DataDog · aliciascott · Apr 30, 2024 · Feb 21, 2024 · Feb 21, 2024 · Feb 21, 2024
@@ -4290,6 +4290,11 @@ menu:
       parent: csm_setup
       identifier: csm_setup_cloud_workload_security
       weight: 10010
+    - name: CSM Agentless Scanning
+      url: security/cloud_security_management/setup/agentless_scanning
+      parent: csm_setup
+      identifier: csm_setup_agentless_scanning
+      weight: 10015
     - name: Agent
       url: security/cloud_security_management/setup/csm_cloud_workload_security/agent
       parent: csm_setup_cloud_workload_security
@@ -4385,16 +4390,21 @@ menu:
       parent: csm
       identifier: vulnerabilities
       weight: 5
+    - name: Agentless  Scanning
+      url: security/cloud_security_management/agentless_scanning
+      parent: csm
+      identifier: csm_agentless
+      weight: 6
     - name: OOTB Rules
       url: security/default_rules/#cat-cloud-security-management
       parent: csm
       identifier: csm_default_rules
-      weight: 6
+      weight: 7
     - name: Review and Remediate
       url: security/cloud_security_management/review_remediate
       parent: csm
       identifier: csm_review_remediate
-      weight: 7
+      weight: 8
     - name: Mute Issues
       url: security/cloud_security_management/review_remediate/mute_issues
       parent: csm_review_remediate
@@ -4414,7 +4424,7 @@ menu:
       url: security/cloud_security_management/severity_scoring/
       parent: csm
       identifier: csm_severity_scoring
-      weight: 10
+      weight: 9
     - name: Guides
       url: security/cloud_security_management/guide/
       parent: csm

@@ -0,0 +1,109 @@
+---
+title: Cloud Security Management Agentless Scanning
+kind: documentation
+aliases:
+ - /security/agentless_scanning
+further_reading:
+- link: "/security/cloud_security_management/setup/agentless_scanning"
+  tag: "Documentation"
+  text: "Setting up Agentless Scanning"
+- link: "/security/vulnerabilities"
+  tag: "Documentation"
+  text: "Read more about CSM Vulnerabilities"
+---
+
+<div class="alert alert-info">Agentless Scanning for Cloud Security Management is in public beta for AWS cloud environments.</div>
+
+## Overview
+
+Agentless Scanning provides visibility into vulnerabilities that exist within your AWS hosts, running containers, Lambda functions, and Amazon Machine Images (AMIs) without requiring you to install the Datadog Agent. Datadog recommends enabling Agentless Scanning as a first step to gain complete visibility into your cloud resources, and then installing the Datadog Agent on your core assets over time for deeper security and observability context.
+
+## Availability
+
+The following table provides a summary of Agentless scanning technologies in relation to their corresponding components:
+
+| Component                   | Supported technology                                        |
+|-----------------------------|-------------------------------------------------------------|
+| Cloud Provider              | AWS                                                         |
+| Operating System            | Linux                                                       |
+| Host Filesystem             | Btrfs, Ext2, Ext3, Ext4, xfs                                |
+| Package Manager             | Deb (debian, ubuntu) <br> RPM (amazon-linux, fedora, redhat, centos) <br> APK (alpine) |
+| Encryption                  | AWS </br> Unencrypted </br> Encrypted - Platform Managed Key (PMK) </br> **Note**: Encrypted - Customer Managed Key (CMK) is **not** supported |
+| Container runtime           | Docker, containerd </br> **Note**: CRI-O is **not** supported                                         |
+| Serverless                  | AWS, AWS Lambda                                             |
+| Serverless languages        | .Net, Python, Java, Ruby, Node.js, Go                        |
+
+## How it works
+
+After [setting up Agentless scanning][1] for your resources, Datadog schedules automated scans in 12-hour intervals through [Remote Configuration][2]. During a scan cycle, Agentless scanners gather Lambda code dependencies and create snapshots of your EC2 instances. With these snapshots, the Agentless scanners scan, generate, and transmit a list of packages to Datadog to check for vulnerabilities, along with Lambda code dependencies. When scans of a snapshot are completed, the snapshot is deleted.
+
+The following diagram illustrates how Agentless Scanning works:
+
+{{< img src="/security/agentless_scanning/how_agentless_works.png" alt="Diagram showing how Agentless scanning works" width="90%" >}}
+
+1. Datadog schedules a scan and sends which resources to scan through Remote Configuration.
+
+    **Note**: Scheduled scans ignore hosts that already have the [Datadog Agent installed with Cloud Security Management enabled](#agentless-scanning-with-existing-agent-installation). Datadog schedules a continuous re-scanning of resources every 12 hours to provide up-to-date insights into potential vulnerabilities and weaknesses.
+
+2. For Lambda functions, the scanners fetch the function's code.
+3. The scanner creates snapshots of EBS volumes used by EC2 instances. These snapshots serve as the basis for conducting scans. Using the snapshots, or the code, the scanner generates a list of packages.
+4. After the scan is complete, only the list of packages is transmitted to Datadog, while all other data remains within your infrastructure. Snapshots created during the scan cycle are deleted.
+5. Leveraging the collected package list along with Datadog's access to the Trivy vulnerabilities database, Datadog finds matching affected vulnerabilities in your resources and code.
+
+**Notes**:
+- The scanner operates as a separate EC2 instance within your infrastructure, ensuring minimal impact on existing systems and resources.
+- The scanner securely collects a list of packages from your hosts without transmitting any confidential or private information outside your infrastructure.
+- The scanner limits its use of the AWS API to prevent reaching the AWS rate limit, and uses exponential backoff if needed.
+
+## What data is sent to Datadog
+The Agentless scanner uses the OSWAP [cycloneDX][5] format to transmit a list of packages to Datadog. No confidential or private information is ever transmitted outside of your infrastructure.
+
+Datadog does **not** send:
+- System and package configurations
+- Encryption keys and certificates
+- Logs and Audit Trails
+- Sensitive business data
+
+## Security considerations
+
+Because the scanner instances grant [permissions][3] to create and copy EBS snapshots, and describe volumes, Datadog advises restricting access to these instances solely to administrative users. 
+
+To further mitigate this risk, Datadog implements the following security measures:
+
+- The Datadog scanner operates _within_ your infrastructure, ensuring that all data, including snapshots and list of packages, remain isolated and secure.
+- All data transmission between the scanner and Datadog is encrypted using industry standard protocols (such as HTTPS) to ensure data confidentiality and integrity.
+- The Datadog scanner operates under the principle of least privilege. This means that it is granted only the minimum permissions necessary to perform its intended functions effectively.
+- Datadog carefully reviews and limits the permissions granted to the scanner to ensure that it can conduct scans without unnecessary access to sensitive data or resources.
+- Unattended security updates are enabled on Datadog's scanner instances. This feature automates the process of installing critical security patches and updates without requiring manual intervention.
+- The Datadog scanner instances are automatically rotated every 24 hours. This rotation ensures that the scanner instances are continually updated with the latest Ubuntu Amazon Machine Images (AMIs).
+- Access to the scanner instances is tightly controlled through the use of security groups. No inbound access to the scanner is allowed, restricting possibility to compromise the instance.
+- No confidential or private information is ever transmitted outside your infrastructure.
+
+## Agentless Scanning with existing Agent installations
+
+When installed, the Datadog Agent offers real-time, deep visibility into risks and vulnerabilities that exist in your cloud workloads. It is recommended to fully install the Datadog Agent.
+
+As a result, Agentless Scanning excludes resources from its scans that have the Datadog Agent installed and configured for [Vulnerability Management][8]. In this way, Cloud Security Management offers complete visibility of your risk landscape without overriding the benefits received from installing the Datadog Agent with Vulnerability Management.
+
+The following diagram illustrations how Agentless scanning works with existing Agent installations:
+
+{{< img src="/security/agentless_scanning/agentless_existing.png" alt="Diagram showing how Agentless scanning works when the Agent is already installed with CSM vulnerability management" width="90%" >}}
+
+## Cloud service provider cost
+
+When using Agentless Scanning, there are additional costs for running scanners in your cloud environments. To optimize on costs while being able to reliably scan every 12 hours, Datadog recommends setting up [Agentless Scanning with Terraform][4] as the default template, as this also avoids cross-region networking. 
+
+To establish estimates on scanner costs, reach out to your [Datadog Customer Success Manager.][7]
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /security/cloud_security_management/setup/agentless_scanning
+[2]: /agent/remote_config/?tab=configurationyamlfile
+[3]: /security/cloud_security_management/setup/agentless_scanning/#permissions
+[4]: /security/cloud_security_management/setup/agentless_scanning#terraform
+[5]: https://cyclonedx.org/
+[7]: mailto:[email protected]
+[8]: https://app.datadoghq.com/security/csm/vm
+[9]: /security/vulnerabilities