Agentless Workload Scanning for AWS - IAM Permissions Required for Deployment

Overview

You can use the following AWS Identity and Access Management (IAM) permissions to create custom IAM policies for the purposes of an Agentless Workload Scanning deployment.

Using only the permissions provided here grants least-privilege access for the Agentless Workload Scanning deployment.

High-Level Deployment Requirements

Single Account Requirements

  • Create ECS clusters, and create a VPC, subnets, and an Internet Gateway for the ECS cluster.
  • IAM to create an ECS task execution role, task role, and an EventBridge role for starting ECS tasks.
  • IAM to create a cross-account role that has permissions to read from a newly created S3 bucket and start ECS tasks.
  • Create CloudWatch Log Groups and Streams.
  • Create a new S3 bucket.
  • Create a new secret in AWS Secrets Manager.

Organization Requirements

The access requirements for the scanning account are the same as the requirements for the Single Account integration. See Single Account Requirements.

The access requirements for the top-level AWS account are:

  • Access to the Organization APIs.
  • IAM to create a role to provide the scanning account the ability to list accounts in the organization.
  • Create an IAM role on each of the accounts mentioned above. This role will have access to create snapshots and optionally decrypt the content.

How to Use

After you have created the custom policy (or policies), you can then attach them to the identity that will be used for the integration.

Ensure that you are configured to use the relevant identity in your command line interface prior to running Terraform.

Single Account Integration

Use the following link to download these permissions in JSON format and create a custom IAM policy:

The tables below list all the required permissions.

Scope         IAM Permission
ACCOUNT_ID    ec2:AssociateRouteTable
ACCOUNT_ID    ec2:AttachInternetGateway
ACCOUNT_ID    ec2:AuthorizeSecurityGroupEgress
ACCOUNT_ID    ec2:CreateInternetGateway
ACCOUNT_ID    ec2:CreateRoute
ACCOUNT_ID    ec2:CreateRouteTable
ACCOUNT_ID    ec2:CreateSecurityGroup
ACCOUNT_ID    ec2:CreateSubnet
ACCOUNT_ID    ec2:CreateTags
ACCOUNT_ID    ec2:CreateVpc
ACCOUNT_ID    ec2:DeleteInternetGateway
ACCOUNT_ID    ec2:DeleteRoute
ACCOUNT_ID    ec2:DeleteRouteTable
ACCOUNT_ID    ec2:DeleteSecurityGroup
ACCOUNT_ID    ec2:DeleteSubnet
ACCOUNT_ID    ec2:DeleteVpc
ACCOUNT_ID    ec2:DescribeInternetGateways
ACCOUNT_ID    ec2:DescribeNetworkAcls
ACCOUNT_ID    ec2:DescribeNetworkInterfaces
ACCOUNT_ID    ec2:DescribeRouteTables
ACCOUNT_ID    ec2:DescribeSecurityGroupRules
ACCOUNT_ID    ec2:DescribeSecurityGroups
ACCOUNT_ID    ec2:DescribeSubnets
ACCOUNT_ID    ec2:DescribeVpcAttribute
ACCOUNT_ID    ec2:DescribeVpcClassicLink
ACCOUNT_ID    ec2:DescribeVpcClassicLinkDnsSupport
ACCOUNT_ID    ec2:DescribeVpcs
ACCOUNT_ID    ec2:DetachInternetGateway
ACCOUNT_ID    ec2:DisassociateRouteTable
ACCOUNT_ID    ec2:ModifyVpcAttribute
ACCOUNT_ID    ec2:RevokeSecurityGroupEgress
ACCOUNT_ID    ec2:RevokeSecurityGroupIngress

Organization Integration

Use the following links to download these permissions in JSON format and create custom IAM policies:

The tables below list all the required permissions.

Scope                  IAM Permission
SCANNING_ACCOUNT_ID    ec2:AssociateRouteTable
SCANNING_ACCOUNT_ID    ec2:AttachInternetGateway
SCANNING_ACCOUNT_ID    ec2:AuthorizeSecurityGroupEgress
SCANNING_ACCOUNT_ID    ec2:CreateInternetGateway
SCANNING_ACCOUNT_ID    ec2:CreateRoute
SCANNING_ACCOUNT_ID    ec2:CreateRouteTable
SCANNING_ACCOUNT_ID    ec2:CreateSecurityGroup
SCANNING_ACCOUNT_ID    ec2:CreateSubnet
SCANNING_ACCOUNT_ID    ec2:CreateTags
SCANNING_ACCOUNT_ID    ec2:CreateVpc
SCANNING_ACCOUNT_ID    ec2:DeleteInternetGateway
SCANNING_ACCOUNT_ID    ec2:DeleteRoute
SCANNING_ACCOUNT_ID    ec2:DeleteRouteTable
SCANNING_ACCOUNT_ID    ec2:DeleteSecurityGroup
SCANNING_ACCOUNT_ID    ec2:DeleteSubnet
SCANNING_ACCOUNT_ID    ec2:DeleteVpc
SCANNING_ACCOUNT_ID    ec2:DescribeInternetGateways
SCANNING_ACCOUNT_ID    ec2:DescribeNetworkAcls
SCANNING_ACCOUNT_ID    ec2:DescribeNetworkInterfaces
SCANNING_ACCOUNT_ID    ec2:DescribeRouteTables
SCANNING_ACCOUNT_ID    ec2:DescribeSecurityGroupRules
SCANNING_ACCOUNT_ID    ec2:DescribeSecurityGroups
SCANNING_ACCOUNT_ID    ec2:DescribeSubnets
SCANNING_ACCOUNT_ID    ec2:DescribeVpcAttribute
SCANNING_ACCOUNT_ID    ec2:DescribeVpcClassicLink
SCANNING_ACCOUNT_ID    ec2:DescribeVpcClassicLinkDnsSupport
SCANNING_ACCOUNT_ID    ec2:DescribeVpcs
SCANNING_ACCOUNT_ID    ec2:DetachInternetGateway
SCANNING_ACCOUNT_ID    ec2:DisassociateRouteTable
SCANNING_ACCOUNT_ID    ec2:ModifyVpcAttribute
SCANNING_ACCOUNT_ID    ec2:RevokeSecurityGroupEgress
SCANNING_ACCOUNT_ID    ec2:RevokeSecurityGroupIngress
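The following Python is an added example, not the product's own policy file or the JSON download referred to above. It turns the EC2 rows of the Single Account and Organization tables into a custom policy document for one account (the ACCOUNT_ID or SCANNING_ACCOUNT_ID placeholder passed as `account_id`) and lints a policy against that list. It assumes, as AWS documents, that EC2 Describe* actions do not support resource-level permissions and therefore must use Resource "*", while the mutating actions are pinned to the account's ARN namespace.

```python
import json

# Actions transcribed from the Single Account / Organization tables above.
EC2_ACTIONS = [
    "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:CreateInternetGateway", "ec2:CreateRoute", "ec2:CreateRouteTable",
    "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc",
    "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable",
    "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteVpc",
    "ec2:DescribeInternetGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink",
    "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcs", "ec2:DetachInternetGateway",
    "ec2:DisassociateRouteTable", "ec2:ModifyVpcAttribute",
    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
]  # 32 actions

def build_policy(account_id: str) -> dict:
    """EC2 part of the custom policy. Describe* actions do not support
    resource-level permissions, so they get Resource "*"; every mutating
    action is pinned to ARNs in the given account (placeholder until filled)."""
    describe = sorted(a for a in EC2_ACTIONS if a.startswith("ec2:Describe"))
    mutate = sorted(a for a in EC2_ACTIONS if not a.startswith("ec2:Describe"))
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Ec2Describe", "Effect": "Allow", "Action": describe, "Resource": "*"},
        {"Sid": "Ec2Manage", "Effect": "Allow", "Action": mutate,
         "Resource": f"arn:aws:ec2:*:{account_id}:*"},
    ]}

def policy_violations(policy: dict, allowed=frozenset(EC2_ACTIONS)) -> list:
    """Least-privilege lint: flag wildcard actions, actions outside the
    required list, and mutating statements left on an unscoped Resource "*"."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            if "*" in a:
                findings.append(f"{sid}: wildcard action {a}")
            elif a not in allowed:
                findings.append(f"{sid}: action {a} is not in the required list")
        if "*" in resources and any(not a.startswith("ec2:Describe") for a in actions):
            findings.append(f'{sid}: mutating actions allowed on Resource "*"')
    return findings

def policy_json(account_id: str) -> str:
    """Serialise for `aws iam create-policy --policy-document file://...`."""
    return json.dumps(build_policy(account_id), indent=2)
```

Run `policy_violations` over any hand-edited policy before attaching it to the integration identity; an empty list means no wildcard actions, no actions outside the tables, and no mutating statement on Resource "*".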

Next Steps

  1. (Optional) Explore the operational permissions used during an Agentless Workload Scanning integration in AWS.
  2. Ensure that you have met all Integration Requirements.
  3. Proceed with the Agentless Workload Scanning integration: