diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 8e53944..a62ea3f 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 4.12.0 (May 27, 2026)
+
+- Make the `InstrumentationResourceTypes` parameter (added in 4.10.0) available in `main_workflow.yaml` and `main_extended_workflow.yaml` as well
+
 # 4.11.0 (May 19, 2026)

 - Allow the Datadog Agent running in agentless scanner instances to read the systemd journal.
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml
index 5b2e19a..1b316b0 100644
--- a/aws_quickstart/main_extended_workflow.yaml
+++ b/aws_quickstart/main_extended_workflow.yaml
@@ -126,6 +126,13 @@ Parameters:
 For cross-account Agentless Scanning: the ARNs of Agentless Scanner roles authorized to scan this account.
 AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"
 Default: ""
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types, in UDM format, that Datadog uses to determine which additional
+ IAM permissions to grant the integration role. These permissions are used for Datadog Agent instrumentation.
+ Leave blank to skip granting extra instrumentation permissions.
+ Default: ""
 WorkflowId:
 Description: >-
 Unique identifier for this workflow instance. This is generated by the Datadog UI and used to track
@@ -474,6 +481,8 @@ Resources:
 ExternalId: !Ref ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -756,6 +765,7 @@ Metadata:
 - ScannerDelegateRoleName
 - ScannerInstanceRoleARN
 - DisableMetricCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
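Review bot: The new `InstrumentationResourceTypes` parameter decides which extra IAM permissions the integration role receives, yet it is declared with no `AllowedPattern`, unlike the role-ARN parameter directly above it in this hunk. CloudFormation applies `AllowedPattern` to every element of a `CommaDelimitedList`, so a line such as `AllowedPattern: "<regex for one UDM resource type, or empty>"` would reject malformed or unexpected entries before they reach the nested stack. How the nested template treats an unrecognised type is not visible here, so it is worth confirming that it grants nothing in that case. The Description could also say where the type-to-permission mapping is documented, so an operator can review what a given value will grant. The Parameters block continues outside the hunk, and the same applies to the identical parameter added in the first hunk of main_workflow.yaml.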
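Review bot: The second added line, `DatadogSite: !Ref DatadogSite`, passes a new parameter to the nested stack that neither the 4.12.0 changelog entry nor anything else in this diff explains. If the nested template does not declare `DatadogSite`, stack creation or update would fail. If it does declare it, the changelog should state why the site value is now needed alongside the instrumentation types. A short comment above the line, for example `# DatadogSite: consumed by the integration-role stack since <version>`, would record that. The resource being edited starts and ends outside the hunk, and the same two lines are added in the second hunk of main_workflow.yaml.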
diff --git a/aws_quickstart/main_workflow.yaml b/aws_quickstart/main_workflow.yaml
index d361e22..9160492 100644
--- a/aws_quickstart/main_workflow.yaml
+++ b/aws_quickstart/main_workflow.yaml
@@ -68,6 +68,13 @@ Parameters:
 External ID for the IAM role trust policy. This is generated by the Datadog UI and ensures that only your Datadog organization can assume this role.
 Type: String
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types, in UDM format, that Datadog uses to determine which additional
+ IAM permissions to grant the integration role. These permissions are used for Datadog Agent instrumentation.
+ Leave blank to skip granting extra instrumentation permissions.
+ Default: ""
 Mappings:
 # AccountIdGovCloud is only read on GovCloud sites (ddog-gov.com, us2.ddog-gov.com).
 # Commercial sites carry "NOT_APPLICABLE" so Fn::FindInMap can resolve the key at
@@ -330,6 +337,8 @@ Resources:
 ExternalId: !Ref ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -490,6 +499,7 @@ Metadata:
 Parameters:
 - IAMRoleName
 - DisableResourceCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index bf721f5..63a54c4 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.11.0
+v4.12.0