DataDog · swang392 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
@@ -1,3 +1,8 @@
+# 4.8.1 (April 13, 2026)
+
+- Add EC2 agent install IAM permissions (`DatadogAgentInstallEC2Policy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions to manage SSM documents, send SSM commands, create Secrets Manager secrets scoped to `/datadog/ec2-instrumenter/*`, create and manage `datadog-ssm-*` IAM roles and instance profiles, and associate instance profiles with EC2 instances.
+- Add EKS agent install/uninstall IAM permissions (`DatadogAgentInstallEKSPolicy`) gated on `InstallAgentOnCloudResources`. Grants the integration role permissions for full EKS cluster lifecycle: list/describe clusters, create/delete access entries, associate access policies, manage `dd-eks-instrumenter-*` Lambda functions and IAM roles, manage Secrets Manager secrets scoped to `/datadog/eks-instrumenter/*`, simulate principal policy (preflight check), and check NAT gateways for private-endpoint clusters.
+
 # 4.8.0 (April 7, 2026)
 
 - Add `InstallAgentOnCloudResources` parameter to enable automated Datadog Agent installation on EKS clusters, EC2 instances, and ECS clusters via EventBridge. When enabled, grants Datadog's backend IAM permissions to create and manage EventBridge rules in each active AWS region using the existing cross-account integration role.

@@ -132,6 +132,111 @@ Resources:
               StringEquals:
                 iam:PassedToService: events.amazonaws.com
 
+  DatadogAgentInstallEC2Policy:
+    Type: AWS::IAM::Policy
+    Condition: AgentOnCloudResources
+    Properties:
+      PolicyName: DatadogAgentInstallEC2Policy
+      Roles:
+        - !Ref DatadogIntegrationRole
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - ssm:DescribeInstanceInformation
+              - ssm:SendCommand
+              - ssm:GetDocument
+              - ssm:CreateDocument
+              - ssm:UpdateDocument
+              - ssm:UpdateDocumentDefaultVersion
+              - ec2:AssociateIamInstanceProfile
+              - resource-groups:ListGroupResources
+            Resource: "*"
+          - Effect: Allow
+            Action:
+              - secretsmanager:DescribeSecret
+              - secretsmanager:CreateSecret
+            Resource:
+              - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/ec2-instrumenter/*"
+          - Effect: Allow
+            Action:
+              - iam:CreateRole
+              - iam:CreateInstanceProfile
+              - iam:AddRoleToInstanceProfile
+            Resource:
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/datadog-ssm-profile-*"
+          - Effect: Allow
+            Action:
+              - iam:GetInstanceProfile
+              - iam:ListAttachedRolePolicies
+              - iam:AttachRolePolicy
+              - iam:PutRolePolicy
+            Resource: "*"
+          - Effect: Allow
+            Action:
+              - iam:PassRole
+            Resource:
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"
+            Condition:
+              StringEquals:
+                iam:PassedToService: ec2.amazonaws.com
+
+  DatadogAgentInstallEKSPolicy:
+    Type: AWS::IAM::Policy
+    Condition: AgentOnCloudResources
+    Properties:
+      PolicyName: DatadogAgentInstallEKSPolicy
+      Roles:
+        - !Ref DatadogIntegrationRole
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - eks:ListClusters
+              - eks:DescribeCluster
+              - eks:DescribeAccessEntry
+              - eks:CreateAccessEntry
+              - eks:AssociateAccessPolicy
+              - eks:DeleteAccessEntry
+              - ec2:DescribeNatGateways
+              - iam:SimulatePrincipalPolicy
+            Resource: "*"
+          - Effect: Allow
+            Action:
+              - lambda:GetFunction
+              - lambda:CreateFunction
+              - lambda:InvokeFunction
+              - lambda:DeleteFunction
+            Resource:
+              - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:dd-eks-instrumenter-*"
+          - Effect: Allow
+            Action:
+              - iam:GetRole
+              - iam:CreateRole
+              - iam:PutRolePolicy
+              - iam:DeleteRole
+              - iam:DeleteRolePolicy
+            Resource:
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*"
+          - Effect: Allow
+            Action:
+              - secretsmanager:DescribeSecret
+              - secretsmanager:CreateSecret
+              - secretsmanager:DeleteSecret
+            Resource:
+              - !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/eks-instrumenter/*"
+          - Effect: Allow
+            Action:
+              - iam:PassRole
+            Resource:
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/dd-eks-instrumenter-*"
+            Condition:
+              StringEquals:
+                iam:PassedToService: lambda.amazonaws.com
+
   DatadogAttachIntegrationPermissionsLambdaExecutionRole:
     Type: AWS::IAM::Role
     Properties:

@@ -1 +1 @@
-v4.8.0
+v4.8.1