Creates CNVM permissions page (#791)

benironside · nastasha-solomon · web-flow · commit b8409b108ac2 · 2025-03-14T20:28:09.000Z
Fixes #420 by creating the cloud native vulnerability management privilege requirements page. In addition to creating the CNVM privileges page, updates the requirements sections of the CNVM landing page and Get started with CNVM page. --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
diff --git a/solutions/security/cloud/cloud-native-vulnerability-management.md b/solutions/security/cloud/cloud-native-vulnerability-management.md
@@ -20,15 +20,11 @@ CNVM currently only supports AWS EC2 Linux workloads.
 
 
 ::::{admonition} Requirements
-* CNVM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing).
-* Requires {{stack}} and {{agent}} version 8.8 or higher.
+* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing).
 * CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
-* To view vulnerability scan findings, you need at least `read` privileges for the following indices:
-
-    * `logs-cloud_security_posture.vulnerabilities-*`
-    * `logs-cloud_security_posture.vulnerabilities_latest-*`
-
-
+* CNVM can only be deployed on ARM-based VMs.
+* You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances.
+* Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md).
 ::::
 
 
diff --git a/solutions/security/cloud/cnvm-privilege-requirements.md b/solutions/security/cloud/cnvm-privilege-requirements.md
@@ -0,0 +1,59 @@
+---
+applies_to:
+  stack: all
+  serverless:
+    security: all
+---
+
+# CNVM privilege requirements [cnvm-required-permissions]
+
+This page lists required privileges for {{elastic-sec}}'s CNVM features. There are three access levels: `read`, `write`, and `manage`. Each access level and its requirements are described below.
+
+## Read
+
+Users with these minimum permissions can view data on the **Findings** page.
+
+### {{es}} index privileges
+
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: Read`
+
+## Write
+
+Users with these minimum permissions can view data on the **Findings** page and create detection rules from the findings details flyout.
+
+### {{es}} index privileges
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: All`
+
+
+## Manage
+
+Users with these minimum permissions can view data on the **Findings** page, create detection rules from the findings details flyout, and install, update, or uninstall integrations and assets.
+
+### {{es}} index privileges
+
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: All`
+* `Spaces: All`
+* `Fleet: All`
+* `Integrations: All`
+
diff --git a/solutions/security/cloud/get-started-with-cnvm.md b/solutions/security/cloud/get-started-with-cnvm.md
@@ -14,17 +14,11 @@ applies_to:
 This page explains how to set up Cloud Native Vulnerability Management (CNVM).
 
 ::::{admonition} Requirements
-* CNVM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing).
-* Requires {{stack}} and {{agent}} version 8.8 or higher.
-* Only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
+* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing).
+* CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
 * CNVM can only be deployed on ARM-based VMs.
-* To view vulnerability scan findings, you need at least `read` privileges for the following indices:
-
-    * `logs-cloud_security_posture.vulnerabilities-*`
-    * `logs-cloud_security_posture.vulnerabilities_latest-*`
-
 * You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances.
-
+* Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md).
 ::::
 
 
diff --git a/solutions/toc.yml b/solutions/toc.yml
@@ -573,6 +573,7 @@ toc:
           - file: security/cloud/cloud-native-vulnerability-management.md
             children:
               - file: security/cloud/get-started-with-cnvm.md
+              - file: security/cloud/cnvm-privilege-requirements.md
               - file: security/cloud/findings-page-3.md
               - file: security/dashboards/cloud-native-vulnerability-management-dashboard.md
               - file: security/cloud/cnvm-frequently-asked-questions-faq.md
