AWS Workload Scanning - Details


Panoptica scans the EC2 instances and ECR images in your AWS accounts for CVEs and malware. Panoptica also scans your VMs for weak passwords in the local user accounts. Neither of these scans require installation of any agent.

You can configure the scanning when you onboard your AWS accounts. In Simple Mode, workload scanning is enabled by default. Advanced Mode provides options to customize the scan, via the Workload Scanning toggle. If you disable Workload Scanning, Panoptica will not scan your EC2 instances, but ECR images will continue to be scanned.

In order to minimize impact to your environment, the scanning uses an orchestration layer that takes snapshots of the instances and scans them offline. In Advanced Mode, you also have the option of choosing where the scan takes place:

  • External scan scans the snapshots using an Panoptica account that is external to your account. This calls for less internal resources, but requires sharing (not copying) the snapshots.
  • Internal Scan scans the snapshots using a dedicated account in your environment. This improves performance, and keeps your data within your environment.
    If you select Internal Scan, you will need to provide the Account ID of the account where the scanning will take place.

Any CVEs found are then prioritized based on several parameters and sent to the graph database to enrich the risk insights. For more on Panoptica's CVE Management capabilities, see Vulnerability Management.

OS Weak Password Detection

Panoptica automatically checks for weak passwords among local users in your Linux and Windows VMs, to safeguard your environment against unauthorized access. By comparing your hashed passwords to hashes of known weak passwords, Panoptica can identify local users that do not adhere to strong password policies, either in privileged or non-privileged accounts. Weak passwords in local user accounts are reported as risk findings in the Security Posture tab.

Weak Password Detection is active for any account where workload scanning is enabled. No additional action is required.

Supported OS Versions

Panoptica's CVE scanning supports the following operating systems and versions in AWS:

Alpine3.3 and later
Ubuntu14, 16, 18, 20, 21, 22
Debian8, 9, 10, 11
RHEL5, 6, 7, 8, 9
Fedora32, 33, 34, 35
Oracle Linux5, 6, 7
CentOS6, 7, 8, stream8, stream9
AlmaLinux8, 9
Rocky Linux8
Amazon LinuxAll
FreeBSD10, 11
openSUSE Leap15.2, 15.3
SUSE Enterprise11, 12, 15
RaspbianJessie, Stretch, Buster

Scanning Process

Whether implementing Internal or External scanning, the process is similar:

  1. Panoptica creates a snapshot of the scanned machine's operating system volume.
  2. The snapshot is shared with the scanning account
  3. The scanning account launches a spot fleet based on Panoptica's CVE & Malware scanning image.
  4. One of the spot instances receives the scan request and performs these steps:
    1. Create a volume from the shared snapshot
    2. Delete the snapshot in the scanned account
    3. Attach the newly created volume and scan it for Malware and CVEs
    4. If Data Scanning is enabled, this takes place after the CVE scan.
  5. After the scanner machine finishes the scan, it deletes the scanned volume, and is available to handle a new scan.
  6. After an idle time threshold defined by the platform, the scanner spot instance will delete itself

Assets Created

The following assets are created in your environment when you enable Panoptica's scanning functionality. These assets are created in each AWS Region supported by the platform.

Internal scanning:

These assets are created in the scanning account you define at onboarding to support the internal scanning process. No assets are created in any of your other accounts.


Resource availability

Before specifying the scanning account, verify that the account has not reached its quota limits for any of these resources, particularly the VPC.

  • Role
  • Instance profile
  • VPC - There must be 1 spare Virtual Private Cloud available to support this.
  • Subnet
  • Internet gateway
  • Route table
  • Route
  • Route table association
  • Security groups
  • KMS key and alias
  • Launch template

External scanning:

  • Role


In order to create snapshots, share them, scan the volumes, etc., Panoptica requires some basic permissions in your AWS environment. These permissions are configured by policies in the CloudFormation Stack you run at onboarding.

You can view the required permissions, according to the scanning method selected, in the cloudformation script.

  • For Internal scanning, see "PolicyName": "panoptica-internal-ec2-scan"
  • For External scanning, see "PolicyName": "panoptica-external-ec2-scan-policy"


Roles and Permission

For further details regarding the roles and policies you create when onboarding your accounts, see AWS Onboarding - Roles, Policies, and Permissions.