Scanning IAM Policies

Create IAM policies to control who has access to Oracle Vulnerability Scanning Service resources, and to control the type of access for each group of users.

By default, only users in the Administrators group have access to all Scanning resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.

Note

In addition to granting users access to Scanning resources, the Scanning service itself must be granted access to your target resources. See Policy Examples.

Resource Types

The following resource types are related to Vulnerability Scanning.

To assign permissions to all Scanning resources, use the aggregate type:

  • vss-family

To assign permissions to individual resource types:

  • container-scan-recipes
  • container-scan-results
  • container-scan-targets
  • host-agent-scan-results
  • host-cis-benchmark-scan-results
  • host-port-scan-results
  • host-scan-recipes
  • host-scan-targets
  • host-vulnerabilities
  • vss-vulnerabilities
  • vss-work-requests

In Vulnerability Scanning, an instance (Compute)  is also called a host.

A policy that uses <verb> vss-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Details for Verb + Resource-Type Combinations

Identify the permissions and API operations covered by each verb for Scanning resources.

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no extra indicates no incremental access.

container-scan-recipes
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_CONTAINERSCANRECIPE_INSPECT ListContainerScanRecipes none
read

inspect+

VSS_CONTAINERSCANRECIPE_READ

GetContainerScanRecipe none
use

read+

VSS_CONTAINERSCANRECIPE_UPDATE

UpdateContainerScanRecipe none
manage

use+

VSS_CONTAINERSCANRECIPE_CREATE

VSS_CONTAINERSCANRECIPE_DELETE

VSS_CONTAINERSCANRECIPE_MOVE

CreateContainerScanRecipe

DeleteContainerScanRecipe

ChangeContainerScanRecipeCompartment

none
container-scan-results
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_CONTAINERSCAN_INSPECT ListContainerScanResults none
read

inspect+

VSS_CONTAINERSCAN_READ

GetContainerScanResult none
use read+ none none
manage

use+

VSS_CONTAINERSCAN_DELETE

VSS_CONTAINERSCAN_MOVE

DeleteContainerScanResult

ChangeContainerScanResultCompartment

none
container-scan-targets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_CONTAINERSCANTARGET_INSPECT ListContainerScanTargets none
read

inspect+

VSS_CONTAINERSCANTARGET_READ

GetContainerScanTarget none
use

read+

VSS_CONTAINERSCANTARGET_UPDATE

UpdateContainerScanTarget none
manage

use+

VSS_CONTAINERSCANTARGET_CREATE

VSS_CONTAINERSCANTARGET_DELETE

VSS_CONTAINERSCANTARGET_MOVE

CreateContainerScanTarget

DeleteContainerScanTarget

ChangeContainerScanTargetCompartment

none
host-agent-scan-results
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_HOSTAGENTSCAN_INSPECT ListHostAgentScanResults none
read

inspect+

VSS_HOSTAGENTSCAN_READ

GetHostAgentScanResult none
use read+ none none
manage

use+

VSS_HOSTAGENTSCAN_DELETE

VSS_HOSTAGENTSCAN_EXPORT

VSS_HOSTAGENTSCAN_MOVE

DeleteHostAgentScanResult

ExportHostAgentScanResultCsv

ChangeHostAgentScanResultCompartment

none
host-cis-benchmark-scan-results
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_HOSTCISBENCHMARKSCAN_INSPECT ListHostCisBenchmarkScanResults none
read

inspect+

VSS_HOSTCISBENCHMARKSCAN_READ

GetHostCisBenchmarkScanResult none
use read+ none none
manage

use+

VSS_HOSTCISBENCHMARKSCAN_DELETE

VSS_HOSTCISBENCHMARKSCAN_MOVE

DeleteHostCisBenchmarkScanResult

ChangeHostCisBenchmarkScanResultCompartment

none
host-port-scan-results
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_HOSTPORTSCAN_INSPECT ListHostPortScanResults none
read

inspect+

VSS_HOSTPORTSCAN_READ

GetHostPortScanResult none
use read+ none none
manage

use+

VSS_HOSTPORTSCAN_DELETE

VSS_HOSTPORTSCAN_MOVE

DeleteHostPortScanResult

ChangeHostPortScanResultCompartment

none
host-scan-recipes
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_HOSTSCANRECIPE_INSPECT ListHostScanRecipes none
read

inspect+

VSS_HOSTSCANRECIPE_READ

GetHostScanRecipe none
use

read+

VSS_HOSTSCANRECIPE_UPDATE

UpdateHostScanRecipe none
manage

use+

VSS_HOSTSCANRECIPE_CREATE

VSS_HOSTSCANRECIPE_DELETE

VSS_HOSTSCANRECIPE_MOVE

CreateHostScanRecipe

DeleteHostScanRecipe

ChangeHostScanRecipeCompartment

none
host-scan-targets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_HOSTSCANTARGET_INSPECT ListHostScanTargets none
read

inspect+

VSS_HOSTSCANTARGET_READ

GetHostScanTarget none
use

read+

VSS_HOSTSCANTARGET_UPDATE

UpdateHostScanTarget none
manage

use+

VSS_HOSTSCANTARGET_CREATE

VSS_HOSTSCANTARGET_DELETE

VSS_HOSTSCANTARGET_MOVE

CreateHostScanTarget

DeleteHostScanTarget

ChangeHostScanTargetCompartment

none
host-vulnerabilities
Note

Alternatively, use vss-vulnerabilities to manage access to both host and container vulnerabilities.

The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

VSS_VULN_INSPECT

VSS_VULN_HOST_INSPECT

ListHostVulnerabilities

ListHostVulnerabilityImpactedHosts

none
read

inspect+

VSS_VULN_READ

GetHostVulnerability none
use read+ none none
manage

use+

VSS_VULN_EXPORT

ExportHostVulnerabilityCsv none
vss-vulnerabilities
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

VSS_VULN_INSPECT

VSS_VULN_HOST_INSPECT

VSS_VULN_CONTAINER_INSPECT

ListVulnerabilities

ListVulnerabilityImpactedHosts

ListVulnerabilityImpactedContainers

none
read

inspect+

VSS_VULN_READ

GetVulnerability none
use read+ none none
manage

use+

none none
vss-work-requests
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect VSS_WR_INSPECT ListWorkRequests none
read

inspect+

VSS_WR_READ

VSS_WR_ERR_READ

VSS_WR_LOG_READ

GetWorkRequest

ListWorkRequestErrors

ListWorkRequestLogs

none
use read+ none none
manage use+ none none

Permissions Required for Each API Operation

The following table lists the Scanning API operations in a logical order, grouped by resource type.

For more information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ChangeContainerScanRecipeCompartment VSS_CONTAINERSCANRECIPE_MOVE
ChangeContainerScanResultCompartment VSS_CONTAINERSCAN_MOVE
ChangeContainerScanTargetCompartment VSS_CONTAINERSCANTARGET_MOVE
ChangeHostAgentScanResultCompartment VSS_HOSTAGENTSCAN_MOVE
ChangeHostCisBenchmarkScanResultCompartment VSS_HOSTCISBENCHMARKSCAN_MOVE
ChangeHostPortScanResultCompartment VSS_HOSTPORTSCAN_MOVE
ChangeHostScanRecipeCompartment VSS_HOSTSCANRECIPE_MOVE
ChangeHostScanTargetCompartment VSS_HOSTSCANTARGET_MOVE
CreateContainerScanRecipe VSS_CONTAINERSCANRECIPE_CREATE
CreateContainerScanTarget VSS_CONTAINERSCANTARGET_CREATE
CreateHostScanRecipe VSS_HOSTSCANRECIPE_CREATE
CreateHostScanTarget VSS_HOSTSCANTARGET_CREATE
DeleteContainerScanRecipe VSS_CONTAINERSCANRECIPE_DELETE
DeleteContainerScanResult VSS_CONTAINERSCAN_DELETE
DeleteContainerScanTarget VSS_CONTAINERSCANTARGET_DELETE
DeleteHostAgentScanResult VSS_HOSTAGENTSCAN_DELETE
DeleteHostCisBenchmarkScanResult VSS_HOSTCISBENCHMARKSCAN_DELETE
DeleteHostPortScanResult VSS_HOSTPORTSCAN_DELETE
DeleteHostScanRecipe VSS_HOSTSCANRECIPE_DELETE
DeleteHostScanTarget VSS_HOSTSCANTARGET_DELETE
ExportHostAgentScanResultCsv VSS_HOSTAGENTSCAN_EXPORT
ExportHostVulnerabilityCsv VSS_VULN_EXPORT
GetContainerScanRecipe VSS_CONTAINERSCANRECIPE_READ
GetContainerScanResult VSS_CONTAINERSCAN_READ
GetContainerScanTarget VSS_CONTAINERSCANTARGET_READ
GetHostAgentScanResult VSS_HOSTAGENTSCAN_READ
GetHostCisBenchmarkScanResult VSS_HOSTCISBENCHMARKSCAN_READ
GetHostPortScanResult VSS_HOSTPORTSCAN_READ
GetHostScanRecipe VSS_HOSTSCANRECIPE_READ
GetHostScanTarget VSS_HOSTSCANTARGET_READ
GetHostVulnerability VSS_VULN_READ
GetVulnerability VSS_VULN_READ
GetWorkRequest VSS_WR_READ
ListContainerScanRecipes VSS_CONTAINERSCANRECIPE_INSPECT
ListContainerScanResults VSS_CONTAINERSCAN_INSPECT
ListContainerScanTargets VSS_CONTAINERSCANTARGET_INSPECT
ListHostAgentScanResults VSS_HOSTAGENTSCAN_INSPECT
ListHostCisBenchmarkScanResults VSS_HOSTCISBENCHMARKSCAN_INSPECT
ListHostPortScanResults VSS_HOSTPORTSCAN_INSPECT
ListHostScanRecipes VSS_HOSTSCANRECIPE_INSPECT
ListHostScanTargets VSS_HOSTSCANTARGET_INSPECT
ListHostVulnerabilities VSS_VULN_INSPECT
ListHostVulnerabilityImpactedHosts VSS_VULN_HOST_INSPECT
ListVulnerabilities VSS_VULN_INSPECT
ListVulnerabilityImpactedContainers VSS_VULN_CONTAINER_INSPECT
ListVulnerabilityImpactedHosts VSS_VULN_HOST_INSPECT
ListWorkRequests VSS_WR_INSPECT
ListWorkRequestErrors VSS_WR_ERR_READ
ListWorkRequestLogs VSS_WR_LOG_READ
UpdateContainerScanRecipe VSS_CONTAINERSCANRECIPE_UPDATE
UpdateContainerScanTarget VSS_CONTAINERSCANTARGET_UPDATE
UpdateHostScanRecipe VSS_HOSTSCANRECIPE_UPDATE
UpdateHostScanTarget VSS_HOSTSCANTARGET_UPDATE

Policy Examples

Learn about Scanning IAM policies using examples.

Basic Policy Examples
  • Allow users in the group SecurityAdmins to create, update, and delete all Scanning resources in the entire tenancy:

    Allow group SecurityAdmins to manage vss-family in tenancy
  • Allow users in the group SecurityAdmins to create, update, and delete all Scanning resources in the compartment SalesApps:

    Allow group SecurityAdmins to manage vss-family in compartment SalesApps
  • Allow users in the group SecurityAuditors to view all Scanning resources in the compartment SalesApps:

    Allow group SecurityAuditors to read vss-family in compartment SalesApps
  • Allow users in the group SecurityAuditors to view all Scanning resources in the compartment SalesApps and to export the results:

    Allow group SecurityAuditors to read vss-family in compartment SalesApps
    Allow group SecurityAuditors to manage host-agent-scan-results in compartment SalesApps where request.operation = 'ExportHostAgentScanResultCsv'
    Allow group SecurityAuditors to manage host-vulnerabilities in compartment SalesApps where request.operation = 'ExportHostVulnerabilityCsv'
    Note

    The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.
  • Allow users in the group SecurityAdmins to create, update, and delete Compute (host) scan recipes in the entire tenancy:

    Allow group SecurityAdmins to manage host-scan-recipes in tenancy
  • Allow users in the group SecurityAuditors to view all Compute (host) scanning results in the compartment SalesApps:

    Allow group SecurityAuditors to read host-agent-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read host-port-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read host-cis-benchmark-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read container-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read vss-vulnerabilities in compartment SalesApps
Compute (Host) Scanning Policy Examples

To use agent-based scanning of compute instances, then you must also:

  • Grant the Scanning service permission to deploy the Oracle Cloud Agent to your target compute instances.
  • Grant the Scanning service permission to read the VNIC (virtual network interface card)  on your target compute instances.

Examples:

  • Allow the Scanning service and users in the group SecurityAdmins to perform agent-based scanning in the entire tenancy:

    Allow group SecurityAdmins to manage vss-family in tenancy
    Allow service vulnerability-scanning-service to manage instances in tenancy
    Allow service vulnerability-scanning-service to read compartments in tenancy
    Allow service vulnerability-scanning-service to read vnics in tenancy
    Allow service vulnerability-scanning-service to read vnic-attachments in tenancy
  • Allow the Scanning service and users in the group SecurityAdmins to perform agent-based scanning on instances in the compartment SalesApps:

    Allow group SecurityAdmins to manage vss-family in compartment SalesApps
    Allow service vulnerability-scanning-service to manage instances in compartment SalesApps
    Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
    Allow service vulnerability-scanning-service to read vnics in compartment SalesApps
    Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesApps
  • Allow the Scanning service and users in the group SecurityAdmins to perform agent-based scanning on instances in the compartment SalesApps. The VNICs of these instances are in the compartment SalesNetwork:
    Allow group SecurityAdmins to manage vss-family in compartment SalesApps
    Allow service vulnerability-scanning-service to manage instances in compartment SalesApps
    Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
    Allow service vulnerability-scanning-service to read vnics in compartment SalesNetwork
    Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesNetwork

For more information about Compute and network policies, see Policy Reference for Core Services.

Container Image Scanning Policy Examples

To scan images in Container Registry, then you must also grant the Scanning service permission to pull images from Container Registry.

Examples:

  • Allow the Scanning service and users in the group SecurityAdmins to scan all container images in the entire tenancy:

    Allow group SecurityAdmins to manage vss-family in tenancy
    Allow service vulnerability-scanning-service to read repos in tenancy
    Allow service vulnerability-scanning-service to read compartments in tenancy
  • Allow the Scanning service and users in the group SecurityAdmins to scan container images in the compartment SalesApps:

    Allow group SecurityAdmins to manage vss-family in compartment SalesApps
    Allow service vulnerability-scanning-service to read repos in compartment SalesApps
    Allow service vulnerability-scanning-service to read compartments in compartment SalesApps

For more information, see Policy Reference for Container Registry.