Scanning Amazon Machine Image (AMI) with CloudDefense.AI

Modified on Tue, 20 Aug at 6:00 PM

Permissions required:

  • ec2:DescribeImages
  • ebs:ListSnapshotBlocks
  • ebs:GetSnapshotBlock


Why we require these permissions and how our AMI scanner works:


When scanning an Amazon Machine Image (AMI) for vulnerabilities, the permissions `ec2:DescribeImages`, `ebs:ListSnapshotBlocks`, and `ebs:GetSnapshotBlock` give the scanner read access to the AMI's underlying data. Here's how each permission contributes to the process:


1. ec2:DescribeImages:

Role in Scanning: 

  1. This permission is used to retrieve metadata about the AMIs that need to be scanned. It allows the scanning process to list the AMIs available within a specific AWS account or region.

  2. By accessing the details of an AMI, the scanning tool can identify the AMI's associated EBS snapshots, which contain the actual data that needs to be scanned for vulnerabilities.


Detailed Steps:

  1. The scanning tool invokes `DescribeImages` to obtain a list of AMIs, including details such as AMI ID, snapshot IDs, creation date, and other metadata.

  2. The tool identifies which EBS snapshots are linked to the AMI by examining the information returned.


2. ebs:ListSnapshotBlocks:

Role in Scanning:

  1. Once the associated EBS snapshots are identified, this permission is used to list the blocks within those snapshots. It helps the scanning tool understand the structure of the data within the snapshot.

  2. This step is crucial for efficiently scanning large volumes, as it allows the tool to focus on specific blocks that contain data, rather than scanning the entire snapshot.


Detailed Steps:

  1. The scanning tool calls `ListSnapshotBlocks` for each snapshot associated with the AMI.

  2. It retrieves the list of block addresses (offsets) that represent the data stored in the snapshot.

  3. This list of blocks helps the tool determine which parts of the snapshot to retrieve and analyze.


3. ebs:GetSnapshotBlock:

Role in Scanning:

  1. This permission allows the scanning tool to fetch the actual data within each block of the snapshot. The data retrieved from these blocks is then scanned for vulnerabilities or compliance issues.

  2. By using this permission, the scanning tool can analyze the content of the EBS volumes that make up the AMI.


Detailed Steps:

  1. After determining which blocks need to be examined using `ListSnapshotBlocks`, the tool invokes `GetSnapshotBlock` to retrieve the content of each block.

  2. The data from each block is then processed, with the scanning tool inspecting the file system, binaries, libraries, and other content within the blocks for known vulnerabilities, misconfigurations, or compliance violations.


Overall Scanning Workflow:


  1. Identify AMI Details: Using `ec2:DescribeImages`, the scanning tool gathers information about the AMIs and their associated EBS snapshots.

  2. List Snapshot Blocks: With `ebs:ListSnapshotBlocks`, the tool maps out the blocks in each snapshot, identifying which blocks contain data that needs to be examined.

  3. Retrieve and Scan Data: Finally, using `ebs:GetSnapshotBlock`, the tool retrieves the actual data from each block and scans it for vulnerabilities or compliance issues.


By combining these three read-only permissions, a scanning tool can efficiently and effectively analyze the content of AMIs, so that vulnerabilities or misconfigurations are found before the image is deployed in production environments.
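As an added, runnable illustration of the three-call workflow above (not CloudDefense.AI's scanner code): walk an AMI's block-device mappings to its EBS snapshots, page through `ListSnapshotBlocks`, fetch only the listed blocks with `GetSnapshotBlock`, and verify each block's SHA256 checksum before handing it to the inspector. The `FakeClients` class, the AMI/snapshot IDs and the block contents are constructed stand-ins; pass real boto3 `ec2` and `ebs` clients to run it against AWS.

```python
import base64, hashlib, io
# Added example, not CloudDefense.AI's code. "ec2"/"ebs" are any objects exposing boto3's
# describe_images / list_snapshot_blocks / get_snapshot_block (real: boto3.client("ec2") and
# boto3.client("ebs")); FakeClients is a constructed stand-in so the walk runs offline.

def scan_ami(ec2, ebs, image_id, inspect):
    """AMI -> EBS snapshots -> data-bearing blocks -> checksum-verified bytes.
    Returns {snapshot_id: bytes_read}; block indexes not listed hold no data."""
    images = ec2.describe_images(ImageIds=[image_id]).get("Images", [])
    if not images:
        raise ValueError(f"AMI {image_id} not found or not accessible")
    totals = {}
    for mapping in images[0].get("BlockDeviceMappings", []):
        snap = mapping.get("Ebs", {}).get("SnapshotId")
        if not snap:  # instance-store (ephemeral) mappings have no snapshot
            continue
        totals[snap] = 0
        kwargs = {"SnapshotId": snap}
        while True:  # ListSnapshotBlocks pages with NextToken
            page = ebs.list_snapshot_blocks(**kwargs)
            for blk in page.get("Blocks", []):
                resp = ebs.get_snapshot_block(SnapshotId=snap, BlockIndex=blk["BlockIndex"], BlockToken=blk["BlockToken"])
                data = resp["BlockData"].read()
                # Integrity check: the API returns a base64 SHA256 digest of each block.
                if hashlib.sha256(data).digest() != base64.b64decode(resp["Checksum"]):
                    raise ValueError(f"checksum mismatch: {snap} block {blk['BlockIndex']}")
                inspect(snap, blk["BlockIndex"] * page["BlockSize"], data)  # byte offset in volume
                totals[snap] += len(data)
            if "NextToken" not in page:
                break
            kwargs["NextToken"] = page["NextToken"]
    return totals

class FakeClients:
    """Constructed stand-in: one AMI, one snapshot, two 512 KiB-indexed data blocks on two pages."""
    blocks = {0: b"\x7fELF" + b"\0" * 12, 7: b"root:x:0:0:root:/root:/bin/bash\n"}
    def describe_images(self, ImageIds):
        return {"Images": [{"ImageId": ImageIds[0], "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0fake"}},
            {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"}]}]}
    def list_snapshot_blocks(self, SnapshotId, NextToken=None):
        idx = 0 if NextToken is None else 7
        page = {"BlockSize": 512 * 1024, "Blocks": [{"BlockIndex": idx, "BlockToken": f"tok{idx}"}]}
        if NextToken is None:
            page["NextToken"] = "page2"
        return page
    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        data = self.blocks[BlockIndex]
        return {"BlockData": io.BytesIO(data), "ChecksumAlgorithm": "SHA256",
                "Checksum": base64.b64encode(hashlib.sha256(data).digest()).decode()}
```

The `inspect` callback receives the snapshot ID, the block's byte offset within the volume and its bytes, which is where file-system or package inspection would plug in.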
