
feat(aws_quickstart): add datadog_agentless_delegate_role_saas.yaml for SaaS-mode Agentless Scanning #316

Open
k3nz0 wants to merge 4 commits into master from moez.ezzeddine/agentless-delegate-role-saas


Conversation


@k3nz0 k3nz0 commented Jun 2, 2026

Summary

  • Adds datadog_agentless_saas.yaml: a new CloudFormation template for SaaS-mode Agentless Scanning. It provisions a single DatadogAgentlessSaaSScanningPolicy managed policy (covering EBS snapshot access, Lambda/ECR scanning, S3/DSPM, and KMS decryption) and attaches it directly to the local Datadog integration role — no scanner EC2/VPC/ASG resources and no delegate-role chaining. A Lambda-backed custom resource also unconditionally attaches SecurityAudit to the integration role.
  • Updates release.sh to include the new template in the placeholder substitution and S3 upload pipeline.
  • Adds CHANGELOG entry as 4.14.0.

Test plan

  • Verify datadog_agentless_saas.yaml passes CloudFormation template validation (aws cloudformation validate-template)
  • Deploy the stack in a test account and confirm DatadogAgentlessSaaSScanningPolicy is attached to DatadogIntegrationRole and SecurityAudit is attached via the custom resource
  • Run release.sh in dry-run / test bucket and confirm the new template is uploaded with placeholders substituted
  • Confirm no other templates are affected

🤖 Generated with Claude Code

…or SaaS-mode Agentless Scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@k3nz0 k3nz0 requested review from a team as code owners June 2, 2026 15:28
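The Lambda-backed custom resource the description mentions, the one that attaches SecurityAudit to the integration role, as an added example; this is not the PR's template code. It assumes the resource receives the role name as a `RoleName` property and that stack Delete detaches the policy again; `FakeIam` is a constructed stand-in for the boto3 IAM client so the example runs offline.

```python
import json
import urllib.request

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # real AWS-managed policy

def apply_request(event, iam):
    """Attach on Create/Update, detach on Delete; returns (status, data)."""
    role = event["ResourceProperties"]["RoleName"]  # property name is an assumption
    request_type = event["RequestType"]
    if request_type in ("Create", "Update"):
        iam.attach_role_policy(RoleName=role, PolicyArn=SECURITY_AUDIT_ARN)  # idempotent
    elif request_type == "Delete":
        try:
            iam.detach_role_policy(RoleName=role, PolicyArn=SECURITY_AUDIT_ARN)
        except iam.exceptions.NoSuchEntityException:
            pass  # already detached; failing here would block stack deletion
    else:
        return "FAILED", {"Reason": f"unsupported RequestType {request_type}"}
    return "SUCCESS", {"PolicyArn": SECURITY_AUDIT_ARN}

def handler(event, context, iam=None):
    """Lambda entrypoint: must always answer CloudFormation or the stack hangs."""
    if iam is None:
        import boto3  # bundled in the Lambda Python runtime
        iam = boto3.client("iam")
    try:
        status, data = apply_request(event, iam)
    except Exception as exc:  # report FAILED instead of letting CloudFormation time out
        status, data = "FAILED", {"Reason": str(exc)}
    body = json.dumps({
        "Status": status, "Data": data,
        "Reason": data.get("Reason", f"see log stream {context.log_stream_name}"),
        "PhysicalResourceId": event.get("PhysicalResourceId") or context.log_stream_name,
        "StackId": event["StackId"], "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()

class FakeIam:  # constructed stand-in for boto3's IAM client so this runs offline
    class exceptions:
        NoSuchEntityException = type("NoSuchEntityException", (Exception,), {})
    def __init__(self):
        self.attached = set()
    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached.add((RoleName, PolicyArn))
    def detach_role_policy(self, RoleName, PolicyArn):
        if (RoleName, PolicyArn) not in self.attached:
            raise self.exceptions.NoSuchEntityException()
        self.attached.remove((RoleName, PolicyArn))
```

A second Delete (for example a retried stack teardown) is tolerated rather than reported as a failure, which is what keeps the custom resource from wedging the stack.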

datadog-datadog-prod-us1-2 Bot commented Jun 2, 2026

Pipelines


⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/cloudformation-template | validate_versions

Error: YAML files changed but version.txt not updated in aws_quickstart. Validation failed: version.txt must be updated when changes occur in YAML files.

Commit SHA: badd744

k3nz0 and others added 3 commits June 2, 2026 18:28
… policy on integration role

Replace the chained delegate-role approach with a single DatadogAgentlessSaaSScanningPolicy
attached directly to the Datadog integration role.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…_saas.yaml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…PI call and drop Sid fields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>