From efa096253d7be99c1577a82428aae396bf9d2ded Mon Sep 17 00:00:00 2001
From: Moez Ezzeddine
Date: Tue, 24 Feb 2026 16:22:14 +0100
Subject: [PATCH 1/2] Merge agentless scanning params into single AgentlessVulnerabilityScanning

Replace AgentlessHostScanning, AgentlessContainerScanning, and AgentlessLambdaScanning with a single AgentlessVulnerabilityScanning parameter. The Lambda function fans out the single value to the three fine-grained API attributes (vuln_host_os, vuln_containers_os, lambda) that the Datadog API expects.

Co-Authored-By: Claude Opus 4.6
---
 aws_quickstart/datadog_agentless_api_call.py | 10 ++--
 .../datadog_agentless_api_call_test.py | 4 +-
 .../datadog_agentless_delegate_role.yaml | 24 ++-------
 ...adog_agentless_delegate_role_stackset.yaml | 4 +-
 .../datadog_agentless_scanning.yaml | 38 +++-----------
 aws_quickstart/main_extended.yaml | 52 +++----------------
 aws_quickstart/main_extended_workflow.yaml | 52 +++----------------
 aws_quickstart/taskcat/.taskcat_extended.yml | 4 +-
 8 files changed, 32 insertions(+), 156 deletions(-)

diff --git a/aws_quickstart/datadog_agentless_api_call.py b/aws_quickstart/datadog_agentless_api_call.py
index 2aced84f..427dd5b7 100644
--- a/aws_quickstart/datadog_agentless_api_call.py
+++ b/aws_quickstart/datadog_agentless_api_call.py
@@ -15,9 +15,7 @@ def call_datadog_agentless_api(context, event, method):
 app_key = event["ResourceProperties"]["APPKey"]
 dd_site = event["ResourceProperties"]["DatadogSite"]
 account_id = event["ResourceProperties"]["AccountId"]
- hosts = event["ResourceProperties"]["Hosts"]
- containers = event["ResourceProperties"]["Containers"]
- lambdas = event["ResourceProperties"]["Lambdas"]
+ vulnerability_scanning = event["ResourceProperties"]["VulnerabilityScanning"]
 sensitive_data = event["ResourceProperties"]["SensitiveData"]
 # Optional parameters
 launch_template_id = event["ResourceProperties"].get("LaunchTemplateId")
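Review bot: The added `VulnerabilityScanning` lookup is the only point where the merged template flag enters the function, yet nothing here says that this one value is later expanded into three separate API attributes; a one-line comment on the new line, `# Single template flag; fanned out to vuln_host_os / vuln_containers_os / lambda below`, would save the next reader a search. As a point of style, the new line repeats the `event["ResourceProperties"]` indexing that every neighbouring line performs; binding it once as `props = event["ResourceProperties"]` and reading `props["VulnerabilityScanning"]` keeps the block uniform, though the untouched lines would need the same treatment. The bare `[]` access raises `KeyError` if an event ever arrives with only the old `Hosts`/`Containers`/`Lambdas` properties; whether such an event can reach this code during a stack update is not visible from the hunk, so that is a question rather than a defect. `call_datadog_agentless_api` begins and continues outside the hunk.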
@@ -76,9 +74,9 @@ def call_datadog_agentless_api(context, event, method):
 "id": account_id,
 "type": "aws_scan_options",
 "attributes": {
- "vuln_containers_os": containers == "true",
- "vuln_host_os": hosts == "true",
- "lambda": lambdas == "true",
+ "vuln_containers_os": vulnerability_scanning == "true",
+ "vuln_host_os": vulnerability_scanning == "true",
+ "lambda": vulnerability_scanning == "true",
 "sensitive_data": sensitive_data == "true",
 },
 },
diff --git a/aws_quickstart/datadog_agentless_api_call_test.py b/aws_quickstart/datadog_agentless_api_call_test.py
index 384e2149..4857f50b 100644
--- a/aws_quickstart/datadog_agentless_api_call_test.py
+++ b/aws_quickstart/datadog_agentless_api_call_test.py
@@ -33,9 +33,7 @@ def setUp(self):
 "APPKey": "0123456789abcdef0123456789abcdef12345678",
 "DatadogSite": "datadoghq.com",
 "AccountId": "123456789012",
- "Hosts": "true",
- "Containers": "false",
- "Lambdas": "true",
+ "VulnerabilityScanning": "true",
 "SensitiveData": "false",
 },
 "StackId": "arn:aws:cloudformation:us-east-1:358251252154:stack/DatadogAgentlessIntegration/22b23bca-de8b-451c-99e4-c69b9ad20ec7",
diff --git a/aws_quickstart/datadog_agentless_delegate_role.yaml b/aws_quickstart/datadog_agentless_delegate_role.yaml
index b9685282..1056e03a 100644
--- a/aws_quickstart/datadog_agentless_delegate_role.yaml
+++ b/aws_quickstart/datadog_agentless_delegate_role.yaml
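Review bot: The three added attribute lines evaluate the same `vulnerability_scanning == "true"` comparison three times, and the removed lines show these attributes used to be independently settable, so an account whose API state previously had only a subset enabled will on the next stack update have all three overwritten with the single value — the scanning scope widens or narrows silently. That coupling is the intent of the commit, but it deserves a comment in the payload, `# One template flag drives all three vulnerability-scanning attributes; they are intentionally not configurable separately from CloudFormation`, so a later reader does not "fix" it back to three flags. Computing the boolean once, `vuln_enabled = vulnerability_scanning == "true"`, and using `vuln_enabled` in the three attribute lines also makes the fan-out visible at a glance. The enclosing function and the surrounding request body start and end outside the hunk.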
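Review bot: The fixture now only carries `"VulnerabilityScanning": "true"`, so the disabled branch — where `vuln_host_os`, `vuln_containers_os` and `lambda` must all come out `False` — is not exercised anywhere visible in the hunk, and the old fixture's mixed `Hosts: true / Containers: false` case that would have caught a wrong attribute mapping is gone. A second event with `"VulnerabilityScanning": "false"`, or one assertion that the three attributes in the built payload all equal the single flag, would pin the fan-out the commit message describes. Whether such an assertion already exists elsewhere in the file cannot be seen from here; `setUp` continues outside the hunk.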
@@ -32,28 +32,12 @@ Parameters: - ap1.datadoghq.com - ap2.datadoghq.com - AgentlessHostScanning: + AgentlessVulnerabilityScanning: Type: String AllowedValues: - true - false - Description: Enable Agentless Scanning of host vulnerabilities. - Default: false - - AgentlessContainerScanning: - Type: String - AllowedValues: - - true - - false - Description: Enable Agentless Scanning of container vulnerabilities. - Default: false - - AgentlessLambdaScanning: - Type: String - AllowedValues: - - true - - false - Description: Enable Agentless Scanning of Lambda vulnerabilities. + Description: Enable Agentless Vulnerability Scanning (hosts, containers, and Lambda functions). Default: false AgentlessSensitiveDataScanning: @@ -353,9 +337,7 @@ Resources: APPKey: !Ref "DatadogAPPKey" DatadogSite: !Ref "DatadogSite" AccountId: !Ref "AWS::AccountId" - Hosts: !Ref "AgentlessHostScanning" - Containers: !Ref "AgentlessContainerScanning" - Lambdas: !Ref "AgentlessLambdaScanning" + VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" IntegrationRoleName: !Ref "DatadogIntegrationRoleName" Partition: !Ref "AWS::Partition" diff --git a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml index fdaf6f00..ae751a83 100644 --- a/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml +++ b/aws_quickstart/datadog_agentless_delegate_role_stackset.yaml @@ -321,9 +321,7 @@ Resources: APPKey: !Ref "DatadogAPPKey" DatadogSite: !Ref "DatadogSite" AccountId: !Ref "AWS::AccountId" - Hosts: !Ref "AgentlessVulnerabilityScanning" - Containers: !Ref "AgentlessVulnerabilityScanning" - Lambdas: !Ref "AgentlessVulnerabilityScanning" + VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" IntegrationRoleName: !Ref "DatadogIntegrationRoleName" Partition: !Ref "AWS::Partition" 
diff --git a/aws_quickstart/datadog_agentless_scanning.yaml b/aws_quickstart/datadog_agentless_scanning.yaml index 51f240a3..1f3fb7af 100644 --- a/aws_quickstart/datadog_agentless_scanning.yaml +++ b/aws_quickstart/datadog_agentless_scanning.yaml @@ -26,31 +26,13 @@ Parameters: Description: Your current AWS account ID for stack deployment AllowedPattern: "^[0-9]{12}$" - AgentlessHostScanning: + AgentlessVulnerabilityScanning: Type: String AllowedValues: - true - false Description: >- - Enable Agentless Scanning of host vulnerabilities. - Default: false - - AgentlessContainerScanning: - Type: String - AllowedValues: - - true - - false - Description: >- - Enable Agentless Scanning of container vulnerabilities. - Default: false - - AgentlessLambdaScanning: - Type: String - AllowedValues: - - true - - false - Description: >- - Enable Agentless Scanning of Lambda vulnerabilities. + Enable Agentless Vulnerability Scanning (hosts, containers, and Lambda functions). Default: false AgentlessSensitiveDataScanning: @@ -1074,9 +1056,7 @@ Resources: APPKey: !Ref "DatadogAPPKey" DatadogSite: !Ref "DatadogSite" AccountId: !Ref "AWS::AccountId" - Hosts: !Ref "AgentlessHostScanning" - Containers: !Ref "AgentlessContainerScanning" - Lambdas: !Ref "AgentlessLambdaScanning" + VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning" SensitiveData: !Ref "AgentlessSensitiveDataScanning" IntegrationRoleName: !Ref "DatadogIntegrationRoleName" Partition: !Ref "AWS::Partition" @@ -1117,9 +1097,7 @@ Metadata: - DatadogIntegrationRoleName - AccountId - DatadogSite - - AgentlessHostScanning - - AgentlessContainerScanning - - AgentlessLambdaScanning + - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning - Label: default: Advanced 
@@ -1148,11 +1126,7 @@ Metadata: default: "AWS Account ID *" DatadogSite: default: "DatadogSite *" - AgentlessHostScanning: - default: "AgentlessHostScanning *" - AgentlessContainerScanning: - default: "AgentlessContainerScanning *" - AgentlessLambdaScanning: - default: "AgentlessLambdaScanning *" + AgentlessVulnerabilityScanning: + default: "AgentlessVulnerabilityScanning *" AgentlessSensitiveDataScanning: default: "AgentlessSensitiveDataScanning *" diff --git a/aws_quickstart/main_extended.yaml b/aws_quickstart/main_extended.yaml index ee20f1fe..e4f7bf7b 100644 --- a/aws_quickstart/main_extended.yaml +++ b/aws_quickstart/main_extended.yaml @@ -87,29 +87,13 @@ Parameters: Datadog CSPM is a product that automatically detects resource misconfigurations in your AWS account according to industry benchmarks. More info: https://www.datadoghq.com/product/security-platform/cloud-security-posture-management/ Default: false - AgentlessHostScanning: + AgentlessVulnerabilityScanning: Type: String AllowedValues: - true - false Description: >- - Enable Agentless Scanning of host vulnerabilities. - Default: false - AgentlessContainerScanning: - Type: String - AllowedValues: - - true - - false - Description: >- - Enable Agentless Scanning of container vulnerabilities. - Default: false - AgentlessLambdaScanning: - Type: String - AllowedValues: - - true - - false - Description: >- - Enable Agentless Scanning of Lambda vulnerabilities. + Enable Agentless Vulnerability Scanning (hosts, containers, and Lambda functions). Default: false AgentlessSensitiveDataScanning: Type: String @@ -152,13 +136,7 @@ Rules: - 'true' - Fn::Or: - Fn::Equals: - - Ref: AgentlessHostScanning - - 'true' - - Fn::Equals: - - Ref: AgentlessContainerScanning - - 'true' - - Fn::Equals: - - Ref: AgentlessLambdaScanning + - Ref: AgentlessVulnerabilityScanning - 'true' - Fn::Equals: - Ref: AgentlessSensitiveDataScanning 
@@ -181,13 +159,7 @@ Conditions: - ddog-gov.com - Fn::Or: - Fn::Equals: - - !Ref AgentlessHostScanning - - true - - Fn::Equals: - - !Ref AgentlessContainerScanning - - true - - Fn::Equals: - - !Ref AgentlessLambdaScanning + - !Ref AgentlessVulnerabilityScanning - true - Fn::Equals: - !Ref AgentlessSensitiveDataScanning @@ -229,9 +201,7 @@ Resources: DatadogAPPKey: !Ref APPKey DatadogSite: !Ref DatadogSite AccountId: !Ref AWS::AccountId - AgentlessHostScanning: !Ref AgentlessHostScanning - AgentlessContainerScanning: !Ref AgentlessContainerScanning - AgentlessLambdaScanning: !Ref AgentlessLambdaScanning + AgentlessVulnerabilityScanning: !Ref AgentlessVulnerabilityScanning AgentlessSensitiveDataScanning: !Ref AgentlessSensitiveDataScanning ScannerDelegateRoleName: !Ref ScannerDelegateRoleName ScannerInstanceRoleARN: !If [IsCrossAccountScanning, !Join [",", !Ref "ScannerInstanceRoleARN"], !Ref "AWS::NoValue"] @@ -311,9 +281,7 @@ Metadata: - DatadogSite - InstallLambdaLogForwarder - CloudSecurityPostureManagement - - AgentlessHostScanning - - AgentlessContainerScanning - - AgentlessLambdaScanning + - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning - Label: default: Advanced @@ -331,12 +299,8 @@ Metadata: default: "DatadogSite *" CloudSecurityPostureManagement: default: "CloudSecurityPostureManagement *" - AgentlessHostScanning: - default: "AgentlessHostScanning *" - AgentlessContainerScanning: - default: "AgentlessContainerScanning *" - AgentlessLambdaScanning: - default: "AgentlessLambdaScanning *" + AgentlessVulnerabilityScanning: + default: "AgentlessVulnerabilityScanning *" AgentlessSensitiveDataScanning: default: "AgentlessSensitiveDataScanning *" InstallLambdaLogForwarder: diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml index fea55cfe..2ae142d8 100644 --- a/aws_quickstart/main_extended_workflow.yaml +++ b/aws_quickstart/main_extended_workflow.yaml 
@@ -97,29 +97,13 @@ Parameters: Datadog CSPM is a product that automatically detects resource misconfigurations in your AWS account according to industry benchmarks. More info: https://www.datadoghq.com/product/security-platform/cloud-security-posture-management/ Default: false - AgentlessHostScanning: + AgentlessVulnerabilityScanning: Type: String AllowedValues: - true - false Description: >- - Enable Agentless Scanning of host vulnerabilities. - Default: false - AgentlessContainerScanning: - Type: String - AllowedValues: - - true - - false - Description: >- - Enable Agentless Scanning of container vulnerabilities. - Default: false - AgentlessLambdaScanning: - Type: String - AllowedValues: - - true - - false - Description: >- - Enable Agentless Scanning of Lambda vulnerabilities. + Enable Agentless Vulnerability Scanning (hosts, containers, and Lambda functions). Default: false AgentlessSensitiveDataScanning: Type: String @@ -172,13 +156,7 @@ Rules: - 'true' - Fn::Or: - Fn::Equals: - - Ref: AgentlessHostScanning - - 'true' - - Fn::Equals: - - Ref: AgentlessContainerScanning - - 'true' - - Fn::Equals: - - Ref: AgentlessLambdaScanning + - Ref: AgentlessVulnerabilityScanning - 'true' - Fn::Equals: - Ref: AgentlessSensitiveDataScanning @@ -204,13 +182,7 @@ Conditions: - ddog-gov.com - Fn::Or: - Fn::Equals: - - !Ref AgentlessHostScanning - - true - - Fn::Equals: - - !Ref AgentlessContainerScanning - - true - - Fn::Equals: - - !Ref AgentlessLambdaScanning + - !Ref AgentlessVulnerabilityScanning - true - Fn::Equals: - !Ref AgentlessSensitiveDataScanning 
@@ -575,9 +547,7 @@ Resources: DatadogAPPKey: !Ref APPKey DatadogSite: !Ref DatadogSite AccountId: !Ref AWS::AccountId - AgentlessHostScanning: !Ref AgentlessHostScanning - AgentlessContainerScanning: !Ref AgentlessContainerScanning - AgentlessLambdaScanning: !Ref AgentlessLambdaScanning + AgentlessVulnerabilityScanning: !Ref AgentlessVulnerabilityScanning AgentlessSensitiveDataScanning: !Ref AgentlessSensitiveDataScanning ScannerDelegateRoleName: !Ref ScannerDelegateRoleName ScannerInstanceRoleARN: !If [IsCrossAccountScanning, !Join [",", !Ref "ScannerInstanceRoleARN"], !Ref "AWS::NoValue"] @@ -730,9 +700,7 @@ Metadata: - ExternalId - InstallLambdaLogForwarder - CloudSecurityPostureManagement - - AgentlessHostScanning - - AgentlessContainerScanning - - AgentlessLambdaScanning + - AgentlessVulnerabilityScanning - AgentlessSensitiveDataScanning - Label: default: Advanced @@ -754,12 +722,8 @@ Metadata: default: "ExternalId *" CloudSecurityPostureManagement: default: "CloudSecurityPostureManagement *" - AgentlessHostScanning: - default: "AgentlessHostScanning *" - AgentlessContainerScanning: - default: "AgentlessContainerScanning *" - AgentlessLambdaScanning: - default: "AgentlessLambdaScanning *" + AgentlessVulnerabilityScanning: + default: "AgentlessVulnerabilityScanning *" AgentlessSensitiveDataScanning: default: "AgentlessSensitiveDataScanning *" InstallLambdaLogForwarder: diff --git a/aws_quickstart/taskcat/.taskcat_extended.yml b/aws_quickstart/taskcat/.taskcat_extended.yml index e9bdc178..b019b2d6 100644 --- a/aws_quickstart/taskcat/.taskcat_extended.yml +++ b/aws_quickstart/taskcat/.taskcat_extended.yml @@ -19,7 +19,5 @@ tests: DisableMetricCollection: "false" CloudSecurityPostureManagement: "false" DisableResourceCollection: "false" - AgentlessHostScanning: "true" - AgentlessContainerScanning: "true" - AgentlessLambdaScanning: "true" + AgentlessVulnerabilityScanning: "true" AgentlessSensitiveDataScanning: "true" 
From 524be52fb9b2b4dbcba5da2180cb8ad91c87244b Mon Sep 17 00:00:00 2001
From: Moez Ezzeddine
Date: Wed, 25 Feb 2026 13:39:21 +0100
Subject: [PATCH 2/2] Bump quickstart version from v4.6.0 to v4.6.1

Co-Authored-By: Claude Opus 4.6
---
 aws_quickstart/version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index 1db9ff27..a7a9fdd9 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.6.3
+v4.6.4