Hello @dlafleur,
With the Sites cloud scanner, some resource types may be scanned even though they were not selected when creating the cloud action. This is due to the fact that the current scanner core was designed this way for a different purpose.
This behavior will be corrected in the coming weeks.
In the meantime, a way to prevent this in AWS is by adding a Deny action on these types of resources in the Reading policy. The following policy, for example, would ensure that only EC2s, VPCs and S3s are scanned (they must also be selected in the cloud action):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Describe*",
        "s3:Get*",
        "s3:List*",
        "ec2:Get*",
        "ec2:List*",
        "ec2:Search*",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:DescribeDBInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeImages",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeNatGateways",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeNetworkAcls"
      ],
      "Resource": "*"
    }
  ]
}
If you still see unwanted asset types after a scan with this new policy, you may want to check the LAST SUCCESSFUL SCAN time of these assets and make sure it relates to the latest scan.
If it is the result of a previous scan, you can now bulk-delete the unsolicited cloud assets.
If it is the result of that scan, check the type of the unsolicited assets that were returned and determine which Actions need to be added to the Deny block (tip: ChatGPT can help you on this one, there really are a lot of granular permissions).
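A small offline check, added here as an example and not part of the reply above or of the vendor's tooling, that simulates how IAM evaluates the policy from the reply for a list of API calls: an explicit Deny beats any Allow, and anything matched by neither is implicitly denied. It only handles Action/Effect statements on Resource "*" with no Condition, which is all this policy uses; the API call names passed to it are assumed examples for the check.

```python
import fnmatch

# The read-only scanner policy from the reply above, as a Python dict so the
# script runs without AWS access.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "s3:Describe*", "s3:Get*", "s3:List*",
            "ec2:Get*", "ec2:List*", "ec2:Search*", "ec2:Describe*"]},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "rds:DescribeDBInstances", "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeInternetGateways", "ec2:DescribeRouteTables",
            "ec2:DescribeSubnets", "ec2:DescribeVolumes",
            "ec2:DescribeSecurityGroups", "ec2:DescribeImages",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeNatGateways", "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeNetworkAcls"]},
    ],
}


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are the
    # only wildcards, which fnmatch implements for us.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one API call.

    Mirrors the core IAM rule: an explicit Deny in any statement wins over
    every Allow; with no match at all the call is implicitly denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_action_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scan_scope(policy, calls):
    """Map each API call the scanner might issue to its evaluation result."""
    return {call: evaluate(policy, call) for call in calls}
```

Run `scan_scope(POLICY, [...])` with the Describe/List calls you expect the scanner to make; any call still reported as "Allow" for an asset type you do not want is a candidate for the Deny block.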