AWS CVE Scanning - Details


When deployed in Advanced Mode, Panoptica supports scanning EC2 instances and ECR images for CVEs and malware. The scan does not require installation of an agent. Just make sure Workload Scanning is enabled.

In order to minimize impact to your environment, the scanning takes place using an orchestration layer, that takes snapshots of the instances and scans them offline. There are two methods available to perform the scan:

  • External scan scans the snapshots in an external Panoptica account. This calls for less internal resources, but requires more data mobility.
  • Internal Scan scans the snapshots using a dedicated account in your environment. This improves performance, and keeps your data within your environment.
    If you select Internal Scan, you will need to provide the Scanner Account ID.

Any CVEs found are then prioritized based on several parameters and sent to the graph database to enrich the risk insights. For more on Panoptica's CVE Management capabilities, see Vulnerability Management.

Supported OS Versions

Panoptica's CVE scanning supports the following operating systems and versions in AWS:

Alpine3.3 and later
Ubuntu14, 16, 18, 20, 21, 22
Debian8, 9, 10, 11
RHEL5, 6, 7, 8, 9
Fedora32, 33, 34, 35
Oracle Linux5, 6, 7
CentOS6, 7, 8, stream8, stream9
AlmaLinux8, 9
Rocky Linux8
Amazon LinuxAll
FreeBSD10, 11
openSUSE Leap15.2, 15.3
SUSE Enterprise11, 12, 15
RaspbianJessie, Stretch, Buster

Scanning Process

Whether implementing Internal or External scanning, the process is similar:

  1. The platform creates a snapshot of the scanned machine's operating system volume.
  2. The snapshot is shared with the scanning account—either Internal or External
  3. The scanning account launches a spot fleet based on Panoptica's CVE & Malware scanning image.
  4. One of the spot instances receives the scan request and performs these steps:
    1. Create a volume from the shared snapshot
    2. Delete the snapshot in the scanned account
    3. Attach the newly created volume and scan it for Malwares and CVEs
  5. After the scanner machine finishes the scan, it deletes the scanned volume, and is available to handle a new scan.
  6. After an idle time threshold defined by the platform, the scanner spot instance will delete itself

Assets Created

The following assets are created in your environment when you enable Panoptica's scanning functionality.

Internal scanning:

These assets are created in the scanning account you define at onboarding. No assets are created in your other accounts. Before specifying the scanning account, verify that the account has not reached its quota limits for any of these resources, particularly the VPC.

  • Role
  • Instance profile
  • VPC - There must be 1 spare Virtual Private Cloud available to support this.
  • Subnet
  • Internet gateway
  • Route table
  • Route
  • Route table association
  • Security groups
  • KMS key and alias
  • Launch template

External scanning:

  • Role

The above assets are created in each region supported by the platform.


In order to create snapshots, share them, scan the volumes, etc., Panoptica requires some basic permissions in your AWS environment. To view the required permissions, view the cloud formation script here.

The permissions vary according to the scanning method you select.

  • For Internal scanning, see "PolicyName": "panoptica-internal-ec2-scan"
  • For External scanning, see "PolicyName": "panoptica-external-ec2-scan-policy"