
How do I set up AWS nanitor-readonly-user and roles for Nanitor? (Deprecated)

This setup is no longer required. The collector-based EKS scanning that required these AWS IAM steps is no longer supported in Nanitor 6.8.0 and later. Kubernetes scanning now uses an API-driven model that does not require dedicated AWS users, IAM policies, or kubeconfig distribution.

For Kubernetes vulnerability scanning, see Kubernetes Inventory and Vulnerability Scanning. The new approach offers significant advantages:

  • Any Kubernetes platform — Works with EKS, GKE, AKS, and self-hosted clusters, not just AWS
  • No credentials shared with Nanitor — Scans run in your environment using your cluster's native credentials
  • No AWS IAM setup needed — No dedicated AWS users, policies, or kubeconfig distribution required
  • Better asset tracking — Deployments are tracked as persistent assets, so remediation history is preserved when you deploy patched images

Deprecated Instructions

The instructions below are preserved for reference only. This setup is no longer needed in Nanitor 6.8.0+.


In order to scan Docker images on AWS, Nanitor needs to be able to collect from EKS and read from ECR.

First, set up some environment variables to make it easier to script installation. Change the variables to suit your environment. 

export AWS_PROFILE="root"
export AWS_ACCOUNT="153144908176"
export AWS_REGION="us-east-1"
export KUBE_CONFIG_EKS_ROOT="/home/user/.kube/eks-root.yaml"
export KUBE_CLUSTER_NAME="NANITOR_CLUSTER"

Download the default nanitor-readonly-policy from https://nanitor.io/files/aws-documents/nanitor-read-only-policy.json. Edit it as required, save it as /tmp/nanitor-read-only-policy.json, and then create the policy in your AWS account with the CLI tools. Note that create-policy reads the document from a local file (file://), not from a URL.

curl -o /tmp/nanitor-read-only-policy.json https://nanitor.io/files/aws-documents/nanitor-read-only-policy.json
aws iam create-policy --profile $AWS_PROFILE --policy-name nanitor-readonly-policy --policy-document file:///tmp/nanitor-read-only-policy.json
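Because the downloaded policy is meant to be edited before it is created, it is worth checking that the edited document still grants only read access before running create-policy. The script below is an added example, not Nanitor's tooling and not the contents of the file served from nanitor.io; the sample policy inside it is constructed, and the set of action-name prefixes it treats as read-only is an assumption you should extend if your edited policy legitimately needs other read actions.

```python
import json

# Action-name prefixes treated as read-only (assumption; extend if your
# edited policy needs further read actions such as other Batch* reads).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "BatchCheck")


def _as_list(value):
    """IAM allows a scalar or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return findings for every Allow that is not read-only; [] means clean."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions: never read-only.
            findings.append(f"{sid}: uses NotAction (grants all unlisted actions)")
            continue
        for action in _as_list(stmt.get("Action")):
            # "ecr:Describe*" is accepted (prefix is read-only); "ecr:*" and "*" are not.
            service, sep, name = action.partition(":")
            if not sep or not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: {action} is not a read-only action")
    return findings


def audit_policy_file(path: str) -> list:
    """Load a policy document from disk (e.g. /tmp/nanitor-read-only-policy.json) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_policy(json.load(fh))


# Constructed sample resembling the EKS/ECR reads a collector needs;
# it is NOT the policy distributed by Nanitor.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadClusters", "Effect": "Allow",
         "Action": ["eks:DescribeCluster", "eks:ListClusters"], "Resource": "*"},
        {"Sid": "PullImages", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer", "ecr:Describe*"], "Resource": "*"},
    ],
}

# The same document after a careless edit that also grants image push.
BROKEN_POLICY = json.loads(json.dumps(SAMPLE_POLICY))
BROKEN_POLICY["Statement"].append(
    {"Sid": "OopsPush", "Effect": "Allow", "Action": "ecr:PutImage", "Resource": "*"})

if __name__ == "__main__":
    for label, pol in (("sample", SAMPLE_POLICY), ("edited", BROKEN_POLICY)):
        problems = audit_policy(pol)
        print(f"{label}: {'read-only' if not problems else problems}")
```

Run audit_policy_file("/tmp/nanitor-read-only-policy.json") after editing; only create the policy when it returns an empty list. Deny statements are skipped deliberately since they cannot widen access, while NotAction is always reported because it grants every action not listed.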

Save the policy ARN from the response; it is needed to attach the policy to the user. Then create the user:

aws iam create-user --profile $AWS_PROFILE --user-name=nanitor-readonly-user

Then attach the policy to the new user by its ARN and create an access key for the user.

aws iam attach-user-policy --profile $AWS_PROFILE --user-name=nanitor-readonly-user --policy-arn=arn:aws:iam::$AWS_ACCOUNT:policy/nanitor-readonly-policy
aws iam create-access-key --profile $AWS_PROFILE --user-name nanitor-readonly-user

Save the response and add it to ~/.aws/credentials (on the system running these commands and also on the Nanitor collector device):

[nanitor-readonly-user]
aws_secret_access_key = FROMRESPONSE
aws_access_key_id = FROMRESPONSE
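The access key is a long-lived secret that now lives on two machines, so it is worth verifying the credentials file before copying it to the collector: that the placeholder values were actually replaced, that both keys are present, and that the file is not readable by other users. The script below is an added example and not part of Nanitor's documentation or tooling; the credentials text it writes to a temporary file is constructed and non-functional.

```python
import configparser
import os
import stat
import tempfile

PLACEHOLDER = "FROMRESPONSE"  # the placeholder used in the snippet above


def check_credentials_profile(path: str, profile: str = "nanitor-readonly-user") -> list:
    """Return a list of problems with PROFILE in the credentials file at PATH."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is readable by group/other (mode {mode:o}); expected 0600")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if not cfg.has_section(profile):
        problems.append(f"profile [{profile}] not found")
        return problems
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        value = cfg.get(profile, key, fallback="").strip()
        if not value:
            problems.append(f"{key} missing")
        elif value == PLACEHOLDER:
            problems.append(f"{key} still set to placeholder {PLACEHOLDER}")
    key_id = cfg.get(profile, "aws_access_key_id", fallback="").strip()
    # Long-term IAM user keys (what create-access-key returns) start with AKIA;
    # ASIA would indicate a temporary session key pasted by mistake.
    if key_id and key_id != PLACEHOLDER and not key_id.startswith("AKIA"):
        problems.append("aws_access_key_id does not look like a long-term IAM user key (expected AKIA prefix)")
    return problems


def write_sample(contents: str, mode: int) -> str:
    """Write CONTENTS to a temporary file with MODE and return its path (for the demo)."""
    fd, path = tempfile.mkstemp(prefix="creds-")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, mode)
    return path


# Constructed samples: the unedited snippet from above, and one with fake keys.
UNEDITED = ("[nanitor-readonly-user]\n"
            "aws_secret_access_key = FROMRESPONSE\n"
            "aws_access_key_id = FROMRESPONSE\n")
FILLED = ("[nanitor-readonly-user]\n"
          "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret00\n"
          "aws_access_key_id = AKIAEXAMPLEEXAMPLE00\n")

if __name__ == "__main__":
    for label, text, mode in (("unedited", UNEDITED, 0o600),
                              ("world-readable", FILLED, 0o644),
                              ("good", FILLED, 0o600)):
        print(label, check_credentials_profile(write_sample(text, mode)) or "ok")
```

In practice call check_credentials_profile(os.path.expanduser("~/.aws/credentials")) on both the workstation and the collector; an empty list means the profile is complete and the file is private to its owner.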

Next, map the AWS user nanitor-readonly-user to a Kubernetes user. This step requires kubectl access to the cluster with full (cluster-admin) privileges. First export the current aws-auth ConfigMap:

kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT -n kube-system get configmap aws-auth -o yaml  > aws-auth.yaml

Edit aws-auth.yaml and add a mapUsers section similar to the one below. Replace $AWS_ACCOUNT with your literal account ID, as kubectl does not expand shell variables inside YAML:

mapUsers:
  - userarn: arn:aws:iam::$AWS_ACCOUNT:user/nanitor-readonly-user
    username: nanitor-readonly-user

Update the AWS auth binding.

kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT apply -f aws-auth.yaml

Create a cluster role nanitor-readonly-role and bind nanitor-readonly-user to it.

kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT apply -f https://nanitor.io/files/aws-documents/kube/nanitor-readonly-user-role.yaml
kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT apply -f https://nanitor.io/files/aws-documents/kube/nanitor-readonly-user-role-binding.yaml

Create a kubeconfig for the new user and copy it to the Nanitor collector.

Make sure nanitor-readonly-user is present in ~/.aws/credentials on the system where you run these commands.

aws eks --profile nanitor-readonly-user --region $AWS_REGION update-kubeconfig --name $KUBE_CLUSTER_NAME --kubeconfig=/tmp/kube-nanitor-readonly-user.yaml