Encryption at rest - Amazon Inspector

Encryption at rest

Amazon Inspector securely stores your data at rest using AWS encryption solutions by default. Amazon Inspector encrypts data, such as resource inventory collected using AWS Systems Manager, resource inventory parsed from Amazon ECR images, and generated security findings, using AWS owned encryption keys from AWS Key Management Service (AWS KMS). You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data.. For more information see AWS owned keys.

If you disable Amazon Inspector, it permanently deletes all resources that it stores or maintains for you, such as collected inventory and security findings.

Encryption at rest for code in your findings

For Amazon Inspector Lambda code scanning, Amazon Inspector partners with CodeGuru to scan your code for vulnerabilities. When a vulnerability is detected CodeGuru extracts a snippet of your code containing the vulnerability and stores that code until Amazon Inspector requests access. By default CodeGuru uses an AWS owned key to encrypt the extracted code, however, you can configure Amazon Inspector to use your own customer managed AWS KMS key for encryption.

The following work flow explains how Amazon Inspector uses the key you configure to encrypt your code:

  1. You supply a AWS KMS key to Amazon Inspector using the Amazon Inspector UpdateEncryptionKey API.

  2. Amazon Inspector forwards the information about your AWS KMS key to CodeGuru. CodeGuru stores the information for future use.

  3. CodeGuru requests a grant from AWS KMS for the key you configured in Amazon Inspector.

  4. CodeGuru creates an encrypted data key from your AWS KMS key and stores it. This data key is used to encrypt your code data stored by CodeGuru.

  5. Whenever Amazon Inspector requests data from code scans CodeGuru uses the grant to decrypt the encrypted data key, then uses that key to decrypt the data so it can be retrieved.

When you disable Lambda code scanning CodeGuru retires the grant and deletes the associated data key.

Permissions for code encryption with a customer managed key

To use encryption you need to have a policy that allows access to AWS KMS actions, as well as a statement that grants Amazon Inspector and CodeGuru permissions to use those actions through condition keys.

If you are setting, updating, or resetting the encryption key for your account you will need to use an Amazon Inspector administrator policy, such as AWS managed policy: AmazonInspector2FullAccess. You will also need to grant the following permissions to read-only users who need to retrieve code snippets from findings or data about the key chosen for encryption.

For KMS, the policy must allow you to perform the following actions:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKeyWithoutPlainText

  • kms:Encrypt

  • kms:RetireGrant

Once you've verified that you have the correct AWS KMS permissions in your policy, you must attach a statement that allows Amazon Inspector and CodeGuru to use your key for encryption. Attach the following policy statement:


Replace Region with the AWS Region you have Amazon Inspector Lambda code scanning enabled in.

{ "Sid": "allow CodeGuru Security to request a grant for a AWS KMS key", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "kms:GrantOperations": [ "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "Encrypt", "Decrypt", "RetireGrant", "DescribeKey" ] }, "StringEquals": { "kms:ViaService": [ "codeguru-security.Region.amazonaws.com" ] } } }, { "Sid": "allow Amazon Inspector and CodeGuru Security to use your AWS KMS key", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:RetireGrant", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": [ "inspector2.Region.amazonaws.com", "codeguru-security.Region.amazonaws.com" ] } } }

When you add the statement, ensure that the syntax is valid. Policies use JSON format. This means that you need to add a comma before or after the statement, depending on where you add the statement to the policy. If you add the statement as the last statement, add a comma after the closing brace for the preceding statement. If you add it as the first statement or between two existing statements, add a comma after the closing brace for the statement.

Configuring encryption with a customer managed key

To configure encryption for your account using a customer managed key you must be an Amazon Inspector administrator with the permissions outlined in Permissions for code encryption with a customer managed key. Additionally you will need a AWS KMS key in the same AWS Region as your findings, or a multi-region key. You can use an existing symmetric key in your account or create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs. For more information see Creating symmetric encryption AWS KMS keys in the AWS KMS user guide.

Using the Amazon Inspector API to configure encryption

To set a key for encryption the UpdateEncryptionKey operation of the Amazon Inspector API while signed in as an Amazon Inspector administrator. In the API request, use the kmsKeyId field to specify the ARN of the AWS KMS key you want to use. For scanType enter CODE and for resourceType enter AWS_LAMBDA_FUNCTION.

You can use UpdateEncryptionKey API to check view which AWS KMS key Amazon Inspector is using for encryption.


If you attempt to use GetEncryptionKey when you haven't set a customer managed key the operation returns a ResourceNotFoundException error which means that an AWS owned key is being used for encryption.

If you delete or the key or change it's policy to deny access to Amazon Inspector or CodeGuru you will be unable to access your code vulnerability findings and Lambda code scanning will fail for your account.

You can use ResetEncryptionKey to resume using an AWS owned key to encrypt code extracted as part of your Amazon Inspector findings.