The Scan Fleet EC2 instances have access to the following AWS APIs:
- S3 access to read, delete (optional), tag (optional), and list objects and versions (can be restricted to S3 buckets/objects via the S3BucketRestriction configuration parameter and S3ObjectRestriction configuration parameter).
- KMS access to decrypt S3 objects (can be restricted to KMS keys via the KMSKeyRestriction configuration parameter).
- SQS access to poll internal Scan Queue.
- SNS access to publish to internal Findings Topic.
- CloudWatch access to publish custom metrics under
- CloudWatch access to publish logs to the internal log group.
- Optional Systems Manager Session Manager access.
You can add additional permissions via the ManagedPolicyArns configuration parameter.