Agentless Workload Scanning for AWS - IAM Permissions Used during Operation
Overview
This article contains the permissions used during an Agentless Workload Scanning operation in AWS.
Understand the operational roles, permissions, and trust relationships that ensure a secure scanning process.
note
This article is informational, and does not contain any required actions as part of the Agentless Workload Scanning integration.
Single Account Integration
You can use the following link to view/download all these roles and permissions in JSON format:
The tabs below lists all roles, trust relationships, and permissions.
- Scanning Cross Account Role
- Scanning Task Event Service Role
- Scanning Task Execution Role
- Scanning Task Role
Role Name
role/lacework-agentless-scanning-cross-account-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "lweid:aws:v2::<AWS_ACCOUNT_ID>:<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::434813966438:root"
},
"Sid": ""
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
{
"name": "ECSTaskManagement",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecs:StopTask",
"ecs:RunTask"
],
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:*:*:cluster/lacework-agentless-scanning-cluster-<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ecs:*:*:task/lacework-agentless-scanning-cluster-<UNIQUE_ID>/*",
"arn:aws:ecs:*:*:task-definition/lacework-agentless-scanning-cluster-<UNIQUE_ID>:*"
],
"Sid": "AllowEcsStopTask"
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:role/lacework-agentless-scanning-task-role-<UNIQUE_ID>",
"arn:aws:iam::*:role/lacework-agentless-scanning-task-execution-role-<UNIQUE_ID>"
],
"Sid": "AllowEcsTaskManagementPassRole"
},
{
"Action": "ec2:DescribeSubnets",
"Condition": {
"StringLike": {
"aws:ResourceTag/LWTAG_SIDEKICK": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:subnet/subnet-*",
"Sid": "AllowEcsTaskSubnetLookup"
}
]
}
},
{
"name": "S3WriteAllowPolicy",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutBucketTagging",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>",
"Sid": "ListAndTagBucket"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>/*",
"Sid": "PutGetDeleteObjectsInBucket"
}
]
}
}
]
Role Name
role/service-role/lacework-agentless-scanning-task-event-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
]
Role Name
role/lacework-agentless-scanning-task-execution-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
{
"name": "AllowCloudWatch",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:log-group:/ecs/lacework-agentless-scanning-*",
"Sid": "AllowLoggingToCloudWatch"
}
]
}
}
]
Role Name
role/lacework-agentless-scanning-task-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
{
"name": "lacework-agentless-scanning-task-policy-<UNIQUE_ID>",
"policy": {
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>/*",
"arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>"
],
"Sid": "AllowControlOfBucket"
},
{
"Action": [
"ecs:UntagResource",
"ecs:TagResource",
"ecs:ListTagsForResource"
],
"Condition": {
"StringLike": {
"ecs:ResourceTag/LWTAG_SIDEKICK": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowTagECSCluster"
},
{
"Action": [
"events:ListTargetsByRule",
"events:ListTagsForResource",
"events:ListRules",
"events:ListRuleNamesByTarget",
"events:DescribeRule"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowListRules"
},
{
"Action": [
"events:RemoveTargets",
"events:PutTargets",
"events:EnableRule",
"events:DisableRule"
],
"Effect": "Allow",
"Resource": "arn:aws:events:*:*:rule/lacework-agentless-scanning-periodic-trigger-<UNIQUE_ID>",
"Sid": "AllowUpdateRule"
},
{
"Action": [
"secretsmanager:ListSecretVersionIds",
"secretsmanager:GetSecretValue",
"secretsmanager:GetResourcePolicy"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:<AWS_ACCOUNT_ID>:secret:lacework-agentless-scanning-secret-<UNIQUE_ID>",
"Sid": "AllowReadFromSecretsManager"
},
{
"Action": "ec2:Describe*",
"Effect": "Allow",
"Resource": "*",
"Sid": "DescribeInstances"
},
{
"Action": [
"ec2:CreateTags",
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "CreateSnapshots"
},
{
"Action": [
"ec2:ResetSnapshotAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:DeleteSnapshot",
"ebs:ListSnapshotBlocks",
"ebs:ListChangedBlocks",
"ebs:GetSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/LWTAG_SIDEKICK": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "SnapshotManagement"
},
{
"Action": [
"ecs:StopTask",
"ecs:StartTask",
"ecs:RunTask",
"ecs:ListTasks",
"ecs:Describe*"
],
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:*:*:cluster/lacework-agentless-scanning-cluster-<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "TaskManagement"
},
{
"Action": [
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:DescribeKey",
"kms:Decrypt",
"kms:CreateGrant"
],
"Condition": {
"StringLike": {
"kms:ViaService": "ec2.*.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "SnapshotEncryption"
},
{
"Action": [
"sts:AssumeRole",
"iam:PassRole"
],
"Condition": {
"StringLike": {
"iam:ResourceTag/LWTAG_SIDEKICK": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "PassRoleToTasks"
},
{
"Action": "sts:DecodeAuthorizationMessage",
"Effect": "Allow",
"Resource": "*",
"Sid": "DecodeErrorMessages"
},
{
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:log-group:/ecs/lacework-agentless-scanning-*",
"Sid": "ReadLogs"
}
],
"Version": "2012-10-17"
}
}
]
Organization Integration
You can use the following link to view/download all these roles and permissions in JSON format:
The sections below lists all roles, trust relationships, and permissions for each type of account used.
Scanning Account
- Scanning Cross Account Role
- Scanning Task Event Role
- Scanning Task Execution Role
- Scanning Task Role
Role Name
lacework-agentless-scanning-cross-account-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "lweid:aws:v2::<AWS_ACCOUNT_ID>:<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::434813966438:root"
},
"Sid": ""
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
{
"name": "ECSTaskManagement",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecs:StopTask",
"ecs:RunTask"
],
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:::cluster/lacework-agentless-scanning-cluster-<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ecs:::task/lacework-agentless-scanning-cluster-<UNIQUE_ID>/",
"arn:aws:ecs:::task-definition/lacework-agentless-scanning-cluster-<UNIQUE_ID>:"
],
"Sid": "AllowEcsStopTask"
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
"arn:aws:iam:::role/lacework-agentless-scanning-task-role-<UNIQUE_ID>",
"arn:aws:iam:::role/lacework-agentless-scanning-task-execution-role-<UNIQUE_ID>"
],
"Sid": "AllowEcsTaskManagementPassRole"
},
{
"Action": "ec2:DescribeSubnets",
"Condition": {
"StringLike": {
"aws:ResourceTag/LWTAG_SIDEKICK": ""
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:::subnet/subnet-",
"Sid": "AllowEcsTaskSubnetLookup"
}
]
}
},
{
"name": "S3WriteAllowPolicy",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutBucketTagging",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>",
"Sid": "ListAndTagBucket"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>/*",
"Sid": "PutGetDeleteObjectsInBucket"
}
]
}
}
]
Role Name
lacework-agentless-scanning-task-event-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
]
Role Name
lacework-agentless-scanning-task-execution-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
{
"name": "AllowCloudWatch",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:::log-group:/ecs/lacework-agentless-scanning-*",
"Sid": "AllowLoggingToCloudWatch"
}
]
}
}
]
Role Name
lacework-agentless-scanning-task-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
{
"name": "lacework-agentless-scanning-task-policy-<UNIQUE_ID>",
"policy": {
"Statement": [
{
"Action": "s3:",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>/",
"arn:aws:s3:::lacework-agentless-scanning-bucket-<UNIQUE_ID>"
],
"Sid": "AllowControlOfBucket"
},
{
"Action": [
"ecs:UntagResource",
"ecs:TagResource",
"ecs:ListTagsForResource"
],
"Condition": {
"StringLike": {
"ecs:ResourceTag/LWTAG_SIDEKICK": ""
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "AllowTagECSCluster"
},
{
"Action": [
"events:ListTargetsByRule",
"events:ListTagsForResource",
"events:ListRules",
"events:ListRuleNamesByTarget",
"events:DescribeRule"
],
"Effect": "Allow",
"Resource": "",
"Sid": "AllowListRules"
},
{
"Action": [
"events:RemoveTargets",
"events:PutTargets",
"events:EnableRule",
"events:DisableRule"
],
"Effect": "Allow",
"Resource": "arn:aws:events:::rule/lacework-agentless-scanning-periodic-trigger-<UNIQUE_ID>",
"Sid": "AllowUpdateRule"
},
{
"Action": [
"secretsmanager:ListSecretVersionIds",
"secretsmanager:GetSecretValue",
"secretsmanager:GetResourcePolicy"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:<AWS_AWLS_SCANNING_ACCOUNT_ID>:secret:lacework-agentless-scanning-secret-<UNIQUE_ID>",
"Sid": "AllowReadFromSecretsManager"
},
{
"Action": "ec2:Describe",
"Effect": "Allow",
"Resource": "",
"Sid": "DescribeInstances"
},
{
"Action": [
"ec2:CreateTags",
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "",
"Sid": "CreateSnapshots"
},
{
"Action": [
"ec2:ResetSnapshotAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:DeleteSnapshot",
"ebs:ListSnapshotBlocks",
"ebs:ListChangedBlocks",
"ebs:GetSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/LWTAG_SIDEKICK": ""
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "SnapshotManagement"
},
{
"Action": [
"ecs:StopTask",
"ecs:StartTask",
"ecs:RunTask",
"ecs:ListTasks",
"ecs:Describe*"
],
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:::cluster/lacework-agentless-scanning-cluster-<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "TaskManagement"
},
{
"Action": [
"kms:ReEncrypt",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:DescribeKey",
"kms:Decrypt",
"kms:CreateGrant"
],
"Condition": {
"StringLike": {
"kms:ViaService": "ec2..amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "SnapshotEncryption"
},
{
"Action": [
"sts:AssumeRole",
"iam:PassRole"
],
"Condition": {
"StringLike": {
"iam:ResourceTag/LWTAG_SIDEKICK": ""
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "PassRoleToTasks"
},
{
"Action": "sts:DecodeAuthorizationMessage",
"Effect": "Allow",
"Resource": "",
"Sid": "DecodeErrorMessages"
},
{
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:::log-group:/ecs/lacework-agentless-scanning-",
"Sid": "ReadLogs"
}
],
"Version": "2012-10-17"
}
}
]
Monitored Account(s)
- Scanning Snapshot Role
Role Name
lacework-agentless-scanning-snapshot-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "lweid:aws:v2::<AWS_ACCOUNT_ID>:<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS_AWLS_SCANNING_ACCOUNT_ID>:role/lacework-agentless-scanning-task-role-<UNIQUE_ID>"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
{
"name": "LaceworkAgentlessWorkloadSnapshots",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "",
"Sid": "DescribeInstances"
},
{
"Action": [
"ec2:CreateTags",
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "",
"Sid": "CreateSnapshots"
},
{
"Action": [
"ec2:DeleteSnapshot",
"ec2:ModifySnapshotAttribute",
"ec2:ResetSnapshotAttribute",
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/LWTAG_SIDEKICK": ""
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "SnapshotManagement"
},
{
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant"
],
"Condition": {
"StringLike": {
"kms:ViaService": "ec2..amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "SnapshotEncryption"
},
{
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "OrgPermissions"
}
]
}
}
]
Management Account
- Scanning Snapshot Role
Role Name
lacework-agentless-scanning-snapshot-role-<UNIQUE_ID>
Trust Relationship
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "lweid:aws:v2::<AWS_ACCOUNT_ID>:<UNIQUE_ID>"
}
},
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS_AWLS_SCANNING_ACCOUNT_ID>:role/lacework-agentless-scanning-task-role-<UNIQUE_ID>"
}
}
],
"Version": "2012-10-17"
}
IAM Permissions
[
{
"name": "LaceworkAgentlessWorkloadSnapshots",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "",
"Sid": "DescribeInstances"
},
{
"Action": [
"ec2:CreateTags",
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "",
"Sid": "CreateSnapshots"
},
{
"Action": [
"ec2:DeleteSnapshot",
"ec2:ModifySnapshotAttribute",
"ec2:ResetSnapshotAttribute",
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/LWTAG_SIDEKICK": ""
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "SnapshotManagement"
},
{
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant"
],
"Condition": {
"StringLike": {
"kms:ViaService": "ec2..amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "",
"Sid": "SnapshotEncryption"
},
{
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "OrgPermissions"
}
]
}
}
]
Next Steps
- Ensure that you have met all Integration Requirements.
- Proceed with the Agentless Workload Scanning integration: