Vulnerability Scanning IAM Policies
Create IAM policies to control who has access to Oracle Cloud Infrastructure Vulnerability Scanning Service resources, and to control the type of access for each group of users.
By default, only users in the Administrators group have access to all Vulnerability Scanning resources. If you're new to IAM policies, see Getting Started with Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.
In addition to granting users access to Vulnerability Scanning resources, the Vulnerability Scanning service itself must be granted access to your target resources. See Policy Examples.
Resource Types
The following resource types are related to Vulnerability Scanning.
To assign permissions to all Vulnerability Scanning resources, use the aggregate type:
- vss-family
To assign permissions to individual resource types:
- container-scan-recipes
- container-scan-results
- container-scan-targets
- host-agent-scan-results
- host-cis-benchmark-scan-results
- host-port-scan-results
- host-scan-recipes
- host-scan-targets
- host-vulnerabilities
- vss-vulnerabilities
- vss-work-requests
In Vulnerability Scanning, an instance (Compute) is also called a host.
A policy that uses <verb> vss-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.
Supported Variables
Vulnerability Scanning IAM policies support all the general policy variables.
Details for Verb + Resource-Type Combinations
Identify the permissions and API operations covered by each verb for Vulnerability Scanning resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas "no extra" indicates no incremental access.
container-scan-recipes
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_CONTAINERSCANRECIPE_INSPECT | ListContainerScanRecipes | none |
read | inspect + VSS_CONTAINERSCANRECIPE_READ | GetContainerScanRecipe | none |
use | read + VSS_CONTAINERSCANRECIPE_UPDATE | UpdateContainerScanRecipe | none |
manage | use + VSS_CONTAINERSCANRECIPE_CREATE, VSS_CONTAINERSCANRECIPE_DELETE, VSS_CONTAINERSCANRECIPE_MOVE | CreateContainerScanRecipe, DeleteContainerScanRecipe, ChangeContainerScanRecipeCompartment | none |
container-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_CONTAINERSCAN_INSPECT | ListContainerScanResults | none |
read | inspect + VSS_CONTAINERSCAN_READ | GetContainerScanResult | none |
use | read + no extra | none | none |
manage | use + VSS_CONTAINERSCAN_DELETE, VSS_CONTAINERSCAN_MOVE | DeleteContainerScanResult, ChangeContainerScanResultCompartment | none |
container-scan-targets
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_CONTAINERSCANTARGET_INSPECT | ListContainerScanTargets | none |
read | inspect + VSS_CONTAINERSCANTARGET_READ | GetContainerScanTarget | none |
use | read + VSS_CONTAINERSCANTARGET_UPDATE | UpdateContainerScanTarget | none |
manage | use + VSS_CONTAINERSCANTARGET_CREATE, VSS_CONTAINERSCANTARGET_DELETE, VSS_CONTAINERSCANTARGET_MOVE | CreateContainerScanTarget, DeleteContainerScanTarget, ChangeContainerScanTargetCompartment | none |
host-agent-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTAGENTSCAN_INSPECT | ListHostAgentScanResults | none |
read | inspect + VSS_HOSTAGENTSCAN_READ | GetHostAgentScanResult | none |
use | read + no extra | none | none |
manage | use + VSS_HOSTAGENTSCAN_DELETE, VSS_HOSTAGENTSCAN_MOVE, VSS_HOSTAGENTSCAN_EXPORT | DeleteHostAgentScanResult, ChangeHostAgentScanResultCompartment, ExportHostAgentScanResultCsv | none |
host-cis-benchmark-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTCISBENCHMARKSCAN_INSPECT | ListHostCisBenchmarkScanResults | none |
read | inspect + VSS_HOSTCISBENCHMARKSCAN_READ | GetHostCisBenchmarkScanResult | none |
use | read + no extra | none | none |
manage | use + VSS_HOSTCISBENCHMARKSCAN_DELETE, VSS_HOSTCISBENCHMARKSCAN_MOVE | DeleteHostCisBenchmarkScanResult, ChangeHostCisBenchmarkScanResultCompartment | none |
host-port-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTPORTSCAN_INSPECT | ListHostPortScanResults | none |
read | inspect + VSS_HOSTPORTSCAN_READ | GetHostPortScanResult | none |
use | read + no extra | none | none |
manage | use + VSS_HOSTPORTSCAN_DELETE, VSS_HOSTPORTSCAN_MOVE | DeleteHostPortScanResult, ChangeHostPortScanResultCompartment | none |
host-scan-recipes
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTSCANRECIPE_INSPECT | ListHostScanRecipes | none |
read | inspect + VSS_HOSTSCANRECIPE_READ | GetHostScanRecipe | none |
use | read + VSS_HOSTSCANRECIPE_UPDATE | UpdateHostScanRecipe | none |
manage | use + VSS_HOSTSCANRECIPE_CREATE, VSS_HOSTSCANRECIPE_DELETE, VSS_HOSTSCANRECIPE_MOVE | CreateHostScanRecipe, DeleteHostScanRecipe, ChangeHostScanRecipeCompartment | none |
host-scan-targets
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTSCANTARGET_INSPECT | ListHostScanTargets | none |
read | inspect + VSS_HOSTSCANTARGET_READ | GetHostScanTarget | none |
use | read + VSS_HOSTSCANTARGET_UPDATE | UpdateHostScanTarget | none |
manage | use + VSS_HOSTSCANTARGET_CREATE, VSS_HOSTSCANTARGET_DELETE, VSS_HOSTSCANTARGET_MOVE | CreateHostScanTarget, DeleteHostScanTarget, ChangeHostScanTargetCompartment | none |
host-vulnerabilities
Alternatively, use vss-vulnerabilities to manage access to both host and container vulnerabilities. The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_VULN_INSPECT, VSS_VULN_HOST_INSPECT | ListHostVulnerabilities, ListHostVulnerabilityImpactedHosts | none |
read | inspect + VSS_VULN_READ | GetHostVulnerability | none |
use | read + no extra | none | none |
manage | use + VSS_VULN_EXPORT | ExportHostVulnerabilityCsv | none |
vss-vulnerabilities
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_VULN_INSPECT, VSS_VULN_HOST_INSPECT, VSS_VULN_CONTAINER_INSPECT | ListVulnerabilities, ListVulnerabilityImpactedHosts, ListVulnerabilityImpactedContainers | none |
read | inspect + VSS_VULN_READ | GetVulnerability | none |
use | read + no extra | none | none |
manage | use + no extra | none | none |
vss-work-requests
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_WR_INSPECT | ListWorkRequests | none |
read | inspect + VSS_WR_READ, VSS_WR_ERR_READ, VSS_WR_LOG_READ | GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs | none |
use | read + no extra | none | none |
manage | use + no extra | none | none |
Permissions Required for Each API Operation
The following table lists the Vulnerability Scanning API operations in a logical order, grouped by resource type.
For more information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
ChangeContainerScanRecipeCompartment | VSS_CONTAINERSCANRECIPE_MOVE |
ChangeContainerScanResultCompartment | VSS_CONTAINERSCAN_MOVE |
ChangeContainerScanTargetCompartment | VSS_CONTAINERSCANTARGET_MOVE |
ChangeHostAgentScanResultCompartment | VSS_HOSTAGENTSCAN_MOVE |
ChangeHostCisBenchmarkScanResultCompartment | VSS_HOSTCISBENCHMARKSCAN_MOVE |
ChangeHostPortScanResultCompartment | VSS_HOSTPORTSCAN_MOVE |
ChangeHostScanRecipeCompartment | VSS_HOSTSCANRECIPE_MOVE |
ChangeHostScanTargetCompartment | VSS_HOSTSCANTARGET_MOVE |
CreateContainerScanRecipe | VSS_CONTAINERSCANRECIPE_CREATE |
CreateContainerScanTarget | VSS_CONTAINERSCANTARGET_CREATE |
CreateHostScanRecipe | VSS_HOSTSCANRECIPE_CREATE |
CreateHostScanTarget | VSS_HOSTSCANTARGET_CREATE |
DeleteContainerScanRecipe | VSS_CONTAINERSCANRECIPE_DELETE |
DeleteContainerScanResult | VSS_CONTAINERSCAN_DELETE |
DeleteContainerScanTarget | VSS_CONTAINERSCANTARGET_DELETE |
DeleteHostAgentScanResult | VSS_HOSTAGENTSCAN_DELETE |
DeleteHostCisBenchmarkScanResult | VSS_HOSTCISBENCHMARKSCAN_DELETE |
DeleteHostPortScanResult | VSS_HOSTPORTSCAN_DELETE |
DeleteHostScanRecipe | VSS_HOSTSCANRECIPE_DELETE |
DeleteHostScanTarget | VSS_HOSTSCANTARGET_DELETE |
ExportHostAgentScanResultCsv | VSS_HOSTAGENTSCAN_EXPORT |
ExportHostVulnerabilityCsv | VSS_VULN_EXPORT |
GetContainerScanRecipe | VSS_CONTAINERSCANRECIPE_READ |
GetContainerScanResult | VSS_CONTAINERSCAN_READ |
GetContainerScanTarget | VSS_CONTAINERSCANTARGET_READ |
GetHostAgentScanResult | VSS_HOSTAGENTSCAN_READ |
GetHostCisBenchmarkScanResult | VSS_HOSTCISBENCHMARKSCAN_READ |
GetHostPortScanResult | VSS_HOSTPORTSCAN_READ |
GetHostScanRecipe | VSS_HOSTSCANRECIPE_READ |
GetHostScanTarget | VSS_HOSTSCANTARGET_READ |
GetHostVulnerability | VSS_VULN_READ |
GetVulnerability | VSS_VULN_READ |
GetWorkRequest | VSS_WR_READ |
ListContainerScanRecipes | VSS_CONTAINERSCANRECIPE_INSPECT |
ListContainerScanResults | VSS_CONTAINERSCAN_INSPECT |
ListContainerScanTargets | VSS_CONTAINERSCANTARGET_INSPECT |
ListHostAgentScanResults | VSS_HOSTAGENTSCAN_INSPECT |
ListHostCisBenchmarkScanResults | VSS_HOSTCISBENCHMARKSCAN_INSPECT |
ListHostPortScanResults | VSS_HOSTPORTSCAN_INSPECT |
ListHostScanRecipes | VSS_HOSTSCANRECIPE_INSPECT |
ListHostScanTargets | VSS_HOSTSCANTARGET_INSPECT |
ListHostVulnerabilities | VSS_VULN_INSPECT |
ListHostVulnerabilityImpactedHosts | VSS_VULN_HOST_INSPECT |
ListVulnerabilities | VSS_VULN_INSPECT |
ListVulnerabilityImpactedContainers | VSS_VULN_CONTAINER_INSPECT |
ListVulnerabilityImpactedHosts | VSS_VULN_HOST_INSPECT |
ListWorkRequests | VSS_WR_INSPECT |
ListWorkRequestErrors | VSS_WR_ERR_READ |
ListWorkRequestLogs | VSS_WR_LOG_READ |
UpdateContainerScanRecipe | VSS_CONTAINERSCANRECIPE_UPDATE |
UpdateContainerScanTarget | VSS_CONTAINERSCANTARGET_UPDATE |
UpdateHostScanRecipe | VSS_HOSTSCANRECIPE_UPDATE |
UpdateHostScanTarget | VSS_HOSTSCANTARGET_UPDATE |
Policy Examples
Learn about Vulnerability Scanning IAM policies using examples.
- Allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the entire tenancy:
  Allow group SecurityAdmins to manage vss-family in tenancy
- Allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:
  Allow group SecurityAdmins to manage vss-family in compartment SalesApps
- Allow users in the group SecurityAuditors to view all Vulnerability Scanning resources in the compartment SalesApps:
  Allow group SecurityAuditors to read vss-family in compartment SalesApps
- Allow users in the group SecurityAuditors to view all Vulnerability Scanning resources in the compartment SalesApps and to export the results:
  Allow group SecurityAuditors to read vss-family in compartment SalesApps
  Allow group SecurityAuditors to manage host-agent-scan-results in compartment SalesApps where request.operation = 'ExportHostAgentScanResultCsv'
  Allow group SecurityAuditors to manage host-vulnerabilities in compartment SalesApps where request.operation = 'ExportHostVulnerabilityCsv'
  Note: The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.
- Allow users in the group SecurityAdmins to create, update, and delete Compute (host) scan recipes in the entire tenancy:
  Allow group SecurityAdmins to manage host-scan-recipes in tenancy
- Allow users in the group SecurityAuditors to view all Compute (host) scanning results in the compartment SalesApps:
  Allow group SecurityAuditors to read host-agent-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read host-port-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read host-cis-benchmark-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read container-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read vss-vulnerabilities in compartment SalesApps
To use agent-based scanning of Compute instances, you must also:
- Grant the Vulnerability Scanning service permission to deploy the Oracle Cloud Agent to your target Compute instances.
- Grant the Vulnerability Scanning service permission to read the VNIC (virtual network interface card) on your target Compute instances.
Examples:
- Allow the Vulnerability Scanning service and users in the group SecurityAdmins to perform agent-based scanning in the entire tenancy:
  Allow group SecurityAdmins to manage vss-family in tenancy
  Allow service vulnerability-scanning-service to manage instances in tenancy
  Allow service vulnerability-scanning-service to read compartments in tenancy
  Allow service vulnerability-scanning-service to read vnics in tenancy
  Allow service vulnerability-scanning-service to read vnic-attachments in tenancy
- Allow the Vulnerability Scanning service and users in the group SecurityAdmins to perform agent-based scanning on instances in the compartment SalesApps:
  Allow group SecurityAdmins to manage vss-family in compartment SalesApps
  Allow service vulnerability-scanning-service to manage instances in compartment SalesApps
  Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
  Allow service vulnerability-scanning-service to read vnics in compartment SalesApps
  Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesApps
- Allow the Vulnerability Scanning service and users in the group SecurityAdmins to perform agent-based scanning on instances in the compartment SalesApps. The VNICs of these instances are in the compartment SalesNetwork:
  Allow group SecurityAdmins to manage vss-family in compartment SalesApps
  Allow service vulnerability-scanning-service to manage instances in compartment SalesApps
  Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
  Allow service vulnerability-scanning-service to read vnics in compartment SalesNetwork
  Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesNetwork
For more information about Compute and network policies, see Policy Reference for Core Services.
To scan images in Container Registry, you must also grant the Vulnerability Scanning service permission to pull images from Container Registry.
Examples:
- Allow the Vulnerability Scanning service and users in the group SecurityAdmins to scan all container images in the entire tenancy:
  Allow group SecurityAdmins to manage vss-family in tenancy
  Allow service vulnerability-scanning-service to read repos in tenancy
  Allow service vulnerability-scanning-service to read compartments in tenancy
- Allow the Vulnerability Scanning service and users in the group SecurityAdmins to scan container images in the compartment SalesApps:
  Allow group SecurityAdmins to manage vss-family in compartment SalesApps
  Allow service vulnerability-scanning-service to read repos in compartment SalesApps
  Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
For more information, see Policy Reference for Container Registry.
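The user, service and cross-compartment policy examples above share one statement grammar, and the verb table earlier on this page defines how the verbs stack. The following Python script is an added example, not part of the Oracle documentation and not Oracle's policy engine: it parses statements of the exact shape shown on this page, expands vss-family into the eleven individual resource types, applies the inspect < read < use < manage hierarchy, and honours a where request.operation clause, so a reviewer can check what a policy set actually grants before deploying it. The policy lists in the script are copied from the examples above; the functions parse, is_allowed and effective_access are the example's own. Two simplifications are assumptions: a compartment-scoped statement is matched only against that compartment name (real OCI policies also cover sub-compartments), and no condition syntax beyond request.operation is recognised.

```python
"""Evaluator for the IAM policy statement shape used on this page:

    Allow <group|service> <name> to <verb> <resource-type> in <tenancy | compartment NAME>
        [where request.operation = '<OperationName>']

Added example, not Oracle's policy engine. Assumptions: a compartment-scoped
statement matches only that compartment name (not sub-compartments), and no
condition other than request.operation is understood.
"""
import re

# Cumulative verb levels from the page: inspect < read < use < manage.
VERB_LEVEL = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The aggregate type expands to every individual Vulnerability Scanning type.
VSS_FAMILY = frozenset({
    "container-scan-recipes", "container-scan-results", "container-scan-targets",
    "host-agent-scan-results", "host-cis-benchmark-scan-results",
    "host-port-scan-results", "host-scan-recipes", "host-scan-targets",
    "host-vulnerabilities", "vss-vulnerabilities", "vss-work-requests",
})

STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>group|service)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+request\.operation\s*=\s*'(?P<op>[A-Za-z0-9]+)')?\s*$",
    re.IGNORECASE,
)


def parse(statement):
    """Break one statement into its parts; reject anything outside the grammar."""
    m = STATEMENT.match(statement.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    rtype = m["rtype"].lower()
    return {
        "subject": (m["kind"].lower(), m["name"]),
        "verb": m["verb"].lower(),
        "resources": VSS_FAMILY if rtype == "vss-family" else frozenset({rtype}),
        "scope": None if m["tenancy"] else m["compartment"],  # None = whole tenancy
        "operation": m["op"],                                   # None = unconditional
    }


def is_allowed(statements, subject, verb, rtype, compartment, operation=None):
    """True if some statement grants at least `verb` on `rtype` in `compartment`
    to `subject`. A where-clause statement counts only for that one operation."""
    for s in map(parse, statements):
        if s["subject"] != subject or rtype not in s["resources"]:
            continue
        if s["scope"] is not None and s["scope"] != compartment:
            continue
        if VERB_LEVEL[s["verb"]] < VERB_LEVEL[verb]:
            continue
        if s["operation"] is not None and s["operation"] != operation:
            continue
        return True
    return False


def effective_access(statements, subject, compartment):
    """Highest unconditional verb per resource type, the view a least-privilege
    review wants. Where-clause statements are left out: they grant one operation."""
    best = {}
    for s in map(parse, statements):
        if s["subject"] != subject or s["operation"] is not None:
            continue
        if s["scope"] is not None and s["scope"] != compartment:
            continue
        for r in s["resources"]:
            if VERB_LEVEL[s["verb"]] > VERB_LEVEL.get(best.get(r), -1):
                best[r] = s["verb"]
    return best


# Policies copied from the examples on this page.
AUDITOR_POLICY = [
    "Allow group SecurityAuditors to read vss-family in compartment SalesApps",
    "Allow group SecurityAuditors to manage host-agent-scan-results in compartment SalesApps"
    " where request.operation = 'ExportHostAgentScanResultCsv'",
    "Allow group SecurityAuditors to manage host-vulnerabilities in compartment SalesApps"
    " where request.operation = 'ExportHostVulnerabilityCsv'",
]
SERVICE_POLICY = [
    "Allow service vulnerability-scanning-service to manage instances in compartment SalesApps",
    "Allow service vulnerability-scanning-service to read vnics in compartment SalesNetwork",
    "Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesNetwork",
]
AUDITORS = ("group", "SecurityAuditors")
SCANNER = ("service", "vulnerability-scanning-service")

if __name__ == "__main__":
    print(effective_access(AUDITOR_POLICY, AUDITORS, "SalesApps"))  # read on all 11 types
    # The where clause keeps 'manage' limited to the export operation:
    print(is_allowed(AUDITOR_POLICY, AUDITORS, "manage", "host-vulnerabilities",
                     "SalesApps", "ExportHostVulnerabilityCsv"))   # True
    print(is_allowed(AUDITOR_POLICY, AUDITORS, "manage", "host-vulnerabilities",
                     "SalesApps"))                                  # False
```

Running the script shows the two properties worth confirming in a review: the auditors' unconditional access never rises above read on any Vulnerability Scanning type, and the manage grants on host-agent-scan-results and host-vulnerabilities are unusable for anything but the two export operations. Pointing the same check at vss-vulnerabilities with ExportHostVulnerabilityCsv returns False, which is the note on this page about export being tied to host-vulnerabilities, and the SERVICE_POLICY list reproduces the split-compartment VNIC example: the service can read vnics in SalesNetwork but not in SalesApps.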