How to Validate SentinelOne CNAPP IAM Role Permissions in AWS
Validate the SentinelOne CNS/CNAP IAM Role Permissions
Sign in to the AWS Management Console.
Navigate to IAM → Roles.
Search for the SentinelOne cross-account role SentinelOne.
Select the role and open the Permissions tab.
Review all attached IAM policies and verify that the required permissions for Cloud Native Security (CNS/CNAPP) are present.
Minimum Permissions Required for Full Asset Discovery and Vulnerability Assessment
EC2:
ec2:DescribeAmazon S3:
s3:GetBucketPolicy,s3:GetBucketAcl,s3:ListAllMyBucketsIAM:
iam:Get*,iam:ListAWS Lambda:
lambda:List,lambda:GetPolicyAmazon RDS:
rds:DescribeAmazon EKS:
eks:Describe,eks:ListAmazon ECS:
ecs:Describe,ecs:ListAmazon ECR:
ecr:DescribeRepositories,ecr:GetRepositoryPolicyAWS CloudTrail:
cloudtrail:GetTrailStatus,cloudtrail:DescribeTrailsAWS Config:
config:Describe,config:GetAWS KMS:
kms:ListKeys,kms:DescribeKeyAmazon GuardDuty:
guardduty:ListDetectorsAWS Secrets Manager:
secretsmanager:ListSecrets,secretsmanager:DescribeSecret
After updating permissions, return to the SentinelOne console and perform:
Refresh Synchronization/Rescan
Allow approximately 15–30 minutes for asset discovery and vulnerability findings to synchronize and appear in the CNAPP dashboard.
