Host Vulnerability Management - Configuration & Workflows

Getting Started with Host Vulnerability Management

Before getting started with Host Vulnerability Management (HVM) you will need to have the following:

  • An InsightCloudSec installation (v. 23.2.28) (SaaS-Only)
  • The AWS, Azure, and/or GCP permissions outlined below


Permission Requirements

These permissions are not part of a default Read-Only AWS deployment and must be explicitly configured to enable operation of the Host Vulnerability Management feature.

As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform HVM configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.

AWS PermissionRequirement Details
ec2:CreateSnapshotRequired to take a snapshot of the EBS volume that can be analyzed by InsightCloudSec.
ec2:CreateTagsRequired to create tags in the source account.
ec2:CopySnapshotRequired to copy snapshots that are encrypted using the default AWS-managed key.
ec2:DeleteSnapshotRequired to clean up the snapshot in the source account after the analysis has been completed.
ec2:ModifySnapshotAttributeRequired to grant permission to the InsightCloudSec backend to download the snapshot.
kms:DescribeKeyRequired to determine what key is being used to encrypt the volume that is being analyzed.
kms:CreateGrantRequired to create a grant to the KMS key that can be used to decrypt the EBS volume.
kms:DecryptRequired to decrypt the generated data key so that it can be used to encrypt the copied snapshot.
kms:EncryptRequired to encrypt the copied snapshot with a Rapid7-managed Key Management Service (KMS) key.
kms:GenerateDataKeyWithoutPlaintextRequired to generate a data key that is encrypted under the symmetric encryption Rapid7 KMS key. The data key is used to encrypt the snapshot.
kms:RetireGrantRequired to delete the Rapid7 KMS key grant after the assessment has completed.

HVM User Policy

The AWS HVM User Policy can be obtained from our public S3 bucket and used to create a custom policy within AWS that contains all the permissions necessary for HVM configuration and assessment. Review the AWS IAM documentation for more information.

Role Attachment

This policy will need to be attached to your existing InsightCloudSec Harvesting role.


In the table below are the minimum required permissions for your InsightCloudSec Azure role (this should already exist as part of Azure - Onboarding).

Azure PermissionRequirement Details
Microsoft.Compute/snapshots/writeRequired to create a new snapshot.
Microsoft.Compute/snapshots/readRequired to read the properties of a snapshot.
Microsoft.Compute/disks/readRequired to read the properties of a disk.
Microsoft.Compute/snapshots/beginGetAccess/actionRequired to generate an SAS URL for access to the disk snapshot.
Microsoft.Compute/disks/beginGetAccess/actionRequired to generate an SAS URL for access to the disk snapshot.
Microsoft.Compute/snapshots/endGetAccess/actionRequired to disable an SAS URL.
Microsoft.Compute/snapshots/deleteRequired to delete a snapshot.

HVM User Role

The Azure HVM User Role below can be copied and used to create a custom role within Azure that contains all the permissions necessary for HVM configuration and assessment. Ensure you replace the placeholder Subscription ID value.

"properties": {
"roleName": "Disk Access for Host Vulnerability Assessment",
"description": "Read Disk Properties, Revoke and Generate SAS URLs, Create and Delete Snapshots",
"assignableScopes": [
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []


Azure HVM support is limited by the following:

  • The current Implementation doesn’t support VMWare vSphere VMs or Azure Classic VMs
  • Doesn’t support disks with data access authentication mode enabled


In the table below are most of the minimum required permissions for your InsightCloudSec service account (this should already exist as part of GCP - Onboarding).

GCP PermissionRequirement Details
compute.disks.createSnapshotRequired to create a disk snapshot.
compute.snapshots.createRequired to create a disk snapshot.
compute.snapshots.setLabelsRequired to create a disk snapshot.
storage.buckets.createRequired to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket.
storage.buckets.listRequired to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket.
cloudbuild.builds.createRequired to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket.
cloudbuild.builds.getRequired to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket.
storage.objects.getRequired to download the snapshot.
storage.objects.listRequired to download the snapshot.

To enable the full scope of the feature, we also require a couple delete permissions:

GCP PermissionRequirement Details
storage.objects.deleteRequired to delete the snapshot.
compute.snapshots.deleteRequired to delete the snapshot.

For customers concerned about giving InsightCloudSec permissions to delete snapshots or cloud storage objects, we highly recommend creating a separate role containing only the delete permissions (see table above) and applying IAM conditions to the role to restrict what objects/snapshots can be deleted:

  • For storage objects, the deletion permission can be restricted to only the export bucket used by InsightCloudSec for storing exported snapshots by using a startsWith condition as follows:
  • For snapshots, since the resource name is composed of different attributes, we need to extract the snapshot name from the resource name before matching on it. GCP allows you to extract parts of a resource name as follows:"snapshots/{end}").startsWith("rapid7")

Here's a JSON condition block that you can copy/paste for convenience:

"expression": "\"projects/_/buckets/r7-cloudsec-hva-snapshots\") ||\"snapshots/{end}\").startsWith(\"rapid7\")",
"title": "Rapid7 cleanup condition",
"description": ""

Full resource name formats for GCP can be found here.

Cloud Build Service Account

GCP's method of snapshot export uses a Cloud Build job, which runs under a Service Account like most GCP services. To do this successfully, GCP must have the Cloud Build API enabled and the service account must also have the following permissions. Once the Cloud Build API is enabled, the service account is created automatically and is separate from your normal InsightCloudSec harvesting service account.

The Compute Admin (roles/compute.admin) and Service Account User (roles/iam.serviceAccountUser) built-in roles already have these permissions.

Multiple GCP Project Users

If you authenticate with a service account from a separate GCP project, you will need to enable the Cloud Build API for the project with the service account and for any projects you want to scan with HVM.

  • compute.disks.create
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setServiceAccount
  • compute.machineTypes.list
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.snapshots.list
  • compute.snapshots.useReadOnly
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.list
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get


GCP HVM support is limited by the following:

  • Cannot assess instances with disks encrypted by a Customer Supplied Encryption Key
  • Cannot assess Local SSDs

Configuring HVM Assessments

Before hosts can be regularly assessed for vulnerabilities, you must enable the HVM feature and properly scope the hosts that should be assessed. These configuration settings (and others) can be found on the Vulnerability Settings page, which is accessed from the Vulnerabilities page.

Enabling HVM Assessments

Settings are Per InsightCloudSec Organization

The Vulnerability Settings below are unique to the particular InsightCloudSec Organization you are logged in to. For more information on InsightCloudSec Organizations (not to be confused with Cloud Organizations), see Organizations.

  1. Login to InsightCloudSec and navigate to the Vulnerabilities page.
  2. In the top right corner, click Settings.
  3. Click the Enable Host Vulnerability Assessment toggle. The Assessment Scope section appears.

Scoping HVM Assessments

After enabling the feature, you must scope your environment to the hosts that should be assessed. Scoping relies on the Advanced Filtering mechanism seen throughout InsightCloudSec.

Scope Required

Assessments will not be queued until at least one filter exists.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.
Save Filters (Optional)

After Adding a Filter, you can save it so that can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>)
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.


Once the feature has been enabled and a scope has been applied, InsightCloudSec will begin reporting on the assessment coverage for the scoped cloud accounts. Click the Coverage graph to open the Assessment Coverage window, which shows a detailed report, including progress summary and assessment errors for the InsightCloudSec organization grouped by cloud account.

Additional Settings

These additional settings are for GCP only. By default, the GCP snapshot export job will use the default Compute Engine service account and the default VPC network to run the export. If the defaults are not sufficient, you can configure each of these from the Vulnerability Settings page.

To edit GCP Snapshot Export settings:

  1. Login to InsightCloudSec and navigate to the Vulnerabilities page.
  2. In the top right corner, click Settings.
  3. Next to the relevant GCP cloud account, click Edit.
  4. Update the export_network and export_service_account fields as desired.
  5. Click Apply.

Downloading Assessment History

Click the Download Assessment History button to download all Host-related assessment history.

Collection & Assessment Workflows

The following workflows gather and store the inventory from the host instances harvested by InsightCloudSec and assess them for vulnerabilities. They also continuously monitor and refresh the inventory and vulnerability data based on changes to the instances and for newly disclosed vulnerabilities.

Collection & Assessment Workflow (New Instance)

As InsightCloudSec harvesting discovers new host instances, HVM triggers the collection step, which creates and downloads a snapshot of the instance from a customer's cloud account to InsightCloudSec. When HVM is initialized, all host instances already harvested are treated as new, triggering the first collection.

EBS root volume

If the EBS root volume is >= 100 Gb (AWS default is 8 Gb), InsightCloudSec will not download or assess it due to size limitations.

The snapshot is then assessed for vulnerabilities in InsightCloudSec and its inventory (versions of the operating system and software packages, OSS dependencies, and other select file types) is saved. InsightCloudSec discards the snapshot once the assessment is complete.

Recollection & Reassessment Workflow (Existing Instance)

Host instances are reassessed and potentially recollected based on the following triggers.

  • Automated recollection - a proprietary algorithm determines the need to collect a new snapshot using environmental events indicating the instance changed since the last collection

  • Automated reassessment - when new vulnerabilities are reported, InsightCloudSec reviews the host instance inventory and reassesses those with the imaged packages.

  • Manual recollection and reassessment - you can trigger a recollection and reassessment of a specific host instance using an action in the InsightCloudSec console or an API call

Workflow Diagram (Trigger-Based Collection & Assessment)

Trigger-Based Collection and Assessment Workflow

Triggering a collection starts the snapshot and is immediately followed by an assessment. This process can be tracked on the Host Assessment progress page.

  • The timing to complete the process depends on the size of the image and can take from 5 minutes to 20 minutes.
  • Once the Assessment is complete, results are immediately available.