Configuring Container Vulnerability Assessment (CVA)

Before you can begin assessing container images and workloads in your environment for vulnerabilities, some configuration is required within the relevant cloud service provider (CSP).

Support

InsightCloudSec supports assessing images inside the following container types and locations:

  • Amazon Web Services (AWS): Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS)
  • Microsoft Azure: Azure Kubernetes Service (AKS)
  • Google Cloud Platform (GCP): Google Kubernetes Engine (GKE)

InsightCloudSec also supports assessing images in the following registries:

  • Authenticated
    • AWS Elastic Container Registry (ECR)
    • Azure Container Registry (ACR)
    • GCP Artifact Registry or Google Container Registry (GCR)
  • Unauthenticated (publicly-accessible)
    • Docker Hub
    • Google Cloud Platform (GCP) Artifact Registry (gcr.io)
    • Kubernetes container image registry (registry.k8s.io)
    • Upbound registry (xpkg.upbound.io)

ECR Image Name Affects Assessment

InsightCloudSec currently supports assessing images in private ECR repositories only when the container refers to them by the default ECR hostname (<account-number>.dkr.ecr.<region-name>.amazonaws.com). An image pulled through any other hostname, such as a custom domain or a proxy placed in front of the registry, is not recognized as a private ECR image and is not assessed.
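A quick way to find workloads affected by this restriction is to parse the image references in your ECS task definitions or Kubernetes pod specs and check which ones use the default private-ECR hostname. The following is an added example, not code from the InsightCloudSec product or its documentation; the image references in SAMPLE_REFS, the account number and the images.example.internal hostname are constructed for illustration. Anything that lands in the other_registry group but actually fronts a private ECR repository will not be assessed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default hostname of a private ECR registry, as stated in the note above:
# <account-number>.dkr.ecr.<region-name>.amazonaws.com
ECR_DEFAULT_HOST = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Follows the Docker reference grammar: the first path component is the
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    reference is relative to Docker Hub (docker.io). The digest is split off
    first so the ':' inside 'sha256:...' is never mistaken for a tag separator.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    last_segment = path.rsplit("/", 1)[-1]
    if ":" in last_segment:
        path, tag = path.rsplit(":", 1)
    return ImageRef(registry, path, tag, digest)


def ecr_default_target(ref: str) -> Optional[Tuple[str, str]]:
    """Return (account, region) when ref uses the default private-ECR hostname, else None."""
    m = ECR_DEFAULT_HOST.match(parse_image_ref(ref).registry)
    return (m["account"], m["region"]) if m else None


def triage_workload_images(refs: List[str]) -> Dict[str, List[str]]:
    """Group references by whether CVA can recognise them as private-ECR images."""
    out: Dict[str, List[str]] = {"ecr_default": [], "other_registry": []}
    for ref in refs:
        key = "ecr_default" if ecr_default_target(ref) else "other_registry"
        out[key].append(ref)
    return out


# Constructed sample: image references as they might appear in ECS task
# definitions or Kubernetes pod specs. Account number and hostnames are
# hypothetical.
SAMPLE_REFS = [
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:1.4.2",
    "123456789012.dkr.ecr.eu-west-1.amazonaws.com/payments/worker@sha256:" + "a" * 64,
    "images.example.internal/payments/api:1.4.2",  # custom domain in front of ECR: not assessed
    "nginx:1.25",                                   # Docker Hub (public, supported unauthenticated)
    "registry.k8s.io/pause:3.9",                    # public, supported unauthenticated
]

if __name__ == "__main__":
    for group, refs in triage_workload_images(SAMPLE_REFS).items():
        print(f"{group}:")
        for ref in refs:
            print("   ", ref)
```

The parser deliberately treats any reference without a dotted first component as a Docker Hub image, which is the same rule container runtimes apply, so the grouping matches what the node actually pulls.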

Prerequisites

  • InsightCloudSec Admin permissions (Domain or Org Admin)
  • Appropriate permissions in AWS, Azure, and/or GCP:
    • For you to create roles or policies
    • For InsightCloudSec to execute container assessments (outlined in the following sections)
  • Optional - Kubernetes Security Guardrails enabled if you want to have the workloads deployed into a Kubernetes cluster scanned for vulnerabilities using CVA

AWS

The permissions included in this section are required to enable container assessments within AWS environments.

You have two options for enabling CVA for AWS:

  • Navigate to the IAM policy associated with InsightCloudSec and manually add the AWS CVA Permissions to it
  • Attach the AWS CVA Policy to the role associated with InsightCloudSec

For instructions on configuring AWS EKS clusters, see Kubernetes Remote Scanner for EKS.

Default Permissions

If you used the universal AWS onboarding experience, the AWS CVA policy is included by default. This means it is easiest to perform CVA configuration while onboarding an account/organization. If you onboarded AWS accounts prior to the release of the universal onboarding experience (before InsightCloudSec v. 23.4.11) or did not enable CVA within the onboarding experience, you will most likely need to add the permissions or attach the policy manually.

AWS CVA Permissions

The following table contains the minimum required permissions to enable CVA for the policies associated with InsightCloudSec:

  • ecr:Batch*: Required for batch operations, including getting images and repository configurations
  • ecr:Describe*: Required for describing images, registries, repositories, and other configuration information
  • ecr:Get*: Required for retrieving necessary image information
  • ecr:List*: Required for listing images and tags

AWS CVA Policy

The AWS CVA User Policy can be used to create a custom policy within AWS that contains all the permissions necessary for CVA. Review the AWS IAM documentation for more information.

Role Attachment

This policy should be attached to your existing InsightCloudSec harvesting role (created during AWS Onboarding). Note that the wildcards grant more than the statement's Sid suggests: ecr:Batch* also matches write actions such as ecr:BatchDeleteImage. If your environment requires strict least privilege, list the read and list actions explicitly instead of using the wildcards, and re-check the list when InsightCloudSec adds ECR calls.

```json
{
  "Statement": [
    {
      "Action": [
        "ecr:Get*",
        "ecr:List*",
        "ecr:Describe*",
        "ecr:Batch*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowEcrReadOnlyAccessForVulnerabilityScanning"
    }
  ],
  "Version": "2012-10-17"
}
```
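To see exactly what the wildcard policy above grants, expand each pattern against the ECR action catalogue and separate read/list actions from write actions. The following is an added example and is not part of the InsightCloudSec documentation or product. ECR_ACTIONS is a hand-constructed excerpt of the ECR action list with the access level AWS assigns to each action; the authoritative list is the AWS Service Authorization Reference, so an explicit policy produced from this excerpt must be checked against the full catalogue before use.

```python
import fnmatch
import json
from typing import Dict, List

# Constructed excerpt of the ECR action catalogue: action -> access level.
# Not exhaustive; taken from the AWS Service Authorization Reference.
ECR_ACTIONS: Dict[str, str] = {
    "ecr:BatchCheckLayerAvailability": "Read",
    "ecr:BatchGetImage": "Read",
    "ecr:BatchGetRepositoryScanningConfiguration": "Read",
    "ecr:BatchDeleteImage": "Write",
    "ecr:BatchImportUpstreamImage": "Write",
    "ecr:DescribeImages": "Read",
    "ecr:DescribeImageScanFindings": "Read",
    "ecr:DescribeRegistry": "Read",
    "ecr:DescribeRepositories": "List",
    "ecr:GetAuthorizationToken": "Read",
    "ecr:GetDownloadUrlForLayer": "Read",
    "ecr:GetLifecyclePolicy": "Read",
    "ecr:GetRepositoryPolicy": "Read",
    "ecr:ListImages": "List",
    "ecr:ListTagsForResource": "List",
    "ecr:PutImage": "Write",
    "ecr:InitiateLayerUpload": "Write",
    "ecr:DeleteRepository": "Write",
    "ecr:SetRepositoryPolicy": "Permissions management",
}

# The AWS CVA policy exactly as shown above.
CVA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEcrReadOnlyAccessForVulnerabilityScanning",
        "Effect": "Allow",
        "Action": ["ecr:Get*", "ecr:List*", "ecr:Describe*", "ecr:Batch*"],
        "Resource": "*",
    }],
}

READ_LEVELS = ("Read", "List")


def expand_actions(policy: dict, catalog: Dict[str, str]) -> List[str]:
    """Resolve every Allow action pattern against the catalogue.

    IAM action matching is case-insensitive and supports '*' and '?', which
    fnmatch also handles; both sides are lower-cased before comparison.
    """
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pat in patterns:
            for action in catalog:
                if fnmatch.fnmatchcase(action.lower(), pat.lower()):
                    granted.add(action)
    return sorted(granted)


def non_read_actions(policy: dict, catalog: Dict[str, str]) -> List[str]:
    """Actions the policy grants that are not Read or List level."""
    return [a for a in expand_actions(policy, catalog) if catalog[a] not in READ_LEVELS]


def explicit_read_only_policy(policy: dict, catalog: Dict[str, str]) -> dict:
    """Rewrite the policy with an explicit list of Read/List actions only."""
    actions = [a for a in expand_actions(policy, catalog) if catalog[a] in READ_LEVELS]
    return {
        "Version": policy["Version"],
        "Statement": [{
            "Sid": "AllowEcrReadOnlyAccessForVulnerabilityScanning",
            "Effect": "Allow",
            "Action": actions,
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print("Write-capable actions granted by the wildcard policy:")
    for a in non_read_actions(CVA_POLICY, ECR_ACTIONS):
        print("   ", a, f"({ECR_ACTIONS[a]})")
    print(json.dumps(explicit_read_only_policy(CVA_POLICY, ECR_ACTIONS), indent=2))
```

The trade-off is the usual one: the explicit policy removes ecr:BatchDeleteImage and ecr:BatchImportUpstreamImage, but it also stops picking up new read-only ECR actions automatically, so it needs review whenever the harvesting role starts failing ECR calls.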

Azure

The permissions included in this section are required to enable container assessments within Azure environments.

To enable CVA for Azure:

  1. Navigate to the role associated with InsightCloudSec and manually add the Azure CVA Permissions to it

For instructions on configuring AKS clusters, see Kubernetes Remote Scanner for AKS.

Default Permissions

If you used the universal Azure onboarding experience, the Azure CVA permissions are included in all of the default recommended roles. This means you will most likely not need to add the Azure CVA permissions to the role associated with InsightCloudSec manually.

Azure CVA Permissions

The following table contains the minimum required permissions to enable CVA for the role associated with InsightCloudSec:

  • Microsoft.ContainerRegistry/registries/pull/read: Required to pull images from Azure Container Registries. This is a data action, so in a custom role definition it belongs under dataActions rather than actions (the built-in AcrPull role grants the same data action).

GCP

The permissions included in this section are required to enable container assessments within GCP environments.

To enable CVA for GCP:

  1. Navigate to the service account associated with InsightCloudSec and manually add the GCP CVA Permissions to it

For instructions on configuring GKE clusters, see Kubernetes Remote Scanner for GKE.

Default Permissions

If you used the universal GCP onboarding experience, some of the GCP CVA permissions are not included with the default onboarding permissions. This means you most likely will need to manually update the permissions for the service account associated with InsightCloudSec.

GCP CVA Permissions

The following table contains the minimum required permissions to enable CVA for the service account associated with InsightCloudSec:

  • storage.buckets.get: Required for retrieving information from the storage buckets that back Container Registry images
  • artifactregistry.dockerimages.get: Required for retrieving images from Artifact Registry

Enabling CVA

Before container images can be regularly assessed for vulnerabilities, you must enable the feature. These configuration settings can be found on the Vulnerability Settings page, which is accessed from the Vulnerabilities page.

To enable CVA:

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. Click Settings.
  3. Navigate to the Container Assessment tab.
  4. Click the Enable Container Vulnerability Assessment toggle.

Troubleshooting

If you're experiencing issues harvesting and assessing images and container workloads, review the Cloud VM CVA FAQ or contact support.

Using Cloud VM

Once cloud and Kubernetes onboarding and CVA configuration are complete, images are harvested and assessed for vulnerabilities automatically. Cloud VM is available from the main navigation in InsightCloudSec under Security > Vulnerabilities. See Reviewing and Managing Vulnerabilities for more information.