Understanding the relationship between administrator and member accounts in Amazon Inspector - Amazon Inspector

When you use Amazon Inspector in a multiple-account environment, the Amazon Inspector delegated administrator account has access to certain metadata. This metadata includes Amazon EC2 and Amazon ECR configuration data and security finding results for member accounts. The administrator account can also create finding suppression rules that are applied to member accounts. For more information, see Suppressing Amazon Inspector findings with suppression rules.

An Amazon Inspector delegated administrator account can perform the following tasks for member accounts:

  • View and manage the status of Amazon Inspector for associated accounts, including activating and deactivating Amazon Inspector

  • Activate or deactivate scanning types for all member accounts in the organization

  • View aggregated finding data across the organization and finding details for all member accounts within the organization

  • Create and manage suppression rules that apply to findings for all accounts in the organization

  • Activate Amazon ECR enhanced scanning for all members of the organization

  • View resource coverage for the entire organization

  • Define the duration for automated re-scans of ECR container images for all member accounts in the organization. The delegated administrator’s scan duration setting overrides any setting a member account previously set. All accounts in the organization share the delegated administrator’s ECR automated re-scan duration; different re-scan durations cannot be set for individual accounts.
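As an added example (not code from the Amazon Inspector documentation), the following Python shows how a delegated administrator can audit the scan-type coverage of member accounts and derive the `Enable` calls needed to close the gaps. The response shape mirrors the Inspector2 `BatchGetAccountStatus` API as the author understands it; the sample response and account IDs are constructed, and the mapping between `Enable` resource types and `resourceState` keys is an assumption.

```python
"""Delegated-administrator audit: which member accounts lack a required scan type?

Added example, not part of the Amazon Inspector documentation. The response shape
follows the Inspector2 BatchGetAccountStatus API; SAMPLE_STATUS is constructed.
"""
from typing import Dict, List, Tuple

# Assumed mapping from the resource types accepted by the Inspector2 Enable API
# to the keys used in the BatchGetAccountStatus "resourceState" field.
RESOURCE_STATE_KEYS = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda"}


def missing_scan_types(status_response: dict,
                       required: Tuple[str, ...] = ("EC2", "ECR")) -> Dict[str, List[str]]:
    """Return {accountId: [required scan types that are not ENABLED]}.

    Accounts with every required type ENABLED are omitted. A resource type that is
    absent from resourceState is treated as not enabled (fail closed).
    """
    gaps: Dict[str, List[str]] = {}
    for account in status_response.get("accounts", []):
        state = account.get("resourceState", {})
        missing = [rt for rt in required
                   if state.get(RESOURCE_STATE_KEYS[rt], {}).get("status") != "ENABLED"]
        if missing:
            gaps[account["accountId"]] = missing
    return gaps


def enable_requests(gaps: Dict[str, List[str]]) -> List[dict]:
    """Group accounts by their missing types so each group is one Enable call
    (accountIds + resourceTypes), as the delegated administrator would issue it."""
    grouped: Dict[Tuple[str, ...], List[str]] = {}
    for account_id, types in gaps.items():
        grouped.setdefault(tuple(types), []).append(account_id)
    return [{"accountIds": sorted(ids), "resourceTypes": list(types)}
            for types, ids in sorted(grouped.items())]


# Constructed sample: one member fully covered, one missing ECR, one missing both.
SAMPLE_STATUS = {
    "accounts": [
        {"accountId": "111111111111", "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"}}},
        {"accountId": "222222222222", "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "DISABLED"}}},
        {"accountId": "333333333333", "resourceState": {"ec2": {"status": "DISABLED"}, "ecr": {"status": "DISABLED"}}},
    ],
    "failedAccounts": [],
}

if __name__ == "__main__":
    for request in enable_requests(missing_scan_types(SAMPLE_STATUS)):
        print(request)  # each dict is the argument set for one inspector2 Enable call
```

Against a live delegated-administrator session the same two functions apply to the output of `boto3.client("inspector2").batch_get_account_status(accountIds=[...])`, and each returned dict can be passed as keyword arguments to `client.enable(...)`.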

Member accounts within an organization can also perform the following tasks in Amazon Inspector:

  • Activate Amazon Inspector for their own account

  • View resource coverage for their own account

  • View findings details for their own account

  • View the ECR container image automated re-scan duration setting for their own account

Note

Once activated, Amazon Inspector can be deactivated only by a delegated administrator account.