To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the permissions below to the existing VantaAdditionalPermissions policy. This lets Vanta read the relevant ECR image and scan-finding information.
- For each AWS account, navigate to the IAM Policies page in the AWS console.
- Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
- Click Edit policy, then select the JSON tab.
- Paste the following policy into the editor (entirely replacing the existing policy).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click Review policy and Save changes.
- Double-check that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached on the IAM Roles page.
Within an hour of updating this policy, you should see ECR repositories populated on the Inventory page!
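Before saving an edited policy it is worth checking, offline, that the document still grants the ECR actions Vanta needs and that no Deny statement overrides them (an explicit Deny always wins in IAM). The script below is an added example and is not Vanta's code; it embeds the policy document from this page and assumes the required actions are the three `ecr:` entries in that policy. It inspects only this one policy document, so a Deny coming from a service control policy or permission boundary would not show up here.

```python
import json
import re

# The VantaAdditionalPermissions policy document from the page, embedded so the
# check runs offline (no AWS credentials needed).
VANTA_ADDITIONAL_PERMISSIONS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Assumption: the ECR actions Vanta needs are the ecr: entries in the policy above.
REQUIRED_ECR_ACTIONS = [
    "ecr:DescribeImageScanFindings",
    "ecr:DescribeImages",
    "ecr:ListTagsForResource",
]


def action_matches(pattern, action):
    """IAM-style action matching: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    """IAM allows "Action" to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def evaluate_policy(policy, required_actions):
    """Return (missing, blocked) for a single policy document.

    missing: required actions that no Allow statement covers.
    blocked: required actions that an explicit Deny statement covers.
    Resources are not inspected because every statement on the page uses "Resource": "*".
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue  # malformed statement; IAM would reject it at save time
        bucket = allowed if effect == "Allow" else denied
        patterns = _as_list(stmt.get("Action"))
        for action in required_actions:
            if any(action_matches(p, action) for p in patterns):
                bucket.add(action)
    missing = [a for a in required_actions if a not in allowed]
    blocked = [a for a in required_actions if a in denied]
    return missing, blocked


def policy_grants_ecr_scan_access(policy):
    """True only when every required ECR action is allowed and none is explicitly denied."""
    missing, blocked = evaluate_policy(policy, REQUIRED_ECR_ACTIONS)
    return not missing and not blocked


if __name__ == "__main__":
    missing, blocked = evaluate_policy(VANTA_ADDITIONAL_PERMISSIONS, REQUIRED_ECR_ACTIONS)
    print("missing:", missing, "blocked:", blocked)
    print("ECR scan access OK:", policy_grants_ecr_scan_access(VANTA_ADDITIONAL_PERMISSIONS))
```

For a check against what AWS actually evaluates for the role (including other attached policies and boundaries), run `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/vanta-auditor --action-names ecr:DescribeImageScanFindings ecr:DescribeImages ecr:ListTagsForResource` after saving, and confirm each decision is `allowed`.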