API (self-hosted on AWS): IAM

Overview

The following IAM roles and policies are deployed:

  • ScanIAMRole: Allows the Scan Fleet EC2 instances to fetch and scan objects. See ScanIAMRole below.
  • FlowLogRole: Required by VPC Flow Logs.
  • AutoScalingGroupCalculatorRole: Allows the Lambda function to create a CloudWatch log group and write log messages to it.

ScanIAMRole

The Scan Fleet EC2 instances are granted access to the following AWS APIs:

  • S3 access to list and read objects and object versions (can be restricted to specific buckets and objects via the S3BucketRestriction and S3ObjectRestriction configuration parameters).
  • KMS access to decrypt S3 objects (can be restricted to specific keys via the KMSKeyRestriction configuration parameter).
  • CloudWatch access to publish custom metrics under the attachmentav namespace.
  • CloudWatch Logs access to publish logs to the internal log group.
  • EC2 Auto Scaling access to handle lifecycle hooks.
  • AWS Marketplace Metering Service access to report usage.
  • Systems Manager Session Manager access, only if the SystemsManagerAccess configuration parameter is set to true.

Set the restriction parameters so the role can only reach the buckets, prefixes and keys that actually hold attachments to be scanned; without them, the S3 and KMS grants cover every object and key the instances can reach. You can grant additional permissions by attaching managed policies via the ManagedPolicyArns configuration parameter.
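The following is an added example, not attachmentAV's own policy or code: it builds an IAM policy document shaped like the ScanIAMRole grants listed above, with the three restriction parameters mapped onto resource ARNs, and then audits the result for statements that still allow reading any bucket or using any KMS key. The IAM action names and the cloudwatch:namespace condition key are real, but the exact set of actions attachmentAV grants, the way it maps S3BucketRestriction, S3ObjectRestriction and KMSKeyRestriction onto ARNs, the log group name and the function names build_scan_policy and unrestricted_data_access are assumptions made for illustration.

```python
import json
from typing import Dict, List

# Real IAM action names; which ones attachmentAV actually grants is assumed.
S3_LIST_ACTIONS = ["s3:ListBucket", "s3:ListBucketVersions"]
S3_READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]
SSM_SESSION_ACTIONS = [
    "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
    "ssm:UpdateInstanceInformation",
]


def build_scan_policy(account_id: str, region: str,
                      s3_bucket_restriction: str = "*",
                      s3_object_restriction: str = "*",
                      kms_key_restriction: str = "*",
                      systems_manager_access: bool = False) -> Dict:
    """Return a policy document modelled on ScanIAMRole.

    The *_restriction arguments mirror the S3BucketRestriction,
    S3ObjectRestriction and KMSKeyRestriction parameters; '*' means
    unrestricted. Mapping them onto ARNs like this is an assumption.
    """
    bucket_arn = f"arn:aws:s3:::{s3_bucket_restriction}"
    object_arn = f"{bucket_arn}/{s3_object_restriction}"
    if kms_key_restriction == "*":
        key_arn = "*"
    else:
        key_arn = f"arn:aws:kms:{region}:{account_id}:key/{kms_key_restriction}"

    statements = [
        {"Sid": "S3List", "Effect": "Allow",
         "Action": S3_LIST_ACTIONS, "Resource": bucket_arn},
        {"Sid": "S3Read", "Effect": "Allow",
         "Action": S3_READ_ACTIONS, "Resource": object_arn},
        {"Sid": "KMSDecrypt", "Effect": "Allow",
         "Action": ["kms:Decrypt"], "Resource": key_arn},
        # PutMetricData needs Resource "*"; the cloudwatch:namespace
        # condition key pins the grant to the attachmentav namespace.
        {"Sid": "Metrics", "Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
         "Condition": {"StringEquals": {"cloudwatch:namespace": "attachmentav"}}},
        # Log group name is a placeholder, not attachmentAV's real one.
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/attachmentav/scan:*"},
        {"Sid": "LifecycleHooks", "Effect": "Allow",
         "Action": ["autoscaling:CompleteLifecycleAction",
                    "autoscaling:RecordLifecycleActionHeartbeat"],
         "Resource": "*"},
        {"Sid": "Metering", "Effect": "Allow",
         "Action": ["aws-marketplace:MeterUsage"], "Resource": "*"},
    ]
    if systems_manager_access:
        statements.append({"Sid": "SessionManager", "Effect": "Allow",
                           "Action": SSM_SESSION_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def unrestricted_data_access(policy: Dict) -> List[str]:
    """Sids of Allow statements whose s3:/kms: actions apply to any bucket or key."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a.split(":")[0] in ("s3", "kms") for a in actions):
            continue  # metrics, logs, scaling and metering are not data access
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*") or res.endswith(":key/*"):
                flagged.append(stmt["Sid"])
                break
    return flagged


if __name__ == "__main__":
    # Constructed sample values for a dry run.
    policy = build_scan_policy("123456789012", "eu-west-1",
                               "mail-attachments", "inbox/*",
                               "1234abcd-12ab-34cd-56ef-1234567890ab", True)
    print(json.dumps(policy, indent=2))
    print("unrestricted:", unrestricted_data_access(policy))
```

Run the audit against the policy document actually attached to the deployed role (for example the output of `aws iam get-role-policy`) rather than only against the generated one; any Sid it returns means the restriction parameters did not take effect.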
