To perform vulnerability scanning, Alert Logic® Cloud Insight™ needs the ability to create new scanning infrastructure in your AWS environment for each protected VPC. For full details on the permissions needed for vulnerability scanning, refer to the Cloud Insight for Amazon Web Services IAM Policy and Permissions knowledge base article.
When Alert Logic scans your infrastructure, we use a scanning appliance on an EC2 instance that is injected into each protected VPC, so that Alert Logic can reach every instance that needs to be scanned. This means that additional permissions are needed, compared to the permissions required for Cloud Insight Essentials. These additional permissions include:
Write permissions to Auto Scaling
These permissions allow Alert Logic to create and delete Launch Configurations and Auto Scaling Groups. Cloud Insight deploys in an Auto Scaling group with min/max/desired set to 1 to ensure that the appliance is always running. This also allows the appliance to be updated by terminating the existing EC2 appliance instance and letting Auto Scaling replace it with the updated Alert Logic Cloud Insight AMI.
Write permissions to EC2
These permissions allow Cloud Insight to: discover your account during deployment; allocate base infrastructure (subnet routes, security group, NACL); create the Alert Logic Security subnet(s), which house only appliances shared via AMI from Alert Logic's AWS account; create tags on the Cloud Insight appliances; update appliances; automatically remove Cloud Insight appliances and subnets tagged AlertLogic:Security; and modify Security Groups, NACLs, and route tables that are tagged AlertLogic:Security. NACL changes are made to each in-scope VPC to allow outbound connectivity between the Cloud Insight security appliance and the Internet.
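As an added example (not code from the Alert Logic article or its published policy), the following Python check can be run over a candidate IAM policy before it is attached: it flags any Allow statement that grants EC2 delete/modify actions without being conditioned on the AlertLogic:Security resource tag the article describes. The sample policy, its Sids and the tag value "true" are constructed assumptions.

```python
import json

# Constructed sample policy (an assumption for this example, not Alert Logic's
# published policy). It models the two groups the article describes: Auto Scaling
# writes, and EC2 writes limited to resources tagged AlertLogic:Security.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AutoScalingWrite", "Effect": "Allow", "Resource": "*",
         "Action": ["autoscaling:CreateLaunchConfiguration",
                    "autoscaling:DeleteLaunchConfiguration",
                    "autoscaling:CreateAutoScalingGroup",
                    "autoscaling:DeleteAutoScalingGroup"]},
        {"Sid": "Ec2TaggedWrite", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DeleteSubnet", "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:ReplaceNetworkAclEntry", "ec2:DeleteRoute",
                    "ec2:TerminateInstances"],
         "Condition": {"StringEquals": {"aws:ResourceTag/AlertLogic:Security": "true"}}},
        # Deliberately over-broad: touches security groups on ANY resource.
        {"Sid": "Ec2UnscopedWrite", "Effect": "Allow", "Resource": "*",
         "Action": "ec2:RevokeSecurityGroupIngress"},
    ],
})

# Actions that change or remove an EXISTING EC2 resource. Create-type actions are left
# out: the resource does not exist yet, so they are scoped with aws:RequestTag instead.
EC2_MUTATING_PREFIXES = ("ec2:Delete", "ec2:Modify", "ec2:Replace", "ec2:Authorize",
                         "ec2:Revoke", "ec2:Terminate", "ec2:Disassociate")
SCOPE_KEYS = {"aws:resourcetag/alertlogic:security", "ec2:resourcetag/alertlogic:security"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _tag_scoped(statement):
    # IAM condition keys are case-insensitive, so compare lower-cased.
    return any(key.lower() in SCOPE_KEYS
               for block in statement.get("Condition", {}).values() for key in block)

def unscoped_ec2_writes(policy):
    """Sids of Allow statements granting EC2 delete/modify actions (or a wildcard that
    covers them) without the AlertLogic:Security tag condition. Takes JSON text or a dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, st in enumerate(_as_list(doc["Statement"])):
        if st.get("Effect") != "Allow" or _tag_scoped(st):
            continue
        actions = _as_list(st.get("Action", []))
        if any(a in ("*", "ec2:*") or a.startswith(EC2_MUTATING_PREFIXES) for a in actions):
            findings.append(st.get("Sid", f"statement[{idx}]"))
    return findings  # unscoped_ec2_writes(SAMPLE_POLICY) -> ['Ec2UnscopedWrite']
```

This inspects policy text only; whether a given EC2 action honours the resource tag condition key is listed per action in the AWS Service Authorization Reference, so confirm that before relying on the condition as a control.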