Commit bb80c84

Update faq-permissions.yml
Added permissions for agentless scanning CMK support
1 parent b49e113 commit bb80c84

1 file changed: +8 / -1 lines changed


articles/defender-for-cloud/faq-permissions.yml

Lines changed: 8 additions & 1 deletion
@@ -40,12 +40,19 @@ sections:
4040
4141
- `Microsoft.Compute/disks/read`
4242
- `Microsoft.Compute/disks/beginGetAccess/action`
43+
- `Microsoft.Compute/disks/diskEncryptionSets/read`
4344
- `Microsoft.Compute/virtualMachines/instanceView/read`
4445
- `Microsoft.Compute/virtualMachines/read`
4546
- `Microsoft.Compute/virtualMachineScaleSets/instanceView/read`
4647
- `Microsoft.Compute/virtualMachineScaleSets/read`
4748
- `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read`
4849
- `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read`
50+
51+
When coverage for CMK encrypted disks is enabled, these additional permissions are used:
52+
- `Microsoft.KeyVault/vaults/keys/read`
53+
- `Microsoft.KeyVault/vaults/keys/wrap/action`
54+
- `Microsoft.KeyVault/vaults/keys/unwrap/action`
55+
4956
5057
- AWS permissions - The role “VmScanner” is assigned to the scanner when you enable agentless scanning. This role has the minimal permission set to create and clean up snapshots (scoped by tag) and to verify the current state of the VM. The detailed permissions are:
5158
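Review bot: The three `Microsoft.KeyVault/vaults/keys/*` entries added here are data-plane key operations, and the new sentence ("When coverage for CMK encrypted disks is enabled, these additional permissions are used") does not say what the scanner does with `wrap/action` and `unwrap/action`, which is what a reader auditing least privilege will ask about before granting them. Suggest one sentence stating the purpose of the wrap/unwrap operations so the reader can tell they are required and not just convenient. Two smaller points: the new paragraph and its list sit inside the `answer: |` block of a YAML FAQ entry, and the rendered diff drops leading whitespace, so please confirm the indentation of the added lines matches the surrounding bullet list; and the new `Microsoft.Compute/disks/diskEncryptionSets/read` entry is worth checking against the resource provider's operation list, since the neighbouring entries all follow the `Microsoft.Compute/<resource type>/...` pattern.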
@@ -104,4 +111,4 @@ sections:
104111
- question: |
105112
What is the minimum SAS policy permissions required when exporting data to Azure Event Hubs?
106113
answer: |
107-
**Send** is the minimum SAS policy permissions required. For step-by-step instructions, see **Step 1: Create an Event Hubs namespace and event hub with send permissions** in [this article](./export-to-splunk-or-qradar.md#step-1-create-an-event-hubs-namespace-and-event-hub-with-send-permissions).
114+
**Send** is the minimum SAS policy permissions required. For step-by-step instructions, see **Step 1: Create an Event Hubs namespace and event hub with send permissions** in [this article](./export-to-splunk-or-qradar.md#step-1-create-an-event-hubs-namespace-and-event-hub-with-send-permissions).
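Review bot: The removed line 107 and the added line 114 are identical in the rendered view, so this hunk is a whitespace-only change (trailing whitespace or line ending) to the Event Hubs SAS answer, unrelated to the CMK permissions described in the commit message. If it is unintentional, drop it from this commit so the change stays limited to the agentless scanning permissions; if it is intentional, mention it in the commit message.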