Configure Vulnerability Scan for AWS
You can set up vulnerability scanning for your AWS VMs, your EKS clusters, or both. Before you can set up EKS scanning, make sure the cluster is onboarded to Ocean.
1. In the Spot console, go to Spot Security > Administration.
2. Click Cloud Account > Configure VA.
3. Select AWS and then click Next.
4. Click Login to sign in to the AWS account.
5. You can either configure VM scanning or click Skip to go straight to EKS scanning.
To configure VM scanning:
a. Select the name of your AWS account and click Run Template.
b. In the AWS console, enter the organization ID and click Next.
c. If you do not know your organization ID, get it from the Spot console: click the user icon > Settings and copy the Organization ID.
d. In Run Template, click the Outputs tab and copy the role ARN shown in the Value column.
e. In the Spot console, paste that value in Role ARN.
6. Select the subnet IDs from the list (or enter them manually).
More about subnet IDs
By default, every region that contains VMs is prepopulated for the account; delete any region you do not want scanned. For each region, select the VPC ID:Subnet ID in which the Spot Security scanner will run.
The list includes only public subnets, that is, subnets whose route table sends traffic to an internet gateway.
Enable auto-assign public IPv4 address in the subnet settings in AWS. If auto-assign is disabled, Spot Security allocates an Elastic IP for the scanner instance instead. AWS limits each account to five Elastic IPs per region by default, so if that region already uses all five the scanner cannot get an address: sign in to your AWS account and request a quota increase, then select the region again to confirm there is capacity for the one Elastic IP Spot Security needs in that account and region.
You can also create a new public subnet for Spot Security (with a route to an internet gateway and auto-assign public IPv4 address enabled). To use a subnet created after the list was built, check Manually enter VPC ID: Subnet ID and enter it.
7. To add another account, click Add Account and repeat the process from Step 3.
8. Click Next.
9. Configure EKS scanning (only public images in the EKS cluster are scanned):
a. Select the accounts to scan.
b. Click Configure.
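The subnet prerequisites in step 6 (a public subnet with an internet-gateway route, auto-assign public IPv4 enabled or one Elastic IP of headroom under the default quota of five per region) can be checked before you open the wizard. The script below is an added example, not Spot's code: it classifies subnets the way the console's list does, from the shape of the EC2 describe-subnets, describe-route-tables and describe-addresses responses, and reports which VPC ID:Subnet ID choices will work. The sample data is constructed, and the optional `preflight_region` helper assumes boto3 and AWS credentials are available.

```python
from __future__ import annotations

DEFAULT_EIP_QUOTA = 5  # AWS default Elastic IP quota per account per region (assumed unchanged)

# Constructed sample data (not from a real account), trimmed to the fields of
# EC2 describe-subnets, describe-route-tables and describe-addresses used here.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0b", "MapPublicIpOnLaunch": False},
]
SAMPLE_ROUTE_TABLES = [
    {   # main table of vpc-0a: default route to an internet gateway
        "RouteTableId": "rtb-main-a", "VpcId": "vpc-0a",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a"}],
    },
    {   # private table explicitly attached to subnet-0bbb: default route via NAT
        "RouteTableId": "rtb-priv-a", "VpcId": "vpc-0a",
        "Associations": [{"SubnetId": "subnet-0bbb"}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}],
    },
    {   # public table explicitly attached to subnet-0ccc
        "RouteTableId": "rtb-pub-b", "VpcId": "vpc-0b",
        "Associations": [{"SubnetId": "subnet-0ccc"}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b"}],
    },
]
# Five addresses already allocated: the default quota is exhausted in this region.
SAMPLE_ADDRESSES = [{"AllocationId": f"eipalloc-{i}"} for i in range(5)]


def effective_route_table(subnet, route_tables):
    """An explicitly associated table wins; otherwise the VPC's main table applies."""
    main = None
    for rtb in route_tables:
        if rtb["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def is_public(subnet, route_tables):
    """Public means the effective route table has a route whose target is an internet gateway."""
    rtb = effective_route_table(subnet, route_tables)
    if rtb is None:
        return False
    return any(r.get("GatewayId", "").startswith("igw-") for r in rtb.get("Routes", []))


def eip_headroom(addresses, quota=DEFAULT_EIP_QUOTA):
    """How many more Elastic IPs can be allocated in this region before hitting the quota."""
    return max(quota - len(addresses), 0)


def preflight(subnets, route_tables, addresses, quota=DEFAULT_EIP_QUOTA):
    """One row per public subnet, keyed in the 'VPC ID:Subnet ID' form the console uses."""
    rows = []
    headroom = eip_headroom(addresses, quota)
    for s in subnets:
        if not is_public(s, route_tables):
            continue  # not offered in the console list, so nothing to check
        if s.get("MapPublicIpOnLaunch"):
            status = "ok: auto-assign public IPv4 enabled"
        elif headroom >= 1:
            status = f"ok: scanner will get an Elastic IP ({headroom} of {quota} left)"
        else:
            status = "blocked: auto-assign disabled and Elastic IP quota exhausted"
        rows.append({"choice": f"{s['VpcId']}:{s['SubnetId']}", "status": status})
    return rows


def preflight_region(region):
    """Same check against a live region; assumes boto3 and AWS credentials (not run offline)."""
    import boto3  # imported here so the constructed sample runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    return preflight(
        ec2.describe_subnets()["Subnets"],
        ec2.describe_route_tables()["RouteTables"],
        ec2.describe_addresses()["Addresses"],
    )


if __name__ == "__main__":
    for row in preflight(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_ADDRESSES):
        print(row["choice"], "->", row["status"])
```

Run against a live region with `preflight_region("us-east-1")` for each region the wizard prepopulates; a `blocked` row is the case where you need the quota increase before selecting that subnet. The live helper does not paginate, so accounts with more than a thousand subnets or route tables per region would need the paginator.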