Understanding the relationship between administrator and member accounts in Amazon Inspector - Amazon Inspector

When you use Amazon Inspector in a multiple-account environment, the Amazon Inspector delegated administrator account has access to certain metadata. This metadata includes Amazon EC2 and Amazon ECR configuration data and security finding results for member accounts. The administrator account can also create finding suppression filters that are applied to member accounts. For more information about suppression filters, see Suppressing Amazon Inspector findings with suppression rules.

An Amazon Inspector delegated administrator account performs the following tasks for member accounts:

  • View and manage the status of Amazon Inspector for associated accounts, including enabling and disabling Amazon Inspector

  • Enable or disable scanning types for all member accounts in the organization

  • View aggregated finding data across the organization and finding details for all member accounts within the organization

  • Create and manage suppression rules that apply to findings for all accounts in the organization

  • Enable Amazon ECR enhanced scanning for all members of the organization

  • View resource coverage for the entire organization

  • Define the duration for automated re-scans of ECR container images for all member accounts in the organization. The delegated administrator's scan duration setting overrides any setting a member account had set previously. All accounts in the organization share the delegated administrator's ECR automated re-scan duration; different re-scan durations cannot be set for individual accounts.
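Because the delegated administrator is the only account that sees status and coverage for every member, a routine posture check from that account is the natural place to catch members where Amazon Inspector or a scan type is not enabled. The following script is an added example, not code from the Amazon Inspector documentation; it parses a constructed response in the shape returned by `aws inspector2 batch-get-account-status` (the account IDs, the `ACCESS_DENIED` failure entry and the `REQUIRED` scan types are assumptions for illustration) and reports which members the administrator still needs to enable, grouped by resource type as `aws inspector2 enable --resource-types` expects them.

```python
import json

# Constructed sample in the shape of a BatchGetAccountStatus response.
# Account IDs and the failed-account entry are placeholders, not real data.
SAMPLE_STATUS = json.loads("""
{
  "accounts": [
    {"accountId": "111111111111",
     "state": {"status": "ENABLED"},
     "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"}}},
    {"accountId": "222222222222",
     "state": {"status": "ENABLED"},
     "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "DISABLED"}}},
    {"accountId": "333333333333",
     "state": {"status": "DISABLED"},
     "resourceState": {"ec2": {"status": "DISABLED"}, "ecr": {"status": "DISABLED"}}}
  ],
  "failedAccounts": [
    {"accountId": "444444444444", "errorCode": "ACCESS_DENIED",
     "errorMessage": "constructed example error"}
  ]
}
""")

# Scan types the organization expects on every member (assumption for this example).
REQUIRED = ("ec2", "ecr")


def find_coverage_gaps(response, required=REQUIRED):
    """Return {accountId: [reasons]} for members that do not meet the policy.

    A member is flagged when Inspector itself is not ENABLED, when any required
    scan type is not ENABLED, or when its status could not be retrieved at all
    (a failed lookup is a gap too: the administrator cannot verify that account).
    """
    gaps = {}
    for acct in response.get("accounts", []):
        reasons = []
        if acct.get("state", {}).get("status") != "ENABLED":
            reasons.append("inspector not enabled")
        for scan in required:
            status = acct.get("resourceState", {}).get(scan, {}).get("status", "MISSING")
            if status != "ENABLED":
                reasons.append(f"{scan} scanning {status}")
        if reasons:
            gaps[acct["accountId"]] = reasons
    for failed in response.get("failedAccounts", []):
        gaps[failed["accountId"]] = [f"status lookup failed: {failed.get('errorCode')}"]
    return gaps


def enable_plan(response, required=REQUIRED):
    """Map each scan type (upper-cased, as the CLI --resource-types value) to the
    member accounts where the delegated administrator still has to enable it."""
    plan = {scan.upper(): [] for scan in required}
    for acct in response.get("accounts", []):
        for scan in required:
            status = acct.get("resourceState", {}).get(scan, {}).get("status")
            if status != "ENABLED":
                plan[scan.upper()].append(acct["accountId"])
    return plan


if __name__ == "__main__":
    for account, reasons in find_coverage_gaps(SAMPLE_STATUS).items():
        print(f"{account}: {'; '.join(reasons)}")
    for resource_type, accounts in enable_plan(SAMPLE_STATUS).items():
        if accounts:
            print(f"enable {resource_type} for: {' '.join(accounts)}")
```

Run from the delegated administrator account, the script's input would come from `aws inspector2 batch-get-account-status --account-ids <member ids>`; the `enable_plan` output maps directly onto `aws inspector2 enable --account-ids ... --resource-types ...`, which only the delegated administrator can run for other members, consistent with the note below that member accounts cannot disable Amazon Inspector themselves.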

Member accounts within an organization can also perform the following tasks in Amazon Inspector:

  • Enable Amazon Inspector for their own account

  • View resource coverage for their own account

  • View findings details for their own account

  • View the ECR container image automated re-scan duration setting for their own account

Note

Once enabled, Amazon Inspector can only be disabled by a delegated administrator account.