Workload Scanner PDF | Wiz Docs
This document describes the Workload Scanner from Wiz, which is responsible for scanning cloud workloads, such as VM disks and serverless functions. It provides instructions on how to enable and configure features like non-OS disk scanning, shared CMKs for AWS VMs, and AWS Lightsail scanning. The guide also covers defining custom scanner tags and excluding workloads from scanning.
01/04/2025, 18:17 Workload Scanner | Wiz Docs
Source: https://docs.wiz.io/docs/workload-scanner-settings

# Workload Scanner

Scanners extract data from your environment, analyze it, and save the insights to the Explorer and Reports pages. The Workload Scanner is responsible for scanning cloud workloads, such as VM disks and serverless functions. Learn about agentless scanning.

From the Settings > Scanners > Workload Scanner ↗ page, you can:

- Enable and configure non-OS disk scanning
- Share CMKs for AWS VMs
- Enable AWS workload scanning concurrent snapshot copy
- Enable and configure temporary volumes for scanning AWS encrypted VMs
- Enable AWS Lightsail scanning
- Configure AWS Lambda scanning
- Define custom scanner tags to add to resources created by the Workload Scanner
- Turn off tag inheritance for the resources created by the Workload Scanner, or exclude specific tags
- Exclude workloads from scanning using custom tags
- Configure Compute Instance Group sampling
- Define custom Compute Instance Groups

## Enable and configure non-OS disk scanning

Note: Enabling non-OS disk scanning can impact the number of billable units Wiz scans in your environment.

You can extend Wiz's workload scanning capabilities to include scanning non-OS disks attached to VMs (i.e., volumes actively in use). Detecting malware, secrets, and vulnerabilities on all your attached VM disks enables Wiz to provide a complete picture of your VMs, more context, and better prioritization of your security issues.

Non-OS disk scanning is an extension of Wiz's workload scanning, using the same Connectors and set of permissions. Wiz identifies non-OS disks and scans each disk separately to detect secrets, malware, library vulnerabilities, file-path vulnerabilities, container images, and package libraries.

With the addition of non-OS disk scanning, Wiz can scan the package manager installation folder whether the var folder is located on the OS disk or on the non-OS disk, resolving the problem of potentially scanning an old folder version. Learn more about this problem.

To enable and configure non-OS disk scanning:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and toggle on Enable Non-OS disk Scanning.
2. (Optional) Select the scope. By default, Wiz scans all resources.
3. (Optional) Change the scan frequency. By default, Wiz scans non-OS disks every 7 days.
4. Click Save.

## Shared CMKs

Note: CMK (Customer-Managed Key) sharing is only supported in AWS.

One of the most time-consuming parts of scanning encrypted AWS disks is copying encrypted snapshots and re-encrypting them with a Wiz key, so that the copied snapshot can be shared with the Workload Scanner's account (either Wiz-managed or Outpost) and a volume can be created from it for scanning. This process is required because, by default, encrypted snapshots can't be shared with an external account unless the CMK policy allows it.

CMK sharing allows for a much faster and cheaper scanning process. When scanning a volume whose key was shared with Wiz, the initial snapshot can be used to create a volume in the scanning account, eliminating the need to re-encrypt it into another snapshot.

To share your CMKs with Wiz:

1. Identify keys to be shared. You can use this query ↗ to identify keys that encrypt a large number of volumes.
2. Copy the External ID (ARN) property of the CMKs you wish to share and keep it in a safe place. You will need it later.
3. Add the following policy statement to each CMK (the placeholders in angle brackets are filled in during the next step):

Sharing CMKs with Wiz

```json
{
  "Sid": "Allow use of the key by Wiz for scanning",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::<CMK_ACCOUNT_ID>:role/<WIZ_ROLE_NAME>",
      "arn:aws:iam::935122746343:root"
    ]
  },
  "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "ec2.eu-central-1.amazonaws.com"
    }
  }
}
```

4. Customize the JSON:
   i. In the first principal (`arn:aws:iam::<CMK_ACCOUNT_ID>:role/<WIZ_ROLE_NAME>`):
      - Replace `<CMK_ACCOUNT_ID>` with the CMK's account number.
      - Replace `<WIZ_ROLE_NAME>` with the name of the Wiz role in the account. For Outpost Deployments, this is the name of the scanner role.
   ii. The second principal, `arn:aws:iam::935122746343:root`, is the principal of the external account:
      - For SaaS Deployments in AWS commercial, leave the default value (935122746343).
      - For SaaS Deployments in AWS GovCloud, replace the default value with 419232110379.
      - For Outpost Deployments, replace it with the Outpost account ID.
      - (Optional) Restrict sharing by replacing root with role/WizOrchestratorNodePoolRole, which is the default role name used by Wiz to access the key. This way, if Wiz changes this role name, you will need to update the policy. This step and process are the same for SaaS or Outpost deployment.
      - See the AWS account IDs Wiz uses to connect to your cloud environment.
   iii. (For forensics copy volume) Add a new principal on a new line beneath the external account principal with the forensics account's principal.
   iv. In kms:ViaService, replace eu-central-1 with the region of the CMK.
5. (If the key and the volumes it encrypts are not in the same account) Add the following statement to the Wiz role. For Outpost Deployments, this is the scanner role. (`<CMK_ARN>` is the ARN of the shared CMK.)

Role policies for cross account

```json
{
  "Sid": "Allow cross account key access to allow snapshot property modification",
  "Effect": "Allow",
  "Action": ["kms:ReEncrypt*"],
  "Resource": "<CMK_ARN>"
}
```

6. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and click Add to add the external IDs you collected in Step 2 in the Shared CMKs section.
7. Click Save.

These permissions on the key are used to allow Wiz to create the volume in the scanning account. They restrict Wiz to operations originating from the EC2 service (volume creation in this scenario) and to the required operations only. They do not allow any direct calls to the key.

## Enable AWS workload scanning concurrent snapshot copy

Note: When configuring the number of Wiz allocated concurrent snapshots, make sure not to set a number higher than your regional quota. To view your quota, refer to your regional EC2 quotas ↗. Since other services might also use this quota, we recommend not setting the Wiz allocated concurrent snapshots to a number higher than 90% of the quota. To view users or roles using this quota, you can check the Explorer > Cloud Events ↗ page for the CopySnapshot event (requires connecting AWS cloud events to Wiz).

During workload scanning, Wiz creates snapshots of VMs in your environment in order to scan them. This process applies to both encrypted and non-encrypted VMs. AWS has a limit of 20 snapshot copy operations in AWS Commercial (10 in AWS China and Gov) that can occur in parallel for any given region+account.
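Returning to the key policy from the Shared CMKs section above: the statement is only as safe as its scoping, and the three properties the text relies on (only kms:Decrypt, kms:ReEncrypt* and kms:DescribeKey; only the in-account Wiz role and the external account's root or orchestrator role as principals; a kms:ViaService condition pinning use to EC2 in the key's own region so no direct calls to the key are possible) are easy to lose during a copy-and-edit. The following Python checker is an added example, not Wiz's code or part of the original page; it verifies those properties on a parsed key policy. The sample policy, the key account 111122223333 and the role name WizAccess-Role are constructed; the Wiz account ID and orchestrator role name are the ones the page gives.

```python
import json

# Actions the page says the Wiz scanning statement grants, and nothing more.
ALLOWED_ACTIONS = {"kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey"}
WIZ_SID = "Allow use of the key by Wiz for scanning"
# Default external account for SaaS deployments in AWS commercial (from the page).
WIZ_SAAS_COMMERCIAL_ACCOUNT = "935122746343"
# Default role name Wiz uses to access the key when sharing is restricted to a role (from the page).
WIZ_ORCHESTRATOR_ROLE = "WizOrchestratorNodePoolRole"


def _as_set(value):
    """IAM policy fields may be a single string or a list; normalise to a set."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def check_wiz_key_statement(policy, key_region, key_account, wiz_role_name,
                            external_account=WIZ_SAAS_COMMERCIAL_ACCOUNT,
                            extra_principals=()):
    """Return a list of findings for the Wiz scanning statement of a KMS key policy.

    An empty list means the statement is present and scoped as the page describes:
    only the expected actions, only the expected principals (the in-account Wiz role,
    the external account as root or as the orchestrator role, plus any explicitly
    allowed extra principals such as a forensics account), and a kms:ViaService
    condition for the EC2 service in the key's own region.
    """
    findings = []
    statements = [s for s in policy.get("Statement", []) if s.get("Sid") == WIZ_SID]
    if not statements:
        return [f"no statement with Sid '{WIZ_SID}'"]
    if len(statements) > 1:
        findings.append("duplicate Wiz scanning statements")
    stmt = statements[0]

    if stmt.get("Effect") != "Allow":
        findings.append("Effect is not Allow")

    actions = _as_set(stmt.get("Action"))
    if actions - ALLOWED_ACTIONS:
        findings.append(f"over-broad actions: {sorted(actions - ALLOWED_ACTIONS)}")
    if ALLOWED_ACTIONS - actions:
        findings.append(f"missing actions: {sorted(ALLOWED_ACTIONS - actions)}")

    principal = stmt.get("Principal", {})
    principals = _as_set(principal.get("AWS")) if isinstance(principal, dict) else _as_set(principal)
    if "*" in principals:
        findings.append("wildcard principal")
    expected_role = f"arn:aws:iam::{key_account}:role/{wiz_role_name}"
    external_ok = {f"arn:aws:iam::{external_account}:root",
                   f"arn:aws:iam::{external_account}:role/{WIZ_ORCHESTRATOR_ROLE}"}
    if expected_role not in principals:
        findings.append(f"in-account Wiz role principal missing: {expected_role}")
    if not principals & external_ok:
        findings.append(f"no principal for external account {external_account}")
    unexpected = principals - external_ok - {expected_role} - set(extra_principals)
    if unexpected:
        findings.append(f"unexpected principals: {sorted(unexpected)}")

    # Without the kms:ViaService condition the principals could call the key directly.
    via = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
    expected_via = f"ec2.{key_region}.amazonaws.com"
    if via is None:
        findings.append("kms:ViaService condition missing: direct calls to the key would be allowed")
    elif via != expected_via:
        findings.append(f"kms:ViaService is {via}, expected {expected_via}")
    return findings


# Constructed sample key policy: the usual account-root statement plus the Wiz statement,
# with a made-up key account (111122223333) and Wiz role name (WizAccess-Role).
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key by Wiz for scanning",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:role/WizAccess-Role",
                            "arn:aws:iam::935122746343:root"]},
      "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey"],
      "Resource": "*",
      "Condition": {"StringEquals": {"kms:ViaService": "ec2.eu-central-1.amazonaws.com"}}
    }
  ]
}"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

if __name__ == "__main__":
    # A key in eu-central-1 passes; the same policy on a key in us-east-1 is flagged.
    for region in ("eu-central-1", "us-east-1"):
        print(region, check_wiz_key_statement(SAMPLE_POLICY, region, "111122223333", "WizAccess-Role") or "OK")
```

Run it against the output of `aws kms get-key-policy` for each shared key; a region mismatch in kms:ViaService is the most common drift after copying the statement between keys, and it silently breaks scanning rather than weakening the key, whereas a dropped Condition block weakens the key without breaking anything.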
By default, Wiz uses 10 of these snapshot copy slots. However, if your environment has a large number of VMs or large VMs, and also:

- VMs with a PMK (platform-managed key), whose key cannot be shared by its nature
- VMs with a CMK (customer-managed key) that you do not wish to share or cannot share due to multiple keys, regulatory reasons, or other considerations

then this limitation can cause timeouts, due to the time it takes to copy a snapshot from the original key to the Wiz key. Use this query ↗ to identify impacted regions.

You can configure how many concurrent snapshots can be used for agentless scanning in every account+region. To do that:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page and scroll down to the AWS Workload Scanning concurrent snapshot copy section.
2. Set a global configuration (for AWS commercial, China, and Gov).
3. (Optional) Configure the number of concurrent snapshot copies for a given account and region; this overrides the global configuration.
4. Click Save.

## Enable AWS workload scanning using temporary volumes

Note: Enabling temporary volumes may result in additional AWS costs. As Wiz will be creating multiple volumes in the scanned account, you should take into consideration your quota for GP3 volumes and evaluate whether it should be increased.

As part of workload scanning, Wiz creates snapshots of VMs in your environment in order to scan them. This process applies both to encrypted and non-encrypted VMs. In AWS, there is a limit of 20 snapshot copy operations that can take place in parallel for any given region+account.

By default, Wiz uses 10 of these slots. However, if your environment has a large number of VMs or large VMs, and also:

- VMs with a PMK (platform-managed key), whose key cannot be shared by its nature
- VMs with a CMK (customer-managed key) that you do not wish to share or cannot share due to multiple keys, regulatory reasons, or other considerations

then this limitation can cause timeouts, due to the time it takes to copy a snapshot from the original key to the Wiz key.

To overcome this limitation, Wiz can create temporary volumes for encrypted VMs whose key was not shared, but only if there are no available snapshot copy slots. The following table summarizes the different scenarios for scanning AWS VMs:

| VM Type | Process |
| --- | --- |
| Encrypted VMs (key not shared with Wiz) | If there are available snapshot copy slots: same process. If there are no available snapshot copy slots: Original volume → snapshot (with original key) in the scanned account → volume (with Wiz key) in the scanned account → snapshot (with Wiz key) in the scanned account → share snapshot → volume in scanning account |
| Encrypted VMs (key shared with Wiz) | Original volume → snapshot (with original key) → share snapshot → volume in scanning account |
| Non-encrypted VMs | Original volume → snapshot → share snapshot → volume in scanning account |

To enable and configure temporary volumes:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and toggle on Enable AWS workload scanning using temporary volumes.
2. Set the global configuration (the default is one).
3. (Optional) Configure the number of concurrent temporary volumes for a given account and region.
4. Click Save.

## Enable AWS Lightsail scanning

You can extend Wiz's workload and data scanning capabilities to include the scanning of AWS Lightsail instances and disks (if non-OS disk scanning is enabled). Detecting malware, secrets, and vulnerabilities on all your AWS Lightsail instances and disks enables Wiz to provide a better picture of your environment, more context, and better prioritization of your security issues.

As Lightsail instances are not regular EC2 resources, they first need to be exported to EC2 for Wiz to be able to scan them. The high-level flow is: Lightsail snapshot > EBS snapshot > volume in scanning account.

To enable AWS Lightsail scanning:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, scroll down, and then toggle on Enable AWS Lightsail workload scanning.
2. Click Save.

Make sure to update the permissions of your AWS Connector for SaaS or Outpost Deployments.

## Configure AWS Lambda scanning

Note: AWS Lambda scanning generates billable units.

By default, Wiz scans the latest version of AWS Lambda functions. You can extend workload scanning to include versions of Lambda functions. Detecting security risks (misconfigurations, sensitive data, vulnerabilities, and more) across your AWS Lambda versions helps to provide a better picture of your environment, more context, and better prioritization of Issues.

Wiz can scan up to 10 AWS Lambda function versions. Aliased versions (if any exist) are scanned first, followed by active non-aliased versions.

To enable AWS Lambda function version scanning and set the maximum number of scanned versions per Lambda function:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page and scroll down to the AWS Lambda Workload Scanning section.
2. Adjust the Number of versions to scan per Lambda function. A value of 0 means this feature is disabled, so that only the latest version of Lambda functions is scanned.
3. Click Save.

## Define custom scanner tags

Note: Custom scanner tags are currently supported in AWS, Azure, and GCP only. If you would like to see them added for other environments, let us know.

During the scanning process, Wiz creates temporary resources in the deployed accounts. By default, these resources are tagged with wiz:auto-gen-. Enabling custom scanner tags lets you define additional tags for Wiz to add to these temporary resources. When enabled, the following resource types will be created with custom tags:

| Resource Type | Cloud Platform |
| --- | --- |
| Encryption Keys | AWS; Alibaba |
| Snapshots | AWS; Azure (ADE - scans and forensics); GCP (CMEK - forensics) |
| Volumes | AWS (workload scanning with temporary volumes) |
| Images | GCP (legacy flow) |
| Resource shares | Alibaba |

Each cloud provider supports a specific format of custom tags. If the pattern of your custom tag does not follow the cloud provider's supported pattern, Wiz will not assign this tag to the created resources.

To enable custom scanner tags:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and toggle on Enable custom scanner tags.
2. Define the custom tags using key or key:value formatting, separating tags with commas.
3. Click Save.

Newly defined custom tags are added to temporary resources created by future scans only; existing resources are not retroactively tagged.

## Tag inheritance

Note: Tag inheritance is currently supported in AWS, Azure, and GCP only. If you would like to see it added for other environments, let us know.

During the scanning process, Wiz creates temporary resources in the deployed accounts (e.g., volume snapshots), and by default these resources inherit the tags of the original resources. You can choose whether such resources inherit the tags of the original resource. You can also exclude specific tags from inheritance, with the exception of Wiz-generated tags.

To configure tag inheritance:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and toggle off Enable Tag inheritance.
2. Alternatively, define tag keys that will be excluded from inheritance.
3. Click Save.
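The custom scanner tag and tag inheritance sections above describe three rules that together decide which tags land on a temporary resource: Wiz's own tags are always present, inherited tags can be switched off or excluded by key (except Wiz-generated ones), and custom tags in `key` or `key:value` form are only applied when they match the provider's tag format. The Python below is an added example, not Wiz's code or part of the page, that applies those rules. The provider format constraints (AWS tag characters and length limits, GCP label syntax, Azure forbidden characters) are my own reading of the providers' documentation, not something the page states, as is the precedence between inherited and custom tags; the sample source tags and the `wiz:auto-gen-snapshot` key are constructed.

```python
import re

# Keys Wiz itself puts on its temporary resources start with this prefix (the page shows
# "wiz:auto-gen-..."); assumption: any key with this prefix counts as Wiz-generated.
WIZ_TAG_PREFIX = "wiz:"

# Provider tag/label rules as I know them from AWS, Azure and GCP documentation; they are
# not on the page, so verify them against the provider before relying on them.
AWS_TAG_CHARS = re.compile(r"^[\w\s+\-=.:/@]+$")
GCP_LABEL_KEY = re.compile(r"^[a-z][a-z0-9_-]{0,62}$")
GCP_LABEL_VALUE = re.compile(r"^[a-z0-9_-]{0,63}$")
AZURE_FORBIDDEN = set("<>%&\\?/")


def tag_is_valid(provider, key, value):
    """Check a key/value pair against the provider's tag (AWS, Azure) or label (GCP) format."""
    if provider == "AWS":
        return (0 < len(key) <= 128 and len(value) <= 256
                and not key.lower().startswith("aws:")
                and AWS_TAG_CHARS.match(key) is not None
                and (value == "" or AWS_TAG_CHARS.match(value) is not None))
    if provider == "Azure":
        return 0 < len(key) <= 512 and len(value) <= 256 and not (set(key) & AZURE_FORBIDDEN)
    if provider == "GCP":
        return GCP_LABEL_KEY.match(key) is not None and GCP_LABEL_VALUE.match(value) is not None
    return False


def parse_custom_tags(spec):
    """Parse the page's 'key' or 'key:value' comma-separated custom tag format."""
    tags = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        tags[key.strip()] = value.strip() if sep else ""
    return tags


def tags_for_temp_resource(provider, source_tags, wiz_tags, custom_spec="",
                           inherit=True, excluded_keys=()):
    """Compute the tag set for a temporary resource (snapshot, volume, key, ...).

    Precedence (an assumption, not stated on the page): Wiz-generated tags are always
    present and never overwritten; inherited tags follow unless inheritance is off or
    the key is excluded (Wiz-generated keys cannot be excluded); custom tags are added
    last and only if they are valid for the provider, which is the page's rule that
    Wiz will not assign a tag whose pattern the provider does not support.
    """
    result = dict(wiz_tags)
    if inherit:
        for key, value in source_tags.items():
            if key in excluded_keys and not key.startswith(WIZ_TAG_PREFIX):
                continue
            result.setdefault(key, value)
    for key, value in parse_custom_tags(custom_spec).items():
        if key.startswith(WIZ_TAG_PREFIX) or not tag_is_valid(provider, key, value):
            continue
        result[key] = value
    return result


if __name__ == "__main__":
    # Constructed source VM tags; Owner is excluded from inheritance and one custom tag is malformed.
    source = {"Name": "web-1", "CostCenter": "42", "Owner": "alice"}
    wiz = {"wiz:auto-gen-snapshot": "true"}
    print(tags_for_temp_resource("AWS", source, wiz, "env:prod, bad<key>:x", excluded_keys=("Owner",)))
```

Running the main block shows the malformed `bad<key>` tag silently dropped, which is the behaviour to watch for in practice: a custom tag that your cost-allocation or cleanup automation expects may never appear on the snapshot, so check the created resources once after enabling the feature.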
## Exclude workloads from scanning

Note: This feature is available from July 11th, 2023. Any VM tags that were created before this date will also affect the scanning of serverless functions with the same tags.

By default, Wiz performs workload scanning on the workloads in your cloud estate except those tagged with the key WizExclude (or a key named wizexclude in GCP). The tag's value does not matter, so {"WizExclude": (empty)}, {"WizExclude": "noScan"}, and {"WizExclude": "exclude"} are all valid ways to prevent a workload from being scanned by the Workload Scanner.

When a workload is excluded:

- It is still scanned for misconfigurations (and therefore is counted for billable units).
- Any existing findings generated by the Workload Scanner (e.g., vulnerabilities, secrets) still appear on the Security Graph for 30 days.

If you would like to exclude workloads from workload scanning by using a tag other than WizExclude, you can define custom tags. To define a custom tag for excluding workloads from scanning:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and toggle on Enable excluding workloads from scanning.
2. Enter one or more custom tag keys. Both tag keys and tag values are case-sensitive, so WizExclude is different from wizexclude. The former is correct; the latter is wrong (unless in GCP).
3. Click Save.
4. Add the custom tag key to all workloads (VMs, serverless functions, etc.) in your environment that Wiz should not scan.

## Compute Instance Group sampling

By default, Wiz scans only a single instance from a set of identical VMs that are managed by a compute instance group (see the complete list of CSP native types). Wiz samples only VMs that are generated from an identical VM image (e.g., AMI) and do not host any containers, and selects the instances to sample by creation date (the oldest VMs are sampled). Where these criteria are not conclusive, the selection is made in alphabetical order. Compute instance group sampling is never applied to VMs running containers; such VMs are fully scanned in order to generate complete results about their containers.

Consider increasing the number of VMs scanned if you have compute instance groups with long-lived VMs whose states may have changed in substantive ways (updated software, added secrets, etc.). For instance, a compute instance group whose VMs auto-scale up and down on a daily or even hourly basis does not need to be sampled more heavily. However, if a compute instance group keeps VMs up and running for weeks or months, then it should be sampled more heavily in order to add more complete results to the Security Graph. Learn how Wiz defines compute instance groups.

To configure compute instance group sampling:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page and scroll down to the Compute Instance Group Sampling section.
2. (Optional) Check the option Prioritize active hosts scanning to ensure that the sampled VMs are active ↗, if available.
3. Enter the number of VMs to scan per compute instance group. We recommend sampling 10% of the average number of VMs in a compute instance group. You can use this query to see how many VMs there are in each compute instance group ↗ in your environment.

Note: Non-sampled instances are still counted for billable units.

## Custom Compute Instance Groups

On the Security Graph, a Compute Instance Group represents multiple VMs that were instantiated from the same image, e.g., an AWS Auto-Scaling group or an Azure Databricks cluster (query for VMs per Compute Instance Group in your environment ↗). Issues that would be associated with individual VMs in a Compute Instance Group are instead associated with the Compute Instance Group in order to avoid needless duplication.

You can define custom tag keys to force VMs that are not automatically grouped to be represented as a Compute Instance Group on the Security Graph. All VMs with the same tag value join the same Compute Instance Group.

Tag requirements & options

- Tags must have both a key and a value. Tags with only keys do not generate a custom Compute Instance Group.
- In GCP environments, use labels ↗, not tags.
- In OCI environments, you may use either free tags or predefined tags, but predefined tags require the format.
- If multiple tag keys are defined, then VMs with identical sets of corresponding tag values are assigned to the same custom Compute Instance Group. See tag example 2 (below).
- If multiple tag keys are defined, order matters. VMs are associated with the first matching group, and can only be associated with one group.

To define a custom Compute Instance Group:

1. Navigate to the Settings > Scanners > Workload Scanner ↗ page, and scroll down to the Custom Compute Instance Groups section.
2. Click Add Custom Group. In the drawer that opens on the right side:
   i. For Name, give the custom Compute Instance Group a meaningful name. This name is not related to the key:value tag nor to the name of the resulting custom Compute Instance Group.
   ii. For Tags, enter the key(s).
   iii. At the bottom, click Add Custom Group.
3. In your cloud environment, tag your VMs with the same tag(s) defined in Wiz. VMs are grouped by tag keys, and the resulting custom Compute Instance Group is named according to the tag values.

Tag example 1

If you saved the tag key application_uid as a custom Compute Instance Group in Wiz, and 10 VMs were tagged with the application_uid:webApp key:value pair while 5 others were tagged application_uid:payments, then Wiz would create 2 custom Compute Instance Groups, webApp and payments, with 10 VMs in the former and 5 in the latter.

Tag example 2

If you save two different tag keys, e.g. application_uid and role, as a custom Compute Instance Group in Wiz, then all VMs with identical sets of tag values are assigned to the same custom Compute Instance Group. For instance, 5 VMs tagged application_uid:0123456789 and role:staging would be assigned to one custom Compute Instance Group (named application_uid:0123456789_role:staging), while 7 VMs tagged application_uid:0123456789 and role:production would be assigned to a second custom Compute Instance Group (named application_uid:0123456789_role:production).
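Both the exclusion section and the custom Compute Instance Group section above describe tag-driven decisions with easy-to-miss edge cases: exclusion keys match case-sensitively and ignore the value (wizexclude on AWS excludes nothing), key-only tags do not form a group, and with several group definitions the first match wins. The Python below is an added example, not Wiz's code or part of the page, that implements both rules and reproduces tag examples 1 and 2 on constructed fleets; the group naming (the bare value for a single key, `key:value` pairs joined by `_` for several keys) is taken from the two examples on the page.

```python
from collections import defaultdict

# Exclusion tag key from the page: WizExclude everywhere except GCP, where it is wizexclude.
# Keys are matched case-sensitively and the tag value is ignored.
DEFAULT_EXCLUDE_KEY = "WizExclude"
GCP_EXCLUDE_KEY = "wizexclude"


def is_excluded(provider, tags, custom_keys=()):
    """True if a workload carries the default or a custom exclusion tag key."""
    default = GCP_EXCLUDE_KEY if provider == "GCP" else DEFAULT_EXCLUDE_KEY
    return any(key in tags for key in (default, *custom_keys))


def group_name(keys, values):
    """Name a custom group from its tag values: the bare value for a single key,
    otherwise 'key:value' pairs joined with '_' (the naming in the page's examples)."""
    if len(keys) == 1:
        return values[0]
    return "_".join(f"{k}:{v}" for k, v in zip(keys, values))


def assign_custom_groups(vms, group_definitions):
    """Assign VMs to custom Compute Instance Groups.

    vms: iterable of (vm_id, tags_dict). group_definitions: ordered list of tag-key
    lists, one per definition saved in Wiz. A VM joins the first definition for which
    it carries every key with a non-empty value, and only that one; VMs with identical
    value sets share a group. Returns {group_name: [vm_ids]}.
    """
    groups = defaultdict(list)
    for vm_id, tags in vms:
        for keys in group_definitions:
            values = [tags.get(k, "") for k in keys]
            if not all(values):        # a key without a value does not form a group
                continue
            groups[group_name(keys, values)].append(vm_id)
            break                      # first matching definition wins
    return dict(groups)


def sample_vms_example_1():
    """Constructed fleet for tag example 1: 10 webApp VMs and 5 payments VMs."""
    return ([(f"web-{i}", {"application_uid": "webApp"}) for i in range(10)]
            + [(f"pay-{i}", {"application_uid": "payments"}) for i in range(5)])


def sample_vms_example_2():
    """Constructed fleet for tag example 2: 5 staging and 7 production VMs of one app."""
    return ([(f"stg-{i}", {"application_uid": "0123456789", "role": "staging"}) for i in range(5)]
            + [(f"prd-{i}", {"application_uid": "0123456789", "role": "production"}) for i in range(7)])


if __name__ == "__main__":
    for name, members in assign_custom_groups(sample_vms_example_1(), [["application_uid"]]).items():
        print(name, len(members))
    for name, members in assign_custom_groups(sample_vms_example_2(), [["application_uid", "role"]]).items():
        print(name, len(members))
    print(is_excluded("AWS", {"wizexclude": "1"}), is_excluded("GCP", {"wizexclude": "1"}))
```

The ordering test is the one worth keeping in mind when you add a second definition: a broad definition such as `["role"]` listed first captures every VM that has a role tag, so the narrower `["application_uid", "role"]` definition below it never receives any members.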