IAM
Overview
The following IAM roles and policies are deployed:
| ID | Engines | Fulfillment Options | Purpose |
|---|---|---|---|
| ScanIAMRole | all | all | Allow Scan Fleet EC2 instances to scan S3 objects. See ScanIAMRole. |
| FlowLogRole | all | dedicated-public-vpc, dedicated-private-vpc | Required for VPC Flow Logs. |
| DashboardLambdaRole + DashboardLambdaPolicy | all | all | Custom widgets in CloudWatch dashboard (S3 buckets list with possibility to enable real-time bucket scanning as well as bucketAV version check). |
| GovernanceLambdaRole + GovernanceLambdaPolicy | all | all | Governance checks to detect unprotected S3 buckets. Only deployed if the Governance configuration parameter is set to true. |
| SecurityHubIntegrationLambdaRole + SecurityHubIntegrationLambdaPolicy | clamav | all | Creates findings in Security Hub. Only deployed if the SecurityHubIntegration configuration parameter is set to true. |
| OpsCenterIntegrationLambdaRole + OpsCenterIntegrationLambdaPolicy | clamav | all | Creates findings in OpsCenter. Only deployed if the OpsCenterIntegration configuration parameter is set to true. |
ScanIAMRole
The Scan Fleet EC2 instances have access to the following AWS APIs:
- S3 access to read, delete (optional), tag (optional), and list objects and versions (can be restricted to S3 buckets/objects via the S3BucketRestriction configuration parameter and S3ObjectRestriction configuration parameter).
- KMS access to decrypt S3 objects (can be restricted to KMS keys via the KMSKeyRestriction configuration parameter).
- SQS access to poll internal Scan Queue.
- SNS access to publish to internal Findings Topic.
- CloudWatch access to publish custom metrics under
bucketavnamespace. - CloudWatch access to publish logs to the internal log group.
- Optional Systems Manager Session Manager access.
You can add additional permissions via the ManagedPolicyArns configuration parameter.