diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index bd658364..3d288ce9 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,3 +1,8 @@
+# 4.8.1 (April 13, 2026)
+
+- Add EC2 agent install IAM permissions (`DatadogAgentInstallEC2Policy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to manage SSM documents, send SSM commands, create Secrets Manager secrets scoped to `/datadog/ec2-instrumenter/*`, create and manage `datadog-ssm-*` IAM roles and instance profiles, and associate instance profiles with EC2 instances.
+- Add EKS agent install/uninstall IAM permissions (`DatadogAgentInstallEKSPolicy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions for full EKS cluster lifecycle: list/describe clusters, create/delete access entries, associate access policies, manage `dd-eks-instrumenter-*` Lambda functions and IAM roles, manage Secrets Manager secrets scoped to `/datadog/eks-instrumenter/*`, simulate principal policy (preflight check), and check NAT gateways for private-endpoint clusters.
+
 # 4.8.0 (April 7, 2026)
 - Add `InstallAgentOnCloudResources` parameter to enable automated Datadog Agent installation on EKS clusters, EC2 instances, and ECS clusters via EventBridge. When enabled, grants Datadog's backend IAM permissions to create and manage EventBridge rules in each active AWS region using the existing cross-account integration role.
diff --git a/aws_quickstart/datadog_integration_role.yaml b/aws_quickstart/datadog_integration_role.yaml
index 75f1157f..95f238bd 100644
--- a/aws_quickstart/datadog_integration_role.yaml
+++ b/aws_quickstart/datadog_integration_role.yaml
@@ -132,6 +132,111 @@ Resources:
 StringEquals:
 iam:PassedToService: events.amazonaws.com
+ DatadogAgentInstallEC2Policy:
+ Type: AWS::IAM::Policy
+ Condition: AgentOnCloudResources
+ Properties:
+ PolicyName: DatadogAgentInstallEC2Policy
+ Roles:
+ - !Ref DatadogIntegrationRole
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - ssm:DescribeInstanceInformation
+ - ssm:SendCommand
+ - ssm:GetDocument
+ - ssm:CreateDocument
+ - ssm:UpdateDocument
+ - ssm:UpdateDocumentDefaultVersion
+ - ec2:AssociateIamInstanceProfile
+ - resource-groups:ListGroupResources
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - secretsmanager:DescribeSecret
+ - secretsmanager:CreateSecret
+ Resource:
+ - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/ec2-instrumenter/*"
+ - Effect: Allow
+ Action:
+ - iam:CreateRole
+ - iam:CreateInstanceProfile
+ - iam:AddRoleToInstanceProfile
+ Resource:
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/datadog-ssm-profile-*"
+ - Effect: Allow
+ Action:
+ - iam:GetInstanceProfile
+ - iam:ListAttachedRolePolicies
+ - iam:AttachRolePolicy
+ - iam:PutRolePolicy
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - iam:PassRole
+ Resource:
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"
+ Condition:
+ StringEquals:
+ iam:PassedToService: ec2.amazonaws.com
+
+ DatadogAgentInstallEKSPolicy:
+ Type: AWS::IAM::Policy
+ Condition: AgentOnCloudResources
+ Properties:
+ PolicyName: DatadogAgentInstallEKSPolicy
+ Roles:
+ - !Ref DatadogIntegrationRole
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - eks:ListClusters
+ - eks:DescribeCluster
+ - eks:DescribeAccessEntry
+ - eks:CreateAccessEntry
+ - eks:AssociateAccessPolicy
+ - eks:DeleteAccessEntry
+ - ec2:DescribeNatGateways
+ - iam:SimulatePrincipalPolicy
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - lambda:GetFunction
+ - lambda:CreateFunction
+ - lambda:InvokeFunction
+ - lambda:DeleteFunction
+ Resource:
+ - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:dd-eks-instrumenter-*"
+ - Effect: Allow
+ Action:
+ - iam:GetRole
+ - iam:CreateRole
+ - iam:PutRolePolicy
+ - iam:DeleteRole
+ - iam:DeleteRolePolicy
+ Resource:
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*"
+ - Effect: Allow
+ Action:
+ - secretsmanager:DescribeSecret
+ - secretsmanager:CreateSecret
+ - secretsmanager:DeleteSecret
+ Resource:
+ - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/eks-instrumenter/*"
+ - Effect: Allow
+ Action:
+ - iam:PassRole
+ Resource:
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*"
+ Condition:
+ StringEquals:
+ iam:PassedToService: lambda.amazonaws.com
+
 DatadogAttachIntegrationPermissionsLambdaExecutionRole:
 Type: AWS::IAM::Role
 Properties:
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index ba50f2da..c1577fb8 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.8.0
+v4.8.1
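Review bot: The fourth statement of `DatadogAgentInstallEC2Policy` grants `iam:AttachRolePolicy` and `iam:PutRolePolicy` on `Resource: "*"`, which lets the cross-account integration role attach any managed policy or inline policy to any role in the account — a privilege-escalation path that the `datadog-ssm-*` scoping on `iam:CreateRole` and `iam:PassRole` in the neighbouring statements does not close, and that the `StringEquals` condition on `iam:PassRole` does not constrain either. The EKS policy in the same hunk already scopes `iam:PutRolePolicy` to `role/dd-eks-instrumenter-*`, so the EC2 statement should be made consistent with it: `Resource:` / `- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"`, with `iam:AttachRolePolicy` further restricted by an `iam:PolicyARN` condition naming the managed policies the installer actually attaches. If `iam:GetInstanceProfile` and `iam:ListAttachedRolePolicies` genuinely need to read arbitrary roles, move them into a separate read-only statement instead of sharing the wildcard with the two write actions. The first statement's `ssm:SendCommand`, `ssm:CreateDocument` and `ssm:UpdateDocument` on `"*"` likewise permit commands on every SSM-managed instance and edits to any existing document; if the installer only ever uses its own document, a name-scoped document ARN (and a tag-based condition on the instance targets) would narrow that blast radius. The enclosing `Resources:` mapping starts before this hunk.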