The following IAM roles and policies are deployed:

IDEnginesFulfillment OptionsPurpose
ScanIAMRoleallallAllow Scan Fleet EC2 instances to scan S3 objects. See ScanIAMRole.
FlowLogRolealldedicated-public-vpc, dedicated-private-vpcRequired for VPC Flow Logs.
DashboardLambdaRole + DashboardLambdaPolicyallallCustom widgets in CloudWatch dashboard (S3 buckets list with possibility to enable real-time bucket scanning as well as bucketAV version check).
GovernanceLambdaRole + GovernanceLambdaPolicyallallGovernance checks to detect unprotected S3 buckets. Only deployed if the Governance configuration parameter is set to true.
SecurityHubIntegrationLambdaRole + SecurityHubIntegrationLambdaPolicyclamavallCreates findings in Security Hub. Only deployed if the SecurityHubIntegration configuration parameter is set to true.
OpsCenterIntegrationLambdaRole + OpsCenterIntegrationLambdaPolicyclamavallCreates findings in OpsCenter. Only deployed if the OpsCenterIntegration configuration parameter is set to true.


The Scan Fleet EC2 instances have access to the following AWS APIs:

  • S3 access to read, delete (optional), tag (optional), and list objects and versions (can be restricted to S3 buckets/objects via the S3BucketRestriction configuration parameter and S3ObjectRestriction configuration parameter).
  • KMS access to decrypt S3 objects (can be restricted to KMS keys via the KMSKeyRestriction configuration parameter).
  • SQS access to poll internal Scan Queue.
  • SNS access to publish to internal Findings Topic.
  • CloudWatch access to publish custom metrics under bucketav namespace.
  • CloudWatch access to publish logs to the internal log group.
  • Optional Systems Manager Session Manager access.

You can add additional permissions via the ManagedPolicyArns configuration parameter.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email