To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the
ecr:DescribeImageScanFindings, ecr:DescribeImages, and ecr:ListTagsForResource
permissions to the existing Vanta policy. These read-only actions let Vanta read image metadata, tags, and scan findings from ECR.

  1. For each AWS account, navigate to the IAM Policies page in the AWS console.
  2. Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
  3. Click on Edit policy and click on the "JSON" tab.
  4. Paste the following policy into the editor (entirely replacing the existing policy).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
```

  5. Click Review policy and Save changes.
  6. Double-check that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached on the IAM Roles page.
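As an added example (not Vanta's or AWS's own code), the script below checks offline whether a policy document actually grants the three ECR actions, applying IAM's rule that an explicit Deny overrides an Allow. The policy document from the steps above is embedded as a constant so the check runs without AWS access; the `vanta-auditor` role name comes from step 6, and the `fetch_policy_document` helper (which needs boto3 and AWS credentials) is an assumption about how a practitioner would pull the live document before checking it. Condition keys and NotResource are not evaluated, which is a deliberate simplification.

```python
"""Offline sanity check for the VantaAdditionalPermissions policy document.

Added example, not Vanta's or AWS's code. Evaluates a single policy document
only (no other attached policies, SCPs or Conditions are considered).
"""
import fnmatch
import json

# The three ECR actions the Vanta integration needs (from the page).
REQUIRED_ECR_ACTIONS = (
    "ecr:DescribeImageScanFindings",
    "ecr:DescribeImages",
    "ecr:ListTagsForResource",
)

# Policy document from the page, embedded verbatim so the check runs offline.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}"""


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may contain '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_action(policy, action, resource="*"):
    """Return 'allow', 'deny' or 'implicit_deny' for one action under this policy.

    Mirrors IAM's ordering: an explicit Deny wins over any Allow, and an action
    no statement mentions is implicitly denied.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        if actions:
            hit = any(_action_matches(p, action) for p in actions)
        else:
            hit = not any(_action_matches(p, action) for p in not_actions)
        if not hit:
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "implicit_deny"


def missing_ecr_actions(policy):
    """List the required ECR actions this policy does not grant."""
    return [a for a in REQUIRED_ECR_ACTIONS if evaluate_action(policy, a) != "allow"]


def fetch_policy_document(policy_name="VantaAdditionalPermissions", role_name="vanta-auditor"):
    """Assumed helper: pull the default version of a managed policy attached to a role.

    Requires boto3 and AWS credentials; imported lazily so the offline check above
    works without them.
    """
    import boto3
    iam = boto3.client("iam")
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    arns = [p["PolicyArn"] for p in attached if p["PolicyName"] == policy_name]
    if not arns:
        raise LookupError(f"{policy_name} is not attached to role {role_name}")
    version = iam.get_policy(PolicyArn=arns[0])["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=arns[0], VersionId=version)["PolicyVersion"]["Document"]


if __name__ == "__main__":
    doc = json.loads(POLICY_JSON)
    gaps = missing_ecr_actions(doc)
    print("policy grants all required ECR actions" if not gaps else f"missing: {gaps}")
```

Run it as-is to check the embedded document, or replace `json.loads(POLICY_JSON)` with `fetch_policy_document()` to check what is actually attached to the role in each account. The check is single-document by design: a Deny in another attached policy, a permissions boundary or an SCP can still block these actions, which is why step 6 (confirming the attachment on the role) still matters.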

Within an hour of updating this policy, you should see ECR repositories populated on the Inventory page!