IAM Overview (# ) The following IAM users, access keys, roles and policies are deployed:
Amazon S3 (ClamAV)

| ID | Fulfillment Options | Purpose |
| --- | --- | --- |
| ScanIAMRole | all | Allow Scan Fleet EC2 instances to scan objects. See ScanIAMRole. |
| FlowLogRole | dedicated-public-vpc, dedicated-private-vpc | Required for VPC Flow Logs. |
| DashboardLambdaRole + DashboardLambdaPolicy | all | Custom widgets in the CloudWatch dashboard (S3 bucket list with the option to enable real-time bucket scanning, and the bucketAV version check). |
| GovernanceLambdaRole + GovernanceLambdaPolicy | all | Governance checks to detect unprotected S3 buckets. Only deployed if the Governance configuration parameter is set to true. |

Amazon S3 (Sophos)

| ID | Fulfillment Options | Purpose |
| --- | --- | --- |
| ScanIAMRole | all | Allow Scan Fleet EC2 instances to scan objects. See ScanIAMRole. |
| FlowLogRole | dedicated-public-vpc, dedicated-private-vpc | Required for VPC Flow Logs. |
| DashboardLambdaRole + DashboardLambdaPolicy | all | Custom widgets in the CloudWatch dashboard (S3 bucket list with the option to enable real-time bucket scanning, and the bucketAV version check). |
| GovernanceLambdaRole + GovernanceLambdaPolicy | all | Governance checks to detect unprotected S3 buckets. Only deployed if the Governance configuration parameter is set to true. |
| SecurityHubIntegrationLambdaRole + SecurityHubIntegrationLambdaPolicy | all | Creates findings in Security Hub. Only deployed if the SecurityHubIntegration configuration parameter is set to true. |
| OpsCenterIntegrationLambdaRole + OpsCenterIntegrationLambdaPolicy | all | Creates findings in OpsCenter. Only deployed if the OpsCenterIntegration configuration parameter is set to true. |

Cloudflare R2 (ClamAV and Sophos; the IAM resources are identical for both)

| ID | Fulfillment Options | Purpose |
| --- | --- | --- |
| ScanIAMRole | all | Allow Scan Fleet EC2 instances to scan objects. See ScanIAMRole. |
| FlowLogRole | dedicated-public-vpc, dedicated-private-vpc | Required for VPC Flow Logs. |
| DashboardLambdaRole + DashboardLambdaPolicy | all | Custom widgets in the CloudWatch dashboard (bucketAV version check). |
| CloudflareQueueRole + CloudflareQueuePolicy | all | Used by a CloudFormation custom resource to create the Cloudflare Queue. |
| CloudflareUser + CloudflareAccessKey | all | IAM user access key used inside the Cloudflare Worker to publish newly uploaded files to the SQS Scan Queue. |

Note that CloudflareAccessKey is a long-lived IAM user credential that is stored outside AWS (in the Cloudflare Worker), so treat it accordingly: keep its policy limited to publishing to the Scan Queue and rotate it on your usual schedule for static keys.
ScanIAMRole (# ) The Scan Fleet EC2 instances have access to the following AWS APIs:
Amazon S3 (ClamAV)

- S3 access to read, delete (optional), tag (optional), and list objects and versions (can be restricted to S3 buckets/objects via the S3BucketRestriction and S3ObjectRestriction configuration parameters).
- KMS access to decrypt S3 objects (can be restricted to KMS keys via the KMSKeyRestriction configuration parameter).
- SQS access to poll the internal Scan Queue.
- SNS access to publish to the internal Findings Topic.
- CloudWatch access to publish custom metrics under the bucketav namespace.
- CloudWatch access to publish logs to the internal log group.
- EC2 Auto Scaling access to handle lifecycle hooks.
- Marketplace Metering Service access to report usage.
- Systems Manager Session Manager access (only deployed if the SystemsManagerAccess configuration parameter is set to true).

Amazon S3 (Sophos)

- S3 access to read, delete (optional), tag (optional), and list objects and versions (can be restricted to S3 buckets/objects via the S3BucketRestriction and S3ObjectRestriction configuration parameters).
- KMS access to decrypt S3 objects (can be restricted to KMS keys via the KMSKeyRestriction configuration parameter).
- SQS access to poll the internal Scan Queue.
- SNS access to publish to the internal Findings Topic.
- CloudWatch access to publish custom metrics under the bucketav namespace.
- CloudWatch access to publish logs to the internal log group.
- EC2 Auto Scaling access to handle lifecycle hooks.
- Systems Manager Session Manager access (only deployed if the SystemsManagerAccess configuration parameter is set to true).

Cloudflare R2 (ClamAV)

- SQS access to poll the internal Scan Queue.
- SNS access to publish to the internal Findings Topic.
- CloudWatch access to publish custom metrics under the bucketav namespace.
- CloudWatch access to publish logs to the internal log group.
- EC2 Auto Scaling access to handle lifecycle hooks.
- Secrets Manager access to read the Cloudflare secrets.
- Marketplace Metering Service access to report usage.
- Systems Manager Session Manager access (only deployed if the SystemsManagerAccess configuration parameter is set to true).

Cloudflare R2 (Sophos)

- SQS access to poll the internal Scan Queue.
- SNS access to publish to the internal Findings Topic.
- CloudWatch access to publish custom metrics under the bucketav namespace.
- CloudWatch access to publish logs to the internal log group.
- EC2 Auto Scaling access to handle lifecycle hooks.
- Secrets Manager access to read the Cloudflare secrets.
- Systems Manager Session Manager access (only deployed if the SystemsManagerAccess configuration parameter is set to true).

You can add additional permissions via the ManagedPolicyArns configuration parameter.
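The S3 and KMS grants above are the ones worth verifying after a deployment, because S3BucketRestriction, S3ObjectRestriction and KMSKeyRestriction only help if the resulting policy's Resource elements really are narrowed to the buckets and keys you intended. The following is an added example (not bucketAV's own code or policy) of such a check: it walks an IAM policy document and reports every Allow grant of an S3 or KMS action whose Resource is not provably bounded by an approved ARN. The two policy documents, the bucket name, the account ID and the KMS key ID are constructed placeholders, and the "unrestricted" policy only illustrates the shape of an unbounded grant, not what the product actually deploys.

```python
"""Check an IAM policy for S3/KMS grants wider than the buckets and keys
you meant to expose.

Added example, not code from bucketAV. The sample policies at the bottom
are constructed; the ARNs in them are placeholders.
"""
import fnmatch
import json
import re

# Wildcards recognised in IAM Resource elements: '*' (any run) and '?' (one char).
_WILDCARD = re.compile(r"[*?]")


def _as_list(value):
    """IAM allows either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _bounded_by(granted, allowed):
    """True if every ARN matched by `granted` is also matched by `allowed`.

    Conservative on purpose: `allowed` may only carry a single trailing '*'
    (the usual shape of a bucket/prefix or key restriction). Anything the
    function cannot prove is reported as not bounded.
    """
    if not _WILDCARD.search(granted):
        # Concrete ARN: an ordinary glob match against the approved pattern.
        return fnmatch.fnmatchcase(granted, allowed)
    if not allowed.endswith("*") or _WILDCARD.search(allowed[:-1]):
        return False
    # Everything `granted` can match starts with its literal prefix; if that
    # prefix already begins with the approved prefix, the grant is contained.
    literal_prefix = _WILDCARD.split(granted, maxsplit=1)[0]
    return literal_prefix.startswith(allowed[:-1])


def find_overbroad_grants(policy, allowed_bucket_arns, allowed_key_arns):
    """Return (statement_index, message) for each Allow grant of an S3 or KMS
    action that is a service-wide wildcard or not bounded by an approved ARN."""
    findings = []
    approved = {"s3": list(allowed_bucket_arns), "kms": list(allowed_key_arns)}
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource grant cannot be bounded by this check"))
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            service = service.lower()
            if action == "*" or (service in approved and verb == "*"):
                findings.append((idx, f"wildcard action {action!r}"))
                continue
            if service not in approved:
                continue  # sqs/sns/logs/autoscaling grants are out of scope here
            for res in resources:
                if not any(_bounded_by(res, a) for a in approved[service]):
                    findings.append((idx, f"{action} on {res!r} is not bounded by an approved ARN"))
    return findings


# Constructed samples (placeholders, not bucketAV's real policy). 111122223333
# is AWS's documentation example account ID; the key ID is made up.
APPROVED_BUCKETS = ["arn:aws:s3:::uploads-prod", "arn:aws:s3:::uploads-prod/*"]
APPROVED_KEYS = ["arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"]

UNRESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:ReceiveMessage",
         "Resource": "arn:aws:sqs:eu-west-1:111122223333:example-scan-queue"},
    ],
}

RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::uploads-prod/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
         "Resource": "arn:aws:s3:::uploads-prod"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": APPROVED_KEYS[0]},
    ],
}


def audit(policy_json, allowed_bucket_arns=APPROVED_BUCKETS, allowed_key_arns=APPROVED_KEYS):
    """Entry point for a policy document fetched from IAM as a JSON string."""
    return find_overbroad_grants(json.loads(policy_json), allowed_bucket_arns, allowed_key_arns)


if __name__ == "__main__":
    for name, pol in (("unrestricted", UNRESTRICTED_POLICY), ("restricted", RESTRICTED_POLICY)):
        found = find_overbroad_grants(pol, APPROVED_BUCKETS, APPROVED_KEYS)
        print(f"{name}: {len(found)} finding(s)")
        for idx, msg in found:
            print(f"  statement[{idx}]: {msg}")
```

Run it against the policy document attached to your deployed ScanIAMRole (fetched with the IAM API or CLI) and the bucket and key ARNs you passed in the restriction parameters; an empty result means every S3 and KMS grant is contained within what you approved. The check deliberately refuses to reason about NotAction/NotResource and about approved patterns with interior wildcards, since those are the cases where "looks narrow" and "is narrow" diverge most easily.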