To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the
ecr:DescribeImageScanFindings, ecr:DescribeImages, and ecr:ListTagsForResource permissions to the existing Vanta policy. This lets Vanta access relevant information in ECR.

1. For each AWS account, navigate to the IAM Policies page in the AWS console.
2. Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
3. Click on Edit policy and click on the "JSON" tab.
4. Paste the following policy into the editor (entirely replacing the existing policy).

{

"Version": "2012-10-17",

"Statement": [

   {

       "Effect": "Allow",

       "Action": [

           "ecr:DescribeImageScanFindings",

            "ecr:DescribeImages",

            "dynamodb:ListTagsOfResource",

            "ecr:ListTagsForResource",

            "sqs:ListQueueTags"

       ],

       "Resource": "*"

   },

   {

       "Effect": "Deny",

       "Action": [

           "datapipeline:EvaluateExpression",

           "datapipeline:QueryObjects",

           "rds:DownloadDBLogFilePortion"

       ],

       "Resource": "*"

   }

]

}

1. Click Review policy and Save changes.
2. Double-check that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached on the IAM Roles page

You should see ECR repositories populated on the Inventory page within an hour of updating this policy!

Updated September 28, 2023 15:22