DataDog · raymondeah · May 29, 2026 · May 19, 2026 · May 19, 2026 · May 20, 2026
@@ -1,3 +1,7 @@
+# 4.12.0 (May 28, 2026)
+
+- Add an EventBridge pipeline that forwards EC2 and EKS resource lifecycle and configuration update events to Datadog, enabling the Datadog Agent management feature to react to changes in real time. Customers enable forwarding per resource type when configuring Agent management.
+
 # 4.11.1 (May 27, 2026)
 
 - Forward `InstrumentationResourceTypes` and `DatadogSite` from workflow and extended templates to the nested integration role stack, so launches can attach the Agent instrumentation IAM permissions selected during onboarding. Affects `main_workflow.yaml`, `main_extended_workflow.yaml`, and `main_extended.yaml`

@@ -0,0 +1,145 @@
+# version: <VERSION_PLACEHOLDER>
+AWSTemplateFormatVersion: 2010-09-09
+Description: Datadog AWS Integration - EventBridge forwarding of resource update events
+Parameters:
+  APIKey:
+    Description: >-
+      API key for the Datadog account (find at https://app.datadoghq.com/organization-settings/api-keys).
+    Type: String
+    AllowedPattern: "([0-9a-f]{32})?"
+    NoEcho: true
+  APPKey:
+    Description: >-
+      APP key for the Datadog account (find at https://app.datadoghq.com/organization-settings/application-keys).
+    Type: String
+    AllowedPattern: "(([0-9a-f]{40})|(ddapp_[a-zA-Z0-9]{34}))?"
+    NoEcho: true
+  DatadogSite:
+    Type: String
+    Default: datadoghq.com
+    Description: >-
+      Datadog site events are forwarded to.
+  InstrumentationResourceTypes:
+    Type: String
+    Default: ""
+    Description: >-
+      Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance,
+      aws:eks:cluster) to forward CloudTrail events for. Only rules for the listed
+      types are deployed.
+Conditions:
+  IncludeEC2:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Split [",aws:ec2:instance,", !Sub ",${InstrumentationResourceTypes},"]]
+          - !Sub ",${InstrumentationResourceTypes},"
+  IncludeEKS:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Split [",aws:eks:cluster,", !Sub ",${InstrumentationResourceTypes},"]]
+          - !Sub ",${InstrumentationResourceTypes},"
+Resources:
+  DDIntakeConnection:
+    Type: AWS::Events::Connection
+    Properties:
+      Name: datadog-agent-resource-update-intake-connection
+      Description: Credentials for the Datadog resource update intake
+      AuthorizationType: API_KEY
+      AuthParameters:
+        ApiKeyAuthParameters:
+          ApiKeyName: DD-API-KEY
+          ApiKeyValue: !Ref APIKey
+        InvocationHttpParameters:
+          HeaderParameters:
+            - Key: DD-APPLICATION-KEY
+              Value: !Ref APPKey
+              IsValueSecret: true
+  DDIntakeApiDestination:
+    Type: AWS::Events::ApiDestination
+    Properties:
+      Name: datadog-agent-resource-update-intake-destination
+      ConnectionArn: !GetAtt DDIntakeConnection.Arn
+      InvocationEndpoint: !Sub "https://api.${DatadogSite}/api/unstable/instrumenter/events"
+      HttpMethod: POST
+      InvocationRateLimitPerSecond: 10
+  DDEventBridgeInvocationRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+      Policies:
+        - PolicyName: datadog-eventbridge-invoke
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action: events:InvokeApiDestination
+                Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/*"
+  DDEventForwardingRuleEC2:
+    Type: AWS::Events::Rule
+    Condition: IncludeEC2
+    Properties:
+      Name: datadog-agent-resource-update-rule-ec2
+      Description: Forward EC2 CloudTrail events to the Datadog resource update intake
+      State: ENABLED
+      EventPattern:
+        source:
+          - aws.ec2
+        detail-type:
+          - "AWS API Call via CloudTrail"
+        detail:
+          errorCode:
+            - exists: false
+          $or:
+            - eventName:
+                - RunInstances
+                - ModifyInstanceAttribute
+            - eventName:
+                - CreateTags
+                - DeleteTags
+              requestParameters:
+                resourcesSet:
+                  items:
+                    resourceId:
+                      - prefix: "i-"
+      Targets:
+        - Id: datadog-intake
+          Arn: !GetAtt DDIntakeApiDestination.Arn
+          RoleArn: !GetAtt DDEventBridgeInvocationRole.Arn
+  DDEventForwardingRuleEKS:
+    Type: AWS::Events::Rule
+    Condition: IncludeEKS
+    Properties:
+      Name: datadog-agent-resource-update-rule-eks
+      Description: Forward EKS CloudTrail events to the Datadog resource update intake
+      State: ENABLED
+      EventPattern:
+        source:
+          - aws.eks
+        detail-type:
+          - "AWS API Call via CloudTrail"
+        detail:
+          errorCode:
+            - exists: false
+          $or:
+            - eventName:
+                - CreateCluster
+                - UpdateClusterConfig
+                - UpdateClusterVersion
+            - eventName:
+                - TagResource
+                - UntagResource
+              requestParameters:
+                resourceArn:
+                  - wildcard: "*:cluster/*"
+      Targets:
+        - Id: datadog-intake
+          Arn: !GetAtt DDIntakeApiDestination.Arn
+          RoleArn: !GetAtt DDEventBridgeInvocationRole.Arn
@@ -219,6 +219,11 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
+  ShouldForwardEvents:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Ref InstrumentationResourceTypes]
+          - ""
   EnableAgentlessScanning:
     Fn::And:
       - Fn::Not:
@@ -556,6 +561,20 @@ Resources:
         stack_id: !Ref AWS::StackId
         forwarder_arn: !GetAtt ForwarderStack.Outputs.DatadogForwarderArn
 
+  # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+  # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+  # single-region (covers the region this stack is deployed in).
+  DatadogAgentResourceUpdateForwardingStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: ShouldForwardEvents
+    Properties:
+      TemplateURL: "https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agent_resource_update_forwarding.yaml"
+      Parameters:
+        APIKey: !Ref APIKey
+        APPKey: !Ref APPKey
+        DatadogSite: !Ref DatadogSite
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+
   # Step 6: Notify starting agentless scanning setup (if enabling)
   NotifyAgentlessScanningStarted:
     Type: Custom::WorkflowStatus

@@ -119,6 +119,11 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
+  ShouldForwardEvents:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Ref InstrumentationResourceTypes]
+          - ""
   IsGov:
     Fn::Or:
       - Fn::Equals:
@@ -412,6 +417,20 @@ Resources:
         stack_id: !Ref AWS::StackId
         forwarder_arn: !GetAtt ForwarderStack.Outputs.DatadogForwarderArn
 
+  # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+  # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+  # single-region (covers the region this stack is deployed in).
+  DatadogAgentResourceUpdateForwardingStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: ShouldForwardEvents
+    Properties:
+      TemplateURL: "https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agent_resource_update_forwarding.yaml"
+      Parameters:
+        APIKey: !Ref APIKey
+        APPKey: !Ref APPKey
+        DatadogSite: !Ref DatadogSite
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+
   # Step 6: Final notification - stack complete (with forwarder)
   NotifyStackCompleteWithForwarder:
     Type: Custom::WorkflowStatus

@@ -1 +1 @@
-v4.11.1
+v4.12.0