diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 6170240c..bd658364 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 4.8.0 (April 7, 2026)
+
+- Add `InstallAgentOnCloudResources` parameter to enable automated Datadog Agent installation on EKS clusters, EC2 instances, and ECS clusters via EventBridge. When enabled, grants Datadog's backend IAM permissions to create and manage EventBridge rules in each active AWS region using the existing cross-account integration role.
+
 # 4.7.3 (March 23, 2026)
 - Send Lambda log forwarder ARN back in the `stack_complete` workflow status payload so Datadog can register the deployed forwarder with the AWS integration automatically
diff --git a/aws_quickstart/datadog_integration_role.yaml b/aws_quickstart/datadog_integration_role.yaml
index 821aff84..75f1157f 100644
--- a/aws_quickstart/datadog_integration_role.yaml
+++ b/aws_quickstart/datadog_integration_role.yaml
@@ -23,11 +23,21 @@ Parameters:
       Datadog AWS account ID allowed to assume the integration IAM role. DO NOT CHANGE!
     Type: String
     Default: "464622532012"
+  InstallAgentOnCloudResources:
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
 Conditions:
   ShouldInstallSecurityAuditPolicy:
     Fn::Equals:
       - Ref: ResourceCollectionPermissions
       - true
+  AgentOnCloudResources:
+    Fn::Equals:
+      - !Ref InstallAgentOnCloudResources
+      - "true"
 Resources:
   DatadogIntegrationRole:
     Type: "AWS::IAM::Role"
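Review bot: The new `InstallAgentOnCloudResources` parameter in the `Parameters` hunk of datadog_integration_role.yaml has no `Description`, while the neighbouring parameter documents itself ("Datadog AWS account ID allowed to assume the integration IAM role. DO NOT CHANGE!") and the same parameter in main_extended_workflow.yaml carries one; anyone deploying this template directly gets no hint that `true` attaches EventBridge and `iam:PassRole` permissions to the integration role. A `Description: >-` stating that enabling it grants the integration role permission to manage `datadog-*` EventBridge rules, connections and API destinations, and creates an EventBridge invocation role, would close that gap. Minor style point: the new `AgentOnCloudResources` condition compares against the quoted `"true"` whereas the adjacent `ShouldInstallSecurityAuditPolicy` uses bare `true`; both resolve to strings for a `String` parameter, so picking one form keeps the `Conditions` block uniform.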
@@ -61,6 +71,67 @@ Resources:
           [!Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"],
           !Ref AWS::NoValue,
         ]
+  DatadogEventBridgeInvocationRole:
+    Type: AWS::IAM::Role
+    Condition: AgentOnCloudResources
+    Properties:
+      RoleName: datadog-eventbridge-invocation-role
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: InvokeDatadogApiDestination
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: events:InvokeApiDestination
+                Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/datadog-*"
+
+  DatadogAgentInstallEventBridgePolicy:
+    Type: AWS::IAM::Policy
+    Condition: AgentOnCloudResources
+    DependsOn: DatadogEventBridgeInvocationRole
+    Properties:
+      PolicyName: DatadogAgentInstallEventBridgePolicy
+      Roles:
+        - !Ref DatadogIntegrationRole
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - events:PutRule
+              - events:PutTargets
+              - events:DeleteRule
+              - events:RemoveTargets
+              - events:DescribeRule
+              - events:ListTargetsByRule
+              - events:CreateConnection
+              - events:UpdateConnection
+              - events:DeleteConnection
+              - events:DescribeConnection
+              - events:CreateApiDestination
+              - events:UpdateApiDestination
+              - events:DeleteApiDestination
+              - events:DescribeApiDestination
+            Resource:
+              - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/datadog-*"
+              - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:connection/datadog-*"
+              - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/datadog-*"
+          - Effect: Allow
+            Action:
+              - iam:PassRole
+            Resource:
+              - !GetAtt DatadogEventBridgeInvocationRole.Arn
+            Condition:
+              StringEquals:
+                iam:PassedToService: events.amazonaws.com
+
   DatadogAttachIntegrationPermissionsLambdaExecutionRole:
     Type: AWS::IAM::Role
     Properties:
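Review bot: The trust policy of `DatadogEventBridgeInvocationRole` lets `events.amazonaws.com` assume the role with no source restriction, so it lacks the confused-deputy guard AWS recommends for service principals; every rule this stack authorizes lives in this account, so adding `Condition:` / `StringEquals:` / `aws:SourceAccount: !Ref AWS::AccountId` to the `sts:AssumeRole` statement (optionally an `ArnLike` on `aws:SourceArn` for the `rule/datadog-*` pattern) narrows it without affecting the intended use. The fixed `RoleName: datadog-eventbridge-invocation-role` would also make a second deployment of this template in the same account fail on a name collision and requires `CAPABILITY_NAMED_IAM`; omitting `RoleName`, or deriving it with `!Sub` from `AWS::StackName`, avoids both. The remainder of the hunk is tightly scoped: the `events:*` actions are limited to `datadog-*` rule, connection and API-destination ARNs, and `iam:PassRole` is restricted both by resource and by `iam:PassedToService`. Note that `DatadogIntegrationRole` begins before this hunk and `DatadogAttachIntegrationPermissionsLambdaExecutionRole` continues after it.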
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml
index 1778dec0..8cc159b8 100644
--- a/aws_quickstart/main_extended_workflow.yaml
+++ b/aws_quickstart/main_extended_workflow.yaml
@@ -62,6 +62,16 @@ Parameters:
       or send logs using AWS PrivateLink should select "no" and install this independently (https://docs.datadoghq.com/serverless/libraries_integrations/forwarder/#installation).
     Default: true
+  InstallAgentOnCloudResources:
+    Type: String
+    AllowedValues:
+      - true
+      - false
+    Description: >-
+      Automatically install and manage the Datadog Agent on EKS clusters, EC2 instances, and ECS clusters. Datadog will monitor CloudTrail events and install the Agent on resources matching rules configured in Datadog.
+    Default: false
   DisableMetricCollection:
     Type: String
     AllowedValues:
@@ -460,6 +470,7 @@ Resources:
           - !FindInMap [DdAccountIdBySite, "ddog-gov.com", AccountIdGovCloud]
           - !FindInMap [DdAccountIdBySite, "ddog-gov.com", AccountId]
           - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
+        InstallAgentOnCloudResources: !Ref InstallAgentOnCloudResources
   # Step 3: Notify IAM role creation finished
   NotifyIAMRoleCreationFinished:
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index ece1b3d5..ba50f2da 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.7.4
+v4.8.0
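Review bot: The `Description` added for `InstallAgentOnCloudResources` in the first main_extended_workflow.yaml hunk explains what Datadog does with the option but not what the stack itself changes when it is set to `true`, which is the part an approver of this template needs to weigh. A closing sentence such as `Enabling this grants the integration role permission to manage datadog-* EventBridge rules, connections and API destinations, and creates an EventBridge invocation role.` makes the permission cost visible at the parameter prompt rather than only in the CHANGELOG. The second hunk only forwards the value into the nested stack's `Parameters`; that resource definition begins outside the hunk.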