentlessSensitiveDataScanning *" + AgentlessComplianceHostScanning: + default: "AgentlessComplianceHostScanning *" diff --git a/aws_quickstart/main_extended.yaml b/aws_quickstart/main_extended.yaml index e4f7bf7b..1874b3ac 100644 --- a/aws_quickstart/main_extended.yaml +++ b/aws_quickstart/main_extended.yaml @@ -103,6 +103,14 @@ Parameters: Description: >- Enable Agentless Scanning of datastores (S3 buckets). Default: false + AgentlessComplianceHostScanning: + Type: String + AllowedValues: + - true + - false + Description: >- + Enable Agentless Compliance Scanning for hosts. + Default: false ScannerDelegateRoleName: Type: String Description: The name of the role assumed by the Datadog Agentless Scanner @@ -141,6 +149,9 @@ Rules: - Fn::Equals: - Ref: AgentlessSensitiveDataScanning - 'true' + - Fn::Equals: + - Ref: AgentlessComplianceHostScanning + - 'true' AssertDescription: Agentless Scanning options require ResourceCollection, must enable ResourceCollection Conditions: InstallForwarder: @@ -164,6 +175,9 @@ Conditions: - Fn::Equals: - !Ref AgentlessSensitiveDataScanning - true + - Fn::Equals: + - !Ref AgentlessComplianceHostScanning + - true IsAP1: Fn::Equals: - !Ref DatadogSite 
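Review bot: As rendered here, the added ParameterGroups entry in the datadog_agentless_scanning.yaml Metadata hunk reads `+ AgentlessComplianceHostScanning` with no `- ` list marker, while its neighbour `- AgentlessSensitiveDataScanning` has one and the Rules hunk in main_extended.yaml keeps its `- Fn::Equals:` marker. If that is the file's actual content rather than an artefact of this listing, the bare name is absorbed into the previous scalar and the parameter never appears in its group; the same shape recurs in every other template's Metadata hunk in this patch, so a cfn-lint run on the five templates would settle it. The Rules change itself is sound: gating the new flag on ResourceCollection matches the two existing assertions, though it quotes `'true'` where the Conditions hunk below compares against bare `true`, and picking one form would make the two blocks easier to keep in sync. The Metadata and Conditions sections continue outside these hunks.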
@@ -203,6 +217,7 @@ Resources: AccountId: !Ref AWS::AccountId AgentlessVulnerabilityScanning: !Ref AgentlessVulnerabilityScanning AgentlessSensitiveDataScanning: !Ref AgentlessSensitiveDataScanning + AgentlessComplianceHostScanning: !Ref AgentlessComplianceHostScanning ScannerDelegateRoleName: !Ref ScannerDelegateRoleName ScannerInstanceRoleARN: !If [IsCrossAccountScanning, !Join [",", !Ref "ScannerInstanceRoleARN"], !Ref "AWS::NoValue"] DatadogIntegrationRoleName: !If [IsCrossAccountScanning, !Ref "AWS::NoValue", !Ref "IAMRoleName"] @@ -283,6 +298,7 @@ Metadata: - CloudSecurityPostureManagement - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning + - AgentlessComplianceHostScanning - Label: default: Advanced Parameters: @@ -303,5 +319,7 @@ Metadata: default: "AgentlessVulnerabilityScanning *" AgentlessSensitiveDataScanning: default: "AgentlessSensitiveDataScanning *" + AgentlessComplianceHostScanning: + default: "AgentlessComplianceHostScanning *" InstallLambdaLogForwarder: default: "InstallLambdaLogForwarder *" diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml index f2e44e18..dacb17b4 100644 --- a/aws_quickstart/main_extended_workflow.yaml +++ b/aws_quickstart/main_extended_workflow.yaml @@ -113,6 +113,14 @@ Parameters: Description: >- Enable Agentless Scanning of datastores (S3 buckets). Default: false + AgentlessComplianceHostScanning: + Type: String + AllowedValues: + - true + - false + Description: >- + Enable Agentless Compliance Scanning for hosts. + Default: false ScannerDelegateRoleName: Type: String Description: The name of the role assumed by the Datadog Agentless Scanner @@ -161,6 +169,9 @@ Rules: - Fn::Equals: - Ref: AgentlessSensitiveDataScanning - 'true' + - Fn::Equals: + - Ref: AgentlessComplianceHostScanning + - 'true' AssertDescription: Agentless Scanning options require ResourceCollection, must enable ResourceCollection Conditions: InstallForwarder: 
@@ -187,6 +198,9 @@ Conditions: - Fn::Equals: - !Ref AgentlessSensitiveDataScanning - true + - Fn::Equals: + - !Ref AgentlessComplianceHostScanning + - true NoAgentlessScanning: Fn::Not: - Condition: EnableAgentlessScanning @@ -549,6 +563,7 @@ Resources: AccountId: !Ref AWS::AccountId AgentlessVulnerabilityScanning: !Ref AgentlessVulnerabilityScanning AgentlessSensitiveDataScanning: !Ref AgentlessSensitiveDataScanning + AgentlessComplianceHostScanning: !Ref AgentlessComplianceHostScanning ScannerDelegateRoleName: !Ref ScannerDelegateRoleName ScannerInstanceRoleARN: !If [IsCrossAccountScanning, !Join [",", !Ref "ScannerInstanceRoleARN"], !Ref "AWS::NoValue"] DatadogIntegrationRoleName: !If [IsCrossAccountScanning, !Ref "AWS::NoValue", !Ref "IAMRoleName"] @@ -702,6 +717,7 @@ Metadata: - CloudSecurityPostureManagement - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning + - AgentlessComplianceHostScanning - Label: default: Advanced Parameters: @@ -726,5 +742,7 @@ Metadata: default: "AgentlessVulnerabilityScanning *" AgentlessSensitiveDataScanning: default: "AgentlessSensitiveDataScanning *" + AgentlessComplianceHostScanning: + default: "AgentlessComplianceHostScanning *" InstallLambdaLogForwarder: default: "InstallLambdaLogForwarder *" From 81ea4461f0adc3fef4b7b761ec57dad3c7ef8f65 Mon Sep 17 00:00:00 2001 From: Antoine Valette Date: Mon, 2 Mar 2026 21:55:16 +0100 Subject: [PATCH 2/5] [K9VULN-12046] Bump version to v4.6.6 Made-with: Cursor --- aws_quickstart/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt index 7378a3bb..c0aa3929 100644 --- a/aws_quickstart/version.txt +++ b/aws_quickstart/version.txt @@ -1 +1 @@ -v4.6.5 +v4.6.6 From 3e87afcfe8988f00cc5c32b9f208797932e14606 Mon Sep 17 00:00:00 2001 
From: Antoine Valette Date: Mon, 2 Mar 2026 21:56:11 +0100 Subject: [PATCH 3/5] [K9VULN-12046] Bump version to v4.7.0 Made-with: Cursor --- aws_quickstart/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt index c0aa3929..79214dce 100644 --- a/aws_quickstart/version.txt +++ b/aws_quickstart/version.txt @@ -1 +1 @@ -v4.6.6 +v4.7.0 From bf038fde44304ff7d934ea27bee1ae6f931ebdd3 Mon Sep 17 00:00:00 2001 From: Antoine Valette Date: Mon, 9 Mar 2026 10:28:48 +0100 Subject: [PATCH 4/5] Trigger CI From 0337c8aa8d0603e94ea140d87149fc20e11736b0 Mon Sep 17 00:00:00 2001 From: Antoine Valette Date: Mon, 9 Mar 2026 11:22:37 +0100 Subject: [PATCH 5/5] Trigger CI