From edca77ede428b7555b26b6f67275c7ffa78ee208 Mon Sep 17 00:00:00 2001
From: Wyatt Gill
Date: Fri, 26 Jun 2020 17:58:09 -0500
Subject: [PATCH] Correct AMI scanning permissions
---
 .../vm_image_scanning.adoc | 41 ++++++++++++-------
 1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/admin_guide/vulnerability_management/vm_image_scanning.adoc b/admin_guide/vulnerability_management/vm_image_scanning.adoc
index dd49de9a..dd5a9476 100644
--- a/admin_guide/vulnerability_management/vm_image_scanning.adoc
+++ b/admin_guide/vulnerability_management/vm_image_scanning.adoc
@@ -9,27 +9,40 @@ RHCOS uses Ignition.
 * Images that use paravirtualization.
 * Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.
+* Encrypted images.
 === Prerequisites
-The service account Prisma Cloud uses to scan VM images must have the following permissions:
-
-* ec2:CreateSecurityGroup
-* ec2:DescribeSecurityGroup
-* ec2:RevokeSecurityGroupEgress
-* ec2:AuthorizeSecurityGroupIngress
-* ec2:DeleteSecurityGroup
-* ec2:RunInstances
-* ec2:DescribeInstances
-* ec2:TerminateInstances
-
-NOTE: Prisma Cloud cannot scan encrypted AMIs.
-
+The service account Prisma Cloud uses to scan AMIs must have at least the following policy:
+----
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstances",
+ "ec2:RunInstances",
+ "ec2:CreateTags",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+----
 === Deployment
-VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a _VM instance_, which is running the VM image to be scanned.
+VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a VM instance which is running the VM image to be scanned.
 When you configure Prisma Cloud to scan VM images, you can define the number of scanners to use. Defining more than one scanner means that the Console will create a number of VM instances to scan multiple VM images simultaneously. For scanning large numbers of VM images, increase the number of scanners to improve throughput and reduce scan time.
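Review bot: The IAM policy added in this hunk combines `"Resource": "*"` with `ec2:RunInstances`, `ec2:TerminateInstances`, `ec2:DeleteSecurityGroup` and the security-group authorize/revoke actions, so the scanning service account can terminate or re-open any instance or security group in the account, not only the temporary ones it creates for a scan. The surrounding sentence says "at least the following policy", which presents this as a floor, and readers copying it into an account should be told it is a broad starting point and how to narrow it. I would add after the closing `----` a note such as `NOTE: This policy lets the scanner act on every instance and security group in the account. Where possible, restrict the Terminate/Delete and security-group actions to the resources the scanner creates, for example with a tag-based condition.` The policy includes `ec2:CreateTags`, which suggests the scanner tags what it launches, but the tag key and whether it is applied to both the instance and the security group are not shown here, so that should be confirmed before documenting a concrete `aws:ResourceTag` condition. It would also help to state which ingress rule `ec2:AuthorizeSecurityGroupIngress` is needed for, since that determines what is exposed on the transient scanner instance.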