NetNXT Logo

How to Validate SentinelOne CNAPP IAM Role Permissions in AWS

June 22, 2026
1 min read
ByVed Sharma

Validate the SentinelOne CNS/CNAP IAM Role Permissions

  1. Sign in to the AWS Management Console.

  2. Navigate to IAMRoles.

  3. Search for the SentinelOne cross-account role SentinelOne.

  4. Select the role and open the Permissions tab.

  5. Review all attached IAM policies and verify that the required permissions for Cloud Native Security (CNS/CNAPP) are present.

Minimum Permissions Required for Full Asset Discovery and Vulnerability Assessment

  • EC2: ec2:Describe

  • Amazon S3: s3:GetBucketPolicy, s3:GetBucketAcl, s3:ListAllMyBuckets

  • IAM: iam:Get*, iam:List

  • AWS Lambda: lambda:List, lambda:GetPolicy

  • Amazon RDS: rds:Describe

  • Amazon EKS: eks:Describe, eks:List

  • Amazon ECS: ecs:Describe, ecs:List

  • Amazon ECR: ecr:DescribeRepositories, ecr:GetRepositoryPolicy

  • AWS CloudTrail: cloudtrail:GetTrailStatus, cloudtrail:DescribeTrails

  • AWS Config: config:Describe, config:Get

  • AWS KMS: kms:ListKeys, kms:DescribeKey

  • Amazon GuardDuty: guardduty:ListDetectors

  • AWS Secrets Manager: secretsmanager:ListSecrets, secretsmanager:DescribeSecret

After updating permissions, return to the SentinelOne console and perform:

  • Refresh Synchronization/Rescan

Allow approximately 15–30 minutes for asset discovery and vulnerability findings to synchronize and appear in the CNAPP dashboard.

Was this article helpful?