To scan AWS EC2 (Linux) instances using AWS SSM, you need AWS IAM user credentials (Access key ID and Secret access key) with the following AWS permissions:
- ssm:SendCommand
- ssm:ListCommandInvocations
- ssm:DescribeInstanceInformation
You can refer to this article to create an AWS user account with the required permissions for SSM based scans:
Create SSM AWS Policy for CAM Scanning:
Sample: Minimum privileges & all resources
Sample Policy JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CAMSSMPrivileges",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:ListCommandInvocations",
                "ssm:DescribeInstanceInformation"
            ],
            "Resource": "*"
        }
    ]
}
Create SSM AWS User for CAM scanning
Sample user with only 'programmatic access'.
Attach the policy to the SSM User directly or via a group:
Create the access key & download the .csv file:
NOTE: These credentials (Access Key ID and Secret access key) are to be used while creating the 'AWS SSM keychain'.
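Before attaching a policy to the SSM user, it is worth confirming that it grants exactly the three actions above and nothing broader. The following is an added example (not Qualys code and not part of this article) that audits an IAM policy document offline, using only the Python standard library: it reports which of the three required SSM actions are missing and which granted actions or wildcards exceed that minimum. The sample over-privileged and incomplete policies at the bottom are constructed for illustration.

```python
"""Offline least-privilege check for the CAM SSM scanning policy.

Added example, not the article's or Qualys' own code. Input is an IAM policy
document as shown in the AWS console (a dict or a JSON string).
"""
import fnmatch
import json

# The three actions the article lists as required for SSM-based scans.
REQUIRED_ACTIONS = (
    "ssm:SendCommand",
    "ssm:ListCommandInvocations",
    "ssm:DescribeInstanceInformation",
)


def minimum_policy():
    """The sample policy from the article, as a dict (for writing out or comparing)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CAMSSMPrivileges",
                "Effect": "Allow",
                "Action": list(REQUIRED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every Action granted by an Allow statement (Deny statements are ignored here)."""
    allowed = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        allowed.extend(_as_list(stmt.get("Action")))
    return allowed


def _matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return (missing, excess).

    missing: required actions that no Allow statement covers.
    excess:  granted entries broader than the minimum, i.e. any action that is
             not one of the three required ones, plus any wildcard pattern
             (even "ssm:Send*" covers more than ssm:SendCommand).
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted = allowed_actions(policy)
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}

    missing = [a for a in REQUIRED_ACTIONS
               if not any(_matches(p, a) for p in granted)]
    excess = [p for p in granted
              if "*" in p or "?" in p or p.lower() not in required_lower]
    return missing, excess


# Constructed sample policies for demonstration (not from the article).
OVER_PRIVILEGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
})
INCOMPLETE = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["ssm:SendCommand", "ssm:DescribeInstanceInformation"],
        "Resource": "*",
    },
})

if __name__ == "__main__":
    for name, doc in [("article sample", minimum_policy()),
                      ("over-privileged", OVER_PRIVILEGED),
                      ("incomplete", INCOMPLETE)]:
        missing, excess = audit_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

Run it as a script to see all three verdicts; the article's own sample reports nothing missing and nothing in excess. Note that the check only looks at Actions: the article's policy uses `"Resource": "*"`, so scoping the statement down to particular instances is a separate decision that this audit does not make.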