elastic · benironside · Mar 14, 2025 · Mar 14, 2025 · Mar 14, 2025 · Mar 14, 2025
@@ -20,15 +20,11 @@ CNVM currently only supports AWS EC2 Linux workloads.
 
 
 ::::{admonition} Requirements
-* CNVM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing).
-* Requires {{stack}} and {{agent}} version 8.8 or higher.
+* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing).
 * CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
-* To view vulnerability scan findings, you need at least `read` privileges for the following indices:
-
-    * `logs-cloud_security_posture.vulnerabilities-*`
-    * `logs-cloud_security_posture.vulnerabilities_latest-*`
-
-
+* CNVM can only be deployed on ARM-based VMs.
+* You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances.
+* Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md).
 ::::
 
 

@@ -0,0 +1,59 @@
+---
+applies_to:
+  stack: all
+  serverless:
+    security: all
+---
+
+# CNVM privilege requirements [cnvm-required-permissions]
+
+This page lists required privileges for {{elastic-sec}}'s CNVM features. There are three access levels: `read`, `write`, and `manage`. Each access level and its requirements are described below.
+
+## Read
+
+Users with these minimum permissions can view data on the **Findings** page.
+
+### {{es}} index privileges
+
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: Read`
+
+## Write
+
+Users with these minimum permissions can view data on the **Findings** page and create detection rules from the findings details flyout.
+
+### {{es}} index privileges
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: All`
+
+
+## Manage
+
+Users with these minimum permissions can view data on the **Findings** page, create detection rules from the findings details flyout, and install, update, or uninstall integrations and assets.
+
+### {{es}} index privileges
+
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: All`
+* `Spaces: All`
+* `Fleet: All`
+* `Integrations: All`
+
@@ -14,17 +14,11 @@ applies_to:
 This page explains how to set up Cloud Native Vulnerability Management (CNVM).
 
 ::::{admonition} Requirements
-* CNVM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing).
-* Requires {{stack}} and {{agent}} version 8.8 or higher.
-* Only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
+* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing).
+* CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
 * CNVM can only be deployed on ARM-based VMs.
-* To view vulnerability scan findings, you need at least `read` privileges for the following indices:
-
-    * `logs-cloud_security_posture.vulnerabilities-*`
-    * `logs-cloud_security_posture.vulnerabilities_latest-*`
-
 * You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances.
-
+* Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md).
 ::::
 
 

@@ -573,6 +573,7 @@ toc:
           - file: security/cloud/cloud-native-vulnerability-management.md
             children:
               - file: security/cloud/get-started-with-cnvm.md
+              - file: security/cloud/cnvm-privilege-requirements.md
               - file: security/cloud/findings-page-3.md
               - file: security/dashboards/cloud-native-vulnerability-management-dashboard.md
               - file: security/cloud/cnvm-frequently-asked-questions-faq.md