
[K9VULN-11615] Add SecurityAudit policy attachment to agentless scanning templates #275

Merged
k3nz0 merged 3 commits into master from moez/add-security-audit-policy-agentless
Feb 25, 2026

Conversation

k3nz0 (Member) commented Feb 16, 2026

Summary

  • Enhances the existing datadog_agentless_api_call.py Lambda to attach the SecurityAudit AWS managed policy to the Datadog integration role during stack creation, which is required for agentless scanning
  • Adds ensure_security_audit_policy() function that checks if SecurityAudit is already attached (idempotent) and attaches it if missing, with graceful skip when no role name is provided
  • Adds scoped IAM permissions (iam:ListAttachedRolePolicies, iam:AttachRolePolicy restricted to SecurityAudit ARN) to the Lambda execution role in all three agentless templates
  • For delegate role templates, the DatadogIntegrationRoleName parameter is optional — when empty, the IAM policy resource is not created and the Lambda skips attachment

Templates modified

  • datadog_agentless_scanning.yaml — IAM policy + custom resource properties
  • datadog_agentless_delegate_role.yaml — parameter + condition + IAM policy + custom resource properties + metadata
  • datadog_agentless_delegate_role_stackset.yaml — same as delegate role

Test plan

  • Unit tests pass (5 new tests for ensure_security_audit_policy: already-attached, not-attached, empty role name, error propagation, GovCloud partition)
  • cfn-lint on all three modified YAML templates
  • Deploy datadog_agentless_scanning.yaml and verify SecurityAudit is attached to integration role
  • Deploy delegate role template with empty DatadogIntegrationRoleName — verify graceful skip
  • Deploy delegate role template with populated DatadogIntegrationRoleName — verify attachment
  • Re-deploy when SecurityAudit is already attached — verify idempotency (no errors)

🤖 Generated with Claude Code
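The behaviour the summary bullets describe (check whether SecurityAudit is already attached, attach it only if missing, skip when no role name is given, build the policy ARN for the right partition, and let errors propagate) as an added example; this is not the PR's Lambda code. It takes the IAM client as a parameter so it runs offline against the constructed FakeIam stand-in below; in a real Lambda that parameter would be boto3.client("iam"). The region-to-partition mapping and the walk over paginated ListAttachedRolePolicies results are assumptions made here, not details taken from the PR.

```python
"""Idempotent SecurityAudit attachment (added example, not the PR's own code)."""

SECURITY_AUDIT_POLICY_NAME = "SecurityAudit"


def partition_for_region(region: str) -> str:
    """Map a region name to its AWS partition (assumption: the three public partitions)."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def security_audit_policy_arn(region: str) -> str:
    """ARN of the AWS managed SecurityAudit policy in the caller's partition."""
    return f"arn:{partition_for_region(region)}:iam::aws:policy/{SECURITY_AUDIT_POLICY_NAME}"


def ensure_security_audit_policy(iam, role_name: str, region: str) -> str:
    """Attach SecurityAudit to role_name unless it is already attached.

    Returns "skipped" (no role name), "already-attached", or "attached".
    Exceptions raised by the IAM client propagate unchanged so a custom
    resource handler reports FAILED rather than silently succeeding.
    """
    if not role_name:
        return "skipped"
    policy_arn = security_audit_policy_arn(region)
    # ListAttachedRolePolicies is paginated: read every page before deciding
    # the policy is missing, otherwise a role with many policies could be
    # mis-detected and AttachRolePolicy called needlessly.
    marker = None
    while True:
        kwargs = {"RoleName": role_name}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_attached_role_policies(**kwargs)
        if any(p["PolicyArn"] == policy_arn for p in page.get("AttachedPolicies", [])):
            return "already-attached"
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return "attached"


class FakeIam:
    """Constructed in-memory stand-in for the two IAM calls the routine needs.

    Mimics boto3's response shape (AttachedPolicies / IsTruncated / Marker)
    and pages one policy at a time so the pagination path is exercised.
    """

    def __init__(self, roles, page_size=1):
        self.roles = {name: list(arns) for name, arns in roles.items()}
        self.page_size = page_size
        self.attach_calls = []  # record of (RoleName, PolicyArn) attach requests

    def list_attached_role_policies(self, RoleName, Marker=None):
        if RoleName not in self.roles:
            raise KeyError(f"NoSuchEntity: role {RoleName} does not exist")
        start = int(Marker) if Marker else 0
        arns = self.roles[RoleName]
        chunk = arns[start:start + self.page_size]
        response = {"AttachedPolicies": [{"PolicyArn": a} for a in chunk]}
        if start + self.page_size < len(arns):
            response["IsTruncated"] = True
            response["Marker"] = str(start + self.page_size)
        return response

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attach_calls.append((RoleName, PolicyArn))
        self.roles[RoleName].append(PolicyArn)


if __name__ == "__main__":
    # Constructed sample: a role that already has SecurityAudit on its second page.
    iam = FakeIam({"DatadogIntegrationRole": [
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:iam::aws:policy/SecurityAudit",
    ]})
    print(ensure_security_audit_policy(iam, "DatadogIntegrationRole", "us-east-1"))
    print(ensure_security_audit_policy(iam, "", "us-east-1"))
```

Running the module twice against the same role shows the idempotency the test plan calls for: the first call returns "attached" and records one AttachRolePolicy request, the second returns "already-attached" and records none. A commercial-partition SecurityAudit ARN does not satisfy the check on a GovCloud deployment, which is why the partition is derived rather than hard-coded.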

@k3nz0 k3nz0 requested review from a team as code owners February 16, 2026 09:47
@k3nz0 k3nz0 changed the title Add SecurityAudit policy attachment to agentless scanning templates [K9VULN-11615] Add SecurityAudit policy attachment to agentless scanning templates Feb 16, 2026
@k3nz0 k3nz0 force-pushed the moez/add-security-audit-policy-agentless branch from 92d77ab to f103ee6 on February 16, 2026 10:24
k3nz0 and others added 3 commits February 23, 2026 11:42

Enhance the existing agentless API call Lambda to ensure the SecurityAudit
AWS managed policy is attached to the Datadog integration role during stack
creation. This is required for agentless scanning to work, even when CSPM
or Resource Collection are not explicitly enabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

boto3 is available in the Lambda runtime but not in CI. Move the import
inside ensure_security_audit_policy so the module loads without boto3,
and mock it in tests via sys.modules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@k3nz0 k3nz0 force-pushed the moez/add-security-audit-policy-agentless branch from f103ee6 to ad9a386 on February 23, 2026 10:43

@ksirrah13 ksirrah13 left a comment


❓ Question (non-blocking): Is there any kind of clean up needed during delete for this policy and attachment? Thinking that may have unexpected consequences like removing the security audit policy when it was added by another service, but just wanted to clarify the expected behavior on delete and if the lingering policy would be a problem.

@k3nz0 k3nz0 merged commit 217ec31 into master Feb 25, 2026
5 checks passed
@k3nz0 k3nz0 deleted the moez/add-security-audit-policy-agentless branch February 25, 2026 12:29
k3nz0 (Member, Author) commented Feb 25, 2026

> Question (non-blocking): Is there any kind of clean up needed during delete for this policy and attachment? Thinking that may have unexpected consequences like removing the security audit policy when it was added by another service, but just wanted to clarify the expected behavior on delete and if the lingering policy would be a problem.

Not really. I don't think we'll need clean-ups. The Security Audit policy is AWS managed and attached. Our lambda just attaches it to the Datadog Integration role if it's missing.
