Which AWS Permissions are needed to see ECR Enhanced Image Scan Findings

I recently enabled Enhanced Image Scanning for one of my ECR repositories on AWS.

My user can see the images in the repository and next to each image there is a "See findings" link. When I click on the link, another page opens that shows all the findings of that image.

I am trying to give permission to another IAM user to see these findings. That user already can see the repository and the images. The user can even see the "See findings" link for each image. Clicking on that link opens the new page as expected, but the page is empty. It says "No scan Findings".


I gave the user all ECR List and Read permissions as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "ecr:DescribeImageScanFindings",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetDownloadUrlForLayer",
                "ecr:DescribeRegistry",
                "ecr:DescribePullThroughCacheRules",
                "ecr:DescribeImageReplicationStatus",
                "ecr:GetAuthorizationToken",
                "ecr:ListTagsForResource",
                "ecr:ListImages",
                "ecr:BatchGetRepositoryScanningConfiguration",
                "ecr:GetRegistryScanningConfiguration",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicy"
            ],
            "Resource": "*"
        }
    ]
}

Please note that these permissions already include "ecr:DescribeImageScanFindings" yet the user still can't see the findings.

Which IAM permissions should I give this user to make these findings visible?

e-mre asked Oct 19 '25 03:10
1 Answer

Solved it by trial and error. Turns out some permissions from inspector and inspector2 services were also needed. Adding the following as an inline policy made the findings visible:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "inspector2:ListCoverageStatistics",
                "inspector2:ListFindings",
                "inspector2:ListFindingAggregations",
                "inspector2:ListCoverage",
                "inspector2:GetFindingsReportStatus",
                "inspector:ListFindings",
                "inspector:DescribeFindings"
            ],
            "Resource": "*"
        }
    ]
}

Please note that my IAM user already had read and list permissions on ECR.

e-mre answered Oct 22 '25 02:10
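The answer's point is that the console's "See findings" page for enhanced scanning is backed by Amazon Inspector, so ECR read permissions alone leave the page empty. The following is an added example (not code from the original post) of a small policy linter that takes one or more IAM policy documents and reports which of the actions the thread identifies as necessary are still not granted. It assumes a simplified model of IAM evaluation: explicit Deny wins over Allow, Action wildcards (`*` and `?`) and the NotAction form are honoured, but Resource ARNs and Condition blocks are ignored. The two policy documents inside it are constructed to mirror the ECR read policy from the question (abbreviated) and the inline Inspector policy from the answer.

```python
"""Lint IAM policies for the actions needed to view ECR enhanced scan findings.

Added example, not from the original post.  REQUIRED_ACTIONS comes from the
question (ecr:DescribeImageScanFindings) and the answer (the inspector and
inspector2 actions the poster found necessary).  Evaluation is a simplified
model of IAM: Allow/Deny, action wildcards and NotAction are handled;
Resource ARNs and Conditions are ignored, so this is a quick gap check, not
a replacement for the IAM policy simulator.
"""
import fnmatch

# Actions the console path needs: the ECR call plus the Inspector calls
# listed in the answer.
REQUIRED_ACTIONS = (
    "ecr:DescribeImageScanFindings",
    "inspector2:ListFindings",
    "inspector2:ListFindingAggregations",
    "inspector2:ListCoverage",
    "inspector2:ListCoverageStatistics",
    "inspector2:GetFindingsReportStatus",
    "inspector:ListFindings",
    "inspector:DescribeFindings",
)

# Constructed policy documents mirroring the thread.  The ECR policy is
# abbreviated to the read actions relevant here.
ECR_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecr:DescribeImageScanFindings", "ecr:DescribeImages",
                   "ecr:ListImages", "ecr:DescribeRepositories"],
        "Resource": "*",
    }],
}

INSPECTOR_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "inspector2:ListCoverageStatistics", "inspector2:ListFindings",
            "inspector2:ListFindingAggregations", "inspector2:ListCoverage",
            "inspector2:GetFindingsReportStatus",
            "inspector:ListFindings", "inspector:DescribeFindings",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a single string or object where a list is also accepted."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction element applies to `action`."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def action_allowed(policies, action):
    """Explicit Deny wins; otherwise any Allow grants; default is implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_for_scan_findings(policies):
    """Return the required actions that the given policies do not grant."""
    return [a for a in REQUIRED_ACTIONS if not action_allowed(policies, a)]


if __name__ == "__main__":
    # With only the ECR read policy the Inspector actions are missing,
    # which matches the empty "See findings" page described in the question.
    print("ECR-only gaps:", missing_for_scan_findings([ECR_READ_POLICY]))
    # Adding the inline Inspector policy from the answer closes the gap.
    print("With Inspector policy gaps:",
          missing_for_scan_findings([ECR_READ_POLICY, INSPECTOR_READ_POLICY]))
```

Run it against the policy JSON attached to the user (for example the output of `aws iam get-user-policy`) to get a quick list of gaps before touching the console; an explicit Deny anywhere in the effective permission set will show up as a gap even if an Allow exists, which is the behaviour you want from such a check.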