The Scan Fleet EC2 instances have access to the following AWS APIs:

  • S3 access to read, delete (optional), tag (optional), and list objects and versions (can be restricted to S3 buckets/objects via the S3BucketRestriction configuration parameter and S3ObjectRestriction configuration parameter).
  • KMS access to decrypt S3 objects (can be restricted to KMS keys via the KMSKeyRestriction configuration parameter).
  • SQS access to poll internal Scan Queue.
  • SNS access to publish to internal Findings Topic.
  • CloudWatch access to publish custom metrics under bucketav namespace.
  • CloudWatch access to publish logs to the internal log group.
  • Optional Systems Manager Session Manager access.

You can add additional permissions via the ManagedPolicyArns configuration parameter.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email