DataDog · raymondeah · May 19, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
@@ -1,3 +1,7 @@
+# 4.11.0 (May 19, 2026)
+
+- Add an EventBridge pipeline that forwards EC2 and EKS lifecycle CloudTrail events to Datadog, enabling the Datadog Agent management feature to react to resource changes in real time. Customers enable forwarding per resource type when configuring Agent management.
+
 # 4.10.0 (May 13, 2026)
 
 - Add `InstrumentationResourceTypes` parameter to `main_v2.yaml`. When set to a comma-separated list of UDM resource types (e.g. `aws:ec2:instance,aws:ecs:cluster,aws:eks:cluster`), the integration role's permission-attach Lambda calls `GET /api/unstable/instrumenter/aws/iam_permissions?resource_type=...&chunked=true` and attaches the returned IAM permissions as additional managed policies on the integration role, so customers can install the Datadog Agent on those resources without extra IAM setup. Failure to fetch or attach these extra permissions is non-blocking — the integration install proceeds with a warning. Affects `main_v2.yaml`, `datadog_integration_role.yaml`, `attach_integration_permissions.py`

@@ -0,0 +1,143 @@
+# version: <VERSION_PLACEHOLDER>
+AWSTemplateFormatVersion: 2010-09-09
+Description: Datadog AWS Integration - EventBridge forwarding of resource update events
+Parameters:
+  APIKey:
+    Description: >-
+      API key for the Datadog account (find at https://app.datadoghq.com/organization-settings/api-keys).
+    Type: String
+    AllowedPattern: "([0-9a-f]{32})?"
+    NoEcho: true
+  APPKey:
+    Description: >-
+      APP key for the Datadog account (find at https://app.datadoghq.com/organization-settings/application-keys).
+    Type: String
+    AllowedPattern: "(([0-9a-f]{40})|(ddapp_[a-zA-Z0-9]{34}))?"
+    NoEcho: true
+  DatadogSite:
+    Type: String
+    Default: datadoghq.com
+    Description: >-
+      Datadog site events are forwarded to.
+  InstrumentationResourceTypes:
+    Type: String
+    Default: ""
+    Description: >-
+      Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance,
+      aws:eks:cluster) to forward CloudTrail events for. Only rules for the listed
+      types are deployed.
+Conditions:
+  IncludeEC2:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Split [",aws:ec2:instance,", !Sub ",${InstrumentationResourceTypes},"]]
+          - !Sub ",${InstrumentationResourceTypes},"
+  IncludeEKS:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Split [",aws:eks:cluster,", !Sub ",${InstrumentationResourceTypes},"]]
+          - !Sub ",${InstrumentationResourceTypes},"
+Resources:
+  DDIntakeConnection:
+    Type: AWS::Events::Connection
+    Properties:
+      Name: datadog-agent-resource-update-intake-connection
+      Description: Credentials for the Datadog resource update intake
+      AuthorizationType: API_KEY
+      AuthParameters:
+        ApiKeyAuthParameters:
+          ApiKeyName: DD-API-KEY
+          ApiKeyValue: !Ref APIKey
+        InvocationHttpParameters:
+          HeaderParameters:
+            - Key: DD-APPLICATION-KEY
+              Value: !Ref APPKey
+              IsValueSecret: true
+  DDIntakeApiDestination:
+    Type: AWS::Events::ApiDestination
+    Properties:
+      Name: datadog-agent-resource-update-intake-destination
+      ConnectionArn: !GetAtt DDIntakeConnection.Arn
+      InvocationEndpoint: !Sub "https://api.${DatadogSite}/api/unstable/instrumenter/events"
+      HttpMethod: POST
+      InvocationRateLimitPerSecond: 10
+  DDEventBridgeInvocationRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: datadog-agent-resource-update-eventbridge-invocation-role
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+      Policies:
+        - PolicyName: datadog-eventbridge-invoke
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action: events:InvokeApiDestination
+                Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/*"
+  DDEventForwardingRuleEC2:
+    Type: AWS::Events::Rule
+    Condition: IncludeEC2
+    Properties:
+      Name: datadog-agent-resource-update-rule-ec2
+      Description: Forward EC2 CloudTrail events to the Datadog resource update intake
+      State: ENABLED
+      EventPattern:
+        source:
+          - aws.ec2
+        detail-type:
+          - "AWS API Call via CloudTrail"
+        detail:
+          errorCode:
+            - exists: false
+          $or:
+            - eventName:
+                - RunInstances
+            - eventName:
+                - CreateTags
+                - DeleteTags
+              requestParameters:
+                resourcesSet:
+                  items:
+                    resourceId:
+                      - prefix: "i-"
+      Targets:
+        - Id: datadog-intake
+          Arn: !GetAtt DDIntakeApiDestination.Arn
+          RoleArn: !GetAtt DDEventBridgeInvocationRole.Arn
+  DDEventForwardingRuleEKS:
+    Type: AWS::Events::Rule
+    Condition: IncludeEKS
+    Properties:
+      Name: datadog-agent-resource-update-rule-eks
+      Description: Forward EKS CloudTrail events to the Datadog resource update intake
+      State: ENABLED
+      EventPattern:
+        source:
+          - aws.eks
+        detail-type:
+          - "AWS API Call via CloudTrail"
+        detail:
+          errorCode:
+            - exists: false
+          $or:
+            - eventName:
+                - CreateCluster
+            - eventName:
+                - TagResource
+                - UntagResource
+              requestParameters:
+                resourceArn:
+                  - wildcard: "*:cluster/*"
+      Targets:
+        - Id: datadog-intake
+          Arn: !GetAtt DDIntakeApiDestination.Arn
+          RoleArn: !GetAtt DDEventBridgeInvocationRole.Arn
@@ -116,6 +116,13 @@ Parameters:
       For cross-account Agentless Scanning: the ARNs of Agentless Scanner roles authorized to scan this account.
     AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"
     Default: ""
+  InstrumentationResourceTypes:
+    Type: CommaDelimitedList
+    Description: >-
+      Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+      that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+      Agent. Leave blank to skip granting any extra instrumentation permissions.
+    Default: ""
 Rules:
   CSPMResourceCollectionValidState:
     Assertions:
@@ -189,6 +196,11 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
+  ShouldForwardEvents:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Ref InstrumentationResourceTypes]
+          - ""
   EnableAgentlessScanning:
     Fn::And:
       - Fn::Not:
@@ -269,6 +281,8 @@ Resources:
         ExternalId: !GetAtt DatadogAPICall.Outputs.ExternalId
         IAMRoleName: !Ref IAMRoleName
         ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+        DatadogSite: !Ref DatadogSite
         DdAWSAccountId: !If
           - IsGov
           - !If
@@ -286,6 +300,19 @@ Resources:
       Parameters:
         DdApiKey: !Ref APIKey
         DdSite: !Ref DatadogSite
+  # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+  # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+  # single-region (covers the region this stack is deployed in).
+  DatadogAgentResourceUpdateForwardingStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: ShouldForwardEvents
+    Properties:
+      TemplateURL: "https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agent_resource_update_forwarding.yaml"
+      Parameters:
+        APIKey: !Ref APIKey
+        APPKey: !Ref APPKey
+        DatadogSite: !Ref DatadogSite
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
 Outputs:
   IAMRoleName:
     Description: AWS IAM Role named to be used with the DataDog AWS Integration
@@ -327,6 +354,7 @@ Metadata:
         - ScannerDelegateRoleName
         - ScannerInstanceRoleARN
         - DisableMetricCollection
+        - InstrumentationResourceTypes
     ParameterLabels:
       APIKey:
         default: "DatadogApiKey *"

@@ -126,6 +126,13 @@ Parameters:
       For cross-account Agentless Scanning: the ARNs of Agentless Scanner roles authorized to scan this account.
     AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"
     Default: ""
+  InstrumentationResourceTypes:
+    Type: CommaDelimitedList
+    Description: >-
+      Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+      that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+      Agent. Leave blank to skip granting any extra instrumentation permissions.
+    Default: ""
   WorkflowId:
     Description: >-
       Unique identifier for this workflow instance. This is generated by the Datadog UI and used to track
@@ -212,6 +219,11 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
+  ShouldForwardEvents:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Ref InstrumentationResourceTypes]
+          - ""
   EnableAgentlessScanning:
     Fn::And:
       - Fn::Not:
@@ -474,6 +486,8 @@ Resources:
         ExternalId: !Ref ExternalId
         IAMRoleName: !Ref IAMRoleName
         ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+        DatadogSite: !Ref DatadogSite
         DdAWSAccountId: !If
           - IsGov
           - !If
@@ -547,6 +561,20 @@ Resources:
         stack_id: !Ref AWS::StackId
         forwarder_arn: !GetAtt ForwarderStack.Outputs.DatadogForwarderArn
 
+  # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+  # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+  # single-region (covers the region this stack is deployed in).
+  DatadogAgentResourceUpdateForwardingStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: ShouldForwardEvents
+    Properties:
+      TemplateURL: "https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agent_resource_update_forwarding.yaml"
+      Parameters:
+        APIKey: !Ref APIKey
+        APPKey: !Ref APPKey
+        DatadogSite: !Ref DatadogSite
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+
   # Step 6: Notify starting agentless scanning setup (if enabling)
   NotifyAgentlessScanningStarted:
     Type: Custom::WorkflowStatus
@@ -756,6 +784,7 @@ Metadata:
         - ScannerDelegateRoleName
         - ScannerInstanceRoleARN
         - DisableMetricCollection
+        - InstrumentationResourceTypes
     ParameterLabels:
       APIKey:
         default: "DatadogApiKey *"

@@ -130,6 +130,11 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
+  ShouldForwardEvents:
+    Fn::Not:
+      - Fn::Equals:
+          - !Join ["", !Ref InstrumentationResourceTypes]
+          - ""
   IsGov:
     Fn::Or:
       - Fn::Equals:
@@ -184,6 +189,19 @@ Resources:
       Parameters:
         DdApiKey: !Ref APIKey
         DdSite: !Ref DatadogSite
+  # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+  # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+  # single-region (covers the region this stack is deployed in).
+  DatadogAgentResourceUpdateForwardingStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: ShouldForwardEvents
+    Properties:
+      TemplateURL: "https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agent_resource_update_forwarding.yaml"
+      Parameters:
+        APIKey: !Ref APIKey
+        APPKey: !Ref APPKey
+        DatadogSite: !Ref DatadogSite
+        InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
 Outputs:
   IAMRoleName:
     Description: AWS IAM Role named to be used with the DataDog AWS Integration

@@ -1 +1 @@
-v4.10.0
+v4.11.0