From 10be60e522bd37bd356fd3f19efc24832a88a27d Mon Sep 17 00:00:00 2001 From: Sarah Wang Date: Mon, 13 Apr 2026 15:17:25 -0400 Subject: [PATCH 1/3] [TON-197] Add EC2 agent install IAM permissions to CloudFormation template Adds DatadogAgentInstallEC2Policy (gated on AgentOnCloudResources condition) with 5 statements covering: SSM document/command operations, SecretsManager secrets scoped to /datadog/ec2-instrumenter/*, datadog-ssm-* role/profile creation, IAM read+attach for existing customer resources, and iam:PassRole scoped to datadog-ssm-* roles with ec2.amazonaws.com condition. Bumps to v4.8.1. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- aws_quickstart/CHANGELOG.md | 4 ++ aws_quickstart/datadog_integration_role.yaml | 51 ++++++++++++++++++++ aws_quickstart/version.txt | 2 +- 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md index bd658364..6d586d6d 100644 --- a/aws_quickstart/CHANGELOG.md +++ b/aws_quickstart/CHANGELOG.md @@ -1,3 +1,7 @@ +# 4.8.1 (April 13, 2026) + +- Add EC2 agent install IAM permissions (`DatadogAgentInstallEC2Policy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to manage SSM documents, send SSM commands, create Secrets Manager secrets scoped to `/datadog/ec2-instrumenter/*`, create and manage `datadog-ssm-*` IAM roles and instance profiles, and associate instance profiles with EC2 instances. + # 4.8.0 (April 7, 2026) - Add `InstallAgentOnCloudResources` parameter to enable automated Datadog Agent installation on EKS clusters, EC2 instances, and ECS clusters via EventBridge. When enabled, grants Datadog's backend IAM permissions to create and manage EventBridge rules in each active AWS region using the existing cross-account integration role. diff --git a/aws_quickstart/datadog_integration_role.yaml b/aws_quickstart/datadog_integration_role.yaml index 75f1157f..789078b9 100644 --- a/aws_quickstart/datadog_integration_role.yaml 
+++ b/aws_quickstart/datadog_integration_role.yaml @@ -132,6 +132,57 @@ Resources: StringEquals: iam:PassedToService: events.amazonaws.com + DatadogAgentInstallEC2Policy: + Type: AWS::IAM::Policy + Condition: AgentOnCloudResources + Properties: + PolicyName: DatadogAgentInstallEC2Policy + Roles: + - !Ref DatadogIntegrationRole + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - ssm:DescribeInstanceInformation + - ssm:SendCommand + - ssm:GetDocument + - ssm:CreateDocument + - ssm:UpdateDocument + - ssm:UpdateDocumentDefaultVersion + - ec2:AssociateIamInstanceProfile + - resource-groups:ListGroupResources + Resource: "*" + - Effect: Allow + Action: + - secretsmanager:DescribeSecret + - secretsmanager:CreateSecret + Resource: + - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/ec2-instrumenter/*" + - Effect: Allow + Action: + - iam:CreateRole + - iam:CreateInstanceProfile + - iam:AddRoleToInstanceProfile + Resource: + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*" + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/datadog-ssm-profile-*" + - Effect: Allow + Action: + - iam:GetInstanceProfile + - iam:ListAttachedRolePolicies + - iam:AttachRolePolicy + - iam:PutRolePolicy + Resource: "*" + - Effect: Allow + Action: + - iam:PassRole + Resource: + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*" + Condition: + StringEquals: + iam:PassedToService: ec2.amazonaws.com + DatadogAttachIntegrationPermissionsLambdaExecutionRole: Type: AWS::IAM::Role Properties: diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt index ba50f2da..c1577fb8 100644 --- a/aws_quickstart/version.txt +++ b/aws_quickstart/version.txt @@ -1 +1 @@ -v4.8.0 +v4.8.1 From c9d71a39076be7feac96bf0cffad37f1601c34ec Mon Sep 17 00:00:00 2001 
From: Sarah Wang Date: Mon, 13 Apr 2026 15:43:07 -0400 Subject: [PATCH 2/3] [TON-197] Add EKS agent uninstall IAM permissions to CloudFormation template Adds DatadogAgentInstallEKSPolicy (gated on AgentOnCloudResources) with the 5 delete permissions needed for EKS uninstall: eks:DeleteAccessEntry, lambda:DeleteFunction, iam:DeleteRolePolicy, iam:DeleteRole, and secretsmanager:DeleteSecret. All scoped to dd-eks-instrumenter-* resources and the /datadog/eks-instrumenter/* secret path. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- aws_quickstart/CHANGELOG.md | 1 + aws_quickstart/datadog_integration_role.yaml | 29 ++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md index 6d586d6d..5438eb4c 100644 --- a/aws_quickstart/CHANGELOG.md +++ b/aws_quickstart/CHANGELOG.md @@ -1,6 +1,7 @@ # 4.8.1 (April 13, 2026) - Add EC2 agent install IAM permissions (`DatadogAgentInstallEC2Policy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to manage SSM documents, send SSM commands, create Secrets Manager secrets scoped to `/datadog/ec2-instrumenter/*`, create and manage `datadog-ssm-*` IAM roles and instance profiles, and associate instance profiles with EC2 instances. +- Add EKS agent uninstall IAM permissions (`DatadogAgentInstallEKSPolicy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to delete EKS access entries, Lambda functions, IAM roles and inline policies, and Secrets Manager secrets — all scoped to `dd-eks-instrumenter-*` resources and the `/datadog/eks-instrumenter/*` secret path. # 4.8.0 (April 7, 2026) diff --git a/aws_quickstart/datadog_integration_role.yaml b/aws_quickstart/datadog_integration_role.yaml index 789078b9..8d251203 100644 --- a/aws_quickstart/datadog_integration_role.yaml +++ b/aws_quickstart/datadog_integration_role.yaml 
@@ -183,6 +183,35 @@ Resources: StringEquals: iam:PassedToService: ec2.amazonaws.com + DatadogAgentInstallEKSPolicy: + Type: AWS::IAM::Policy + Condition: AgentOnCloudResources + Properties: + PolicyName: DatadogAgentInstallEKSPolicy + Roles: + - !Ref DatadogIntegrationRole + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - eks:DeleteAccessEntry + Resource: + - !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*" + - Effect: Allow + Action: + - lambda:DeleteFunction + - iam:DeleteRolePolicy + - iam:DeleteRole + Resource: + - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:dd-eks-instrumenter-*" + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*" + - Effect: Allow + Action: + - secretsmanager:DeleteSecret + Resource: + - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/eks-instrumenter/*" + DatadogAttachIntegrationPermissionsLambdaExecutionRole: Type: AWS::IAM::Role Properties: From c8c1fb9395a373900871483d98d96e2e80a24a9b Mon Sep 17 00:00:00 2001 From: Sarah Wang Date: Mon, 13 Apr 2026 16:02:03 -0400 Subject: [PATCH 3/3] [TON-197] Expand DatadogAgentInstallEKSPolicy to cover full install/uninstall Replaces the uninstall-only stub with a complete 5-statement policy matching the enclave instrumenter-snap policy for EKS operations: EKS cluster list/describe/access-entry management (Resource: *), Lambda CRUD scoped to dd-eks-instrumenter-*, IAM role CRUD scoped to dd-eks-instrumenter-*, SecretsManager CRUD scoped to /datadog/eks-instrumenter/*, and iam:PassRole to lambda.amazonaws.com for dd-eks-instrumenter-* roles. Also adds ec2:DescribeNatGateways and iam:SimulatePrincipalPolicy (used in MatchesFilters preflight check). Co-Authored-By: Claude Sonnet 4.6 (1M context) --- aws_quickstart/CHANGELOG.md | 2 +- aws_quickstart/datadog_integration_role.yaml | 33 +++++++++++++++++--- 2 files changed, 30 insertions(+), 5 deletions(-) 
diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md index 5438eb4c..3d288ce9 100644 --- a/aws_quickstart/CHANGELOG.md +++ b/aws_quickstart/CHANGELOG.md @@ -1,7 +1,7 @@ # 4.8.1 (April 13, 2026) - Add EC2 agent install IAM permissions (`DatadogAgentInstallEC2Policy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to manage SSM documents, send SSM commands, create Secrets Manager secrets scoped to `/datadog/ec2-instrumenter/*`, create and manage `datadog-ssm-*` IAM roles and instance profiles, and associate instance profiles with EC2 instances. -- Add EKS agent uninstall IAM permissions (`DatadogAgentInstallEKSPolicy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to delete EKS access entries, Lambda functions, IAM roles and inline policies, and Secrets Manager secrets — all scoped to `dd-eks-instrumenter-*` resources and the `/datadog/eks-instrumenter/*` secret path. +- Add EKS agent install/uninstall IAM permissions (`DatadogAgentInstallEKSPolicy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions for full EKS cluster lifecycle: list/describe clusters, create/delete access entries, associate access policies, manage `dd-eks-instrumenter-*` Lambda functions and IAM roles, manage Secrets Manager secrets scoped to `/datadog/eks-instrumenter/*`, simulate principal policy (preflight check), and check NAT gateways for private-endpoint clusters. # 4.8.0 (April 7, 2026) diff --git a/aws_quickstart/datadog_integration_role.yaml b/aws_quickstart/datadog_integration_role.yaml index 8d251203..95f238bd 100644 --- a/aws_quickstart/datadog_integration_role.yaml +++ b/aws_quickstart/datadog_integration_role.yaml 
@@ -195,22 +195,47 @@ Resources: Statement: - Effect: Allow Action: + - eks:ListClusters + - eks:DescribeCluster + - eks:DescribeAccessEntry + - eks:CreateAccessEntry + - eks:AssociateAccessPolicy - eks:DeleteAccessEntry - Resource: - - !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*" + - ec2:DescribeNatGateways + - iam:SimulatePrincipalPolicy + Resource: "*" - Effect: Allow Action: + - lambda:GetFunction + - lambda:CreateFunction + - lambda:InvokeFunction - lambda:DeleteFunction - - iam:DeleteRolePolicy - - iam:DeleteRole Resource: - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:dd-eks-instrumenter-*" + - Effect: Allow + Action: + - iam:GetRole + - iam:CreateRole + - iam:PutRolePolicy + - iam:DeleteRole + - iam:DeleteRolePolicy + Resource: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*" - Effect: Allow Action: + - secretsmanager:DescribeSecret + - secretsmanager:CreateSecret - secretsmanager:DeleteSecret Resource: - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/eks-instrumenter/*" + - Effect: Allow + Action: + - iam:PassRole + Resource: + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*" + Condition: + StringEquals: + iam:PassedToService: lambda.amazonaws.com DatadogAttachIntegrationPermissionsLambdaExecutionRole: Type: AWS::IAM::Role
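Review bot: in 1/3, aws_quickstart/CHANGELOG.md hunk, the 4.8.1 entry says the policy is gated on `InstallAgentOnCloudResources` while the template hunk gates it on the `AgentOnCloudResources` condition; if that condition is derived from the parameter the wording is acceptable, but the entry should also say that the fourth statement grants `iam:AttachRolePolicy` and `iam:PutRolePolicy` on `Resource: "*"`, because that is the broadest grant in the policy and the one a customer reading the changelog before upgrading needs to see.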
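Review bot: in 1/3, aws_quickstart/datadog_integration_role.yaml hunk, the fourth statement grants `iam:AttachRolePolicy` and `iam:PutRolePolicy` on `Resource: "*"`, which lets the cross-account integration role attach any managed policy, or write any inline policy, to any role in the customer account rather than only the `datadog-ssm-*` roles it creates; together with `iam:CreateRole` on `role/datadog-ssm-*` and `iam:PassRole` to `ec2.amazonaws.com`, that is an unbounded escalation path and the blast radius of a compromised integration role becomes the whole account. Scope those two actions to the same `role/datadog-ssm-*` ARNs used in the create statement; if the installer must also attach to pre-existing customer roles, add an `iam:PolicyARN` condition listing the specific managed policies it attaches, and put an `iam:PermissionsBoundary` condition on `iam:CreateRole` so every `datadog-ssm-*` role it mints is bounded regardless of what `iam:PutRolePolicy` later writes. The first statement also grants `ssm:SendCommand` on `Resource: "*"`, i.e. any document against any SSM-managed instance; consider restricting the document ARN to the ones this role creates and the instance resource with a tag condition, and split the read-only `ssm:DescribeInstanceInformation`/`ssm:GetDocument` actions from the write actions so each can be audited separately.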
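Review bot: in 2/3, aws_quickstart/datadog_integration_role.yaml hunk, the commit message states that all five delete permissions are scoped to `dd-eks-instrumenter-*` resources, but `eks:DeleteAccessEntry` is granted on `cluster/*`, which is every access entry on every cluster in the account; either add an `eks:principalArn` condition matching the `dd-eks-instrumenter-*` roles or correct the message. Also verify that a `cluster/*` ARN is what IAM evaluates for `eks:DeleteAccessEntry` (access entries have their own ARN form), since 3/3 silently widens this to `"*"`, which suggests the scoping did not match in testing. The second statement lists a Lambda ARN and an IAM role ARN under one `Resource` for actions that each apply to only one of those types; splitting it into a Lambda statement and an IAM statement makes the intended scoping obvious. Because 3/3 rewrites this whole block, squash 2/3 into 3/3 so the intermediate `DatadogAgentInstallEKSPolicy` containing only delete actions never lands on main.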
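Review bot: in 3/3, aws_quickstart/datadog_integration_role.yaml hunk, the first statement now grants `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy` on `Resource: "*"`, which lets the integration role grant any IAM principal any EKS access policy on every cluster in the account; restrict with `eks:principalArn` (the `dd-eks-instrumenter-*` roles) and `eks:policyArn` (the one access policy the installer needs) conditions. The IAM statement grants `iam:CreateRole` plus unrestricted `iam:PutRolePolicy` on `role/dd-eks-instrumenter-*`, and the final statement passes those roles to `lambda.amazonaws.com` alongside `lambda:CreateFunction` and `lambda:InvokeFunction`; that combination lets the role mint a `dd-eks-instrumenter-*` role with arbitrary inline permissions and execute code under it, so add an `iam:PermissionsBoundary` condition on `iam:CreateRole` to cap what those roles can ever hold. `iam:SimulatePrincipalPolicy` on `"*"` can be scoped to the same `role/dd-eks-instrumenter-*` ARNs if the preflight check only simulates its own roles. The commit message says the policy matches the enclave instrumenter-snap policy, but nothing in the hunk shows that source; linking or pasting it in the PR description would let reviewers diff the two.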