To scan AWS EC2 (Linux) instances via AWS SSM, you need AWS IAM user credentials (Access key ID, Secret access key) with the following AWS permissions:
You can refer to this article to create an AWS user account with the required permissions for SSM-based scans:
Create SSM AWS Policy for CAM Scanning:
Sample: Minimum privileges & all resources
Sample Policy JSON:
Create SSM AWS User for CAM scanning
Sample User with only ‘programmatic access’.
Attach the policy to the SSM User directly or via a group:
Create the access key & download the .csv file:
NOTE: These credentials (Access Key ID & Secret Access Key) are to be used while creating the ‘AWS SSM keychain’.
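Before attaching the policy to the SSM user, it is worth checking that the document really has the "minimum privileges, all resources" shape the sample describes (narrow actions, no service-wide wildcards, Resource "*"). The Python below is an added example, not part of this article or of the CAM product; the SSM action names in the constructed sample policy and the `ssm` prefix allow-list are assumptions, not the vendor's published permission list.

```python
import json

# Constructed sample in the "minimum privileges & all resources" shape described
# above. ASSUMPTION: the action names are illustrative, not the vendor's list.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:SendCommand", "ssm:GetCommandInvocation",
                 "ssm:DescribeInstanceInformation"],
      "Resource": "*"
    }
  ]
}
"""


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy_json, allowed_prefixes=("ssm",)):
    """Return findings for an identity policy document.

    wildcard_actions:     "*" or service-wide "<svc>:*" grants (not minimum privilege)
    out_of_scope_actions: Allow actions whose service is not in allowed_prefixes
                          (ASSUMPTION: only ssm: is expected; adjust to the vendor list)
    all_resources:        True if any Allow statement uses Resource "*"
    deny_statements:      explicit Deny statements (counted, not evaluated)
    NotAction and Condition elements are not evaluated by this simple check.
    """
    doc = json.loads(policy_json)
    findings = {"wildcard_actions": [], "out_of_scope_actions": [],
                "all_resources": False, "deny_statements": 0}
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            findings["deny_statements"] += 1
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings["wildcard_actions"].append(action)
            elif action.split(":", 1)[0] not in allowed_prefixes:
                findings["out_of_scope_actions"].append(action)
        if "*" in _as_list(stmt.get("Resource")):
            findings["all_resources"] = True
    return findings


def is_minimum_privilege(findings):
    """Gate used before attaching: no wildcard and no out-of-scope actions."""
    return not findings["wildcard_actions"] and not findings["out_of_scope_actions"]


if __name__ == "__main__":
    result = review_policy(SAMPLE_POLICY)
    print(json.dumps(result, indent=2))
    print("minimum privilege:", is_minimum_privilege(result))
```

Run it against the policy JSON you are about to attach; a non-empty `wildcard_actions` list means the document is broader than the "minimum privileges" sample.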