AWS managed policies for Amazon Inspector

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AmazonInspector2FullAccess

You can attach the AmazonInspector2FullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to Amazon Inspector.

Permissions details

This policy includes the following permissions.

  • inspector2 – Allows full access to Amazon Inspector functionality.

  • iam – Allows Amazon Inspector to create the service-linked role, AmazonInspector2AgentlessServiceRole. This is required so that Amazon Inspector can perform operations such as retrieving information about your Amazon EC2 instances and Amazon ECR repositories and container images, analyzing your VPC network, and describing accounts associated with your organization. For more information, see Using service-linked roles for Amazon Inspector.

  • organizations – Allows administrators to use Amazon Inspector for an organization in AWS Organizations. After activating trusted access for Amazon Inspector in AWS Organizations, members of the delegated administrator account can manage settings and view findings across their organization.

  • codeguru-security – Allows administrators to use Amazon Inspector to retrieve code snippets and change encryption settings for code stored by CodeGuru Security. For more information, see Encryption at rest for code in your findings.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "inspector2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:BatchGetFindings",
        "codeguru-security:GetAccountConfiguration",
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "inspector2.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AmazonInspector2ReadOnlyAccess

You can attach the AmazonInspector2ReadOnlyAccess policy to your IAM identities.

This policy grants permissions that allow read-only access to Amazon Inspector.

Permissions details

This policy includes the following permissions.

  • inspector2 – Allows read-only access to Amazon Inspector functionality.

  • organizations – Allows viewing details about Amazon Inspector coverage for an organization in AWS Organizations.

  • codeguru-security – Allows code snippets to be retrieved from CodeGuru Security. Also allows encryption settings for your code stored in CodeGuru Security to be viewed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "inspector2:BatchGet*",
        "inspector2:List*",
        "inspector2:Describe*",
        "inspector2:Get*",
        "inspector2:Search*",
        "codeguru-security:BatchGetFindings",
        "codeguru-security:GetAccountConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
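To see what the FullAccess and ReadOnlyAccess documents above actually grant before attaching either, here is an added Python example (not AWS code) that embeds both policies and evaluates a request using the constructs these two documents rely on: Allow statements, action names matched case-insensitively with "*" wildcards, and a StringEquals condition. Deny, NotAction and Resource matching are not modelled; the action names ListFindings and Enable used to exercise it are assumed Inspector actions that do not appear on this page.

```python
import fnmatch

# Policy documents copied from the two managed policies above.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "inspector2:*", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "codeguru-security:BatchGetFindings", "codeguru-security:GetAccountConfiguration",
        "codeguru-security:UpdateAccountConfiguration"]},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": "inspector2.amazonaws.com"}}},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount",
        "organizations:DescribeOrganization"]}]}

READ_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount",
        "organizations:DescribeOrganization", "inspector2:BatchGet*", "inspector2:List*",
        "inspector2:Describe*", "inspector2:Get*", "inspector2:Search*",
        "codeguru-security:BatchGetFindings", "codeguru-security:GetAccountConfiguration"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, context):
    # Only StringEquals occurs above; refuse other operators instead of ignoring them.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True

def is_allowed(policy, action, context=None):
    """True if an Allow statement matches `action` (IAM compares action names case-insensitively, with '*'/'?' wildcards) and its Condition holds."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if _condition_met(stmt.get("Condition", {}), context):
                return True
    return False
```

The `context` argument stands in for the request's condition keys, so `iam:CreateServiceLinkedRole` is only allowed when `iam:AWSServiceName` is `inspector2.amazonaws.com`, exactly as the FullAccess statement intends.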

AWS managed policy: AmazonInspector2ManagedCisPolicy

You can attach the AmazonInspector2ManagedCisPolicy policy to your IAM entities. This policy should be attached to a role that grants permissions to your Amazon EC2 instances to run CIS scans of the instance. You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.

Permissions details

This policy includes the following permissions.

  • inspector2 – Allows access to actions used to run CIS scans.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "inspector2:StartCisSession",
        "inspector2:StopCisSession",
        "inspector2:SendCisSessionTelemetry",
        "inspector2:SendCisSessionHealth"
      ],
      "Resource": "*"
    }
  ]
}
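The instance-profile setup described above (role trusted by EC2, managed policy attached, profile associated with the instance) as an added Python example using boto3 client calls; it is not AWS code. The role name, the instance ID and the fake clients in the usage are constructed, and the policy ARN follows the standard form for AWS managed policies.

```python
import json

# Standard ARN form for an AWS managed policy, with the name from this page.
CIS_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonInspector2ManagedCisPolicy"

# Trust policy: only the EC2 service may assume the role, so the credentials are
# obtained through the instance profile rather than as access keys on the instance.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def attach_cis_scan_profile(iam, ec2, instance_id, name="InspectorCisScanRole"):
    """Create a role and instance profile carrying AmazonInspector2ManagedCisPolicy
    and associate the profile with `instance_id`. `iam` and `ec2` are boto3 clients
    (or any objects exposing the same method names). Returns the profile name."""
    iam.create_role(RoleName=name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.attach_role_policy(RoleName=name, PolicyArn=CIS_POLICY_ARN)
    # Using the same name for role and profile keeps the pairing obvious in audits.
    iam.create_instance_profile(InstanceProfileName=name)
    iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=name)
    # IAM is eventually consistent: wait until the profile is visible before EC2 uses it.
    iam.get_waiter("instance_profile_exists").wait(InstanceProfileName=name)
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": name},
                                       InstanceId=instance_id)
    return name
```

In a real account pass `boto3.client("iam")` and `boto3.client("ec2")`; the caller needs the IAM and EC2 permissions for these five calls, which this policy itself does not grant.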

AWS managed policy: AmazonInspector2ServiceRolePolicy

You can't attach the AmazonInspector2ServiceRolePolicy policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Inspector to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Inspector.

AWS managed policy: AmazonInspector2AgentlessServiceRolePolicy

You can't attach the AmazonInspector2AgentlessServiceRolePolicy policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Inspector to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Inspector.

Amazon Inspector updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Inspector since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Inspector Document history page.

Each entry below gives the change, a description of it, and the date it was made.

AmazonInspector2ManagedCisPolicy – New policy

Amazon Inspector has added a new managed policy that you can use as part of an instance profile to allow CIS scans on an instance.

January 23, 2024

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added new permissions that allow Amazon Inspector to start CIS scans on target instances.

January 23, 2024

AmazonInspector2AgentlessServiceRolePolicy – New policy

Amazon Inspector has added a new service-linked role policy to allow agentless scanning of EC2 instances.

November 27, 2023

AmazonInspector2ReadOnlyAccess – Updates to an existing policy

Amazon Inspector has added new permissions that allow read-only users to retrieve vulnerability intelligence details for package vulnerability findings.

September 22, 2023

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added new permissions that allow Amazon Inspector to scan network configurations of Amazon EC2 instances that are part of Elastic Load Balancing target groups.

August 31, 2023

AmazonInspector2ReadOnlyAccess – Updates to an existing policy

Amazon Inspector has added new permissions that allow read-only users to export Software Bill of Materials (SBOM) for their resources.

June 29, 2023

AmazonInspector2ReadOnlyAccess – Updates to an existing policy

Amazon Inspector has added new permissions that allow read-only users to retrieve details of encryption settings for Lambda code scanning findings for their account.

June 13, 2023

AmazonInspector2FullAccess – Updates to an existing policy

Amazon Inspector has added new permissions that allow users to configure a customer managed KMS key to encrypt code in findings from Lambda code scanning.

June 13, 2023

AmazonInspector2ReadOnlyAccess – Updates to an existing policy

Amazon Inspector has added new permissions that allow read-only users to retrieve details of Lambda code scanning status and findings for their account.

May 02, 2023

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added new permissions that allow Amazon Inspector to create AWS CloudTrail service-linked channels in your account when you activate Lambda scanning. This allows Amazon Inspector to monitor CloudTrail events in your account.

April 30, 2023

AmazonInspector2FullAccess – Updates to an existing policy

Amazon Inspector has added new permissions that allow users to retrieve details of code vulnerability findings from Lambda code scanning.

April 21, 2023

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added new permissions that allow Amazon Inspector to send information to Amazon EC2 Systems Manager about the custom paths a customer has defined for Amazon EC2 deep inspection.

April 17, 2023

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added new permissions that allow Amazon Inspector to request scans of the developer code in AWS Lambda functions, and receive scan data from Amazon CodeGuru Security. Additionally, Amazon Inspector has added permissions to review IAM policies. Amazon Inspector uses this information to scan Lambda functions for code vulnerabilities.

February 28, 2023

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added a new statement that allows Amazon Inspector to retrieve information from CloudWatch about when an AWS Lambda function was last invoked. Amazon Inspector uses this information to focus scans on the Lambda functions in your environment that have been active in the last 90 days.

February 20, 2023

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added a new statement that allows Amazon Inspector to retrieve information about AWS Lambda functions, including each layer version that is associated with each function. Amazon Inspector uses this information to scan Lambda functions for security vulnerabilities.

November 28, 2022

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has added a new action to allow Amazon Inspector to describe SSM association executions. Additionally, Amazon Inspector has added additional resource scoping to allow Amazon Inspector to create, update, delete, and start SSM associations with AmazonInspector2 owned SSM documents.

August 31, 2022

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has updated the resource scoping of the policy to allow Amazon Inspector to collect software inventory in other AWS partitions.

August 12, 2022

AmazonInspector2ServiceRolePolicy – Updates to an existing policy

Amazon Inspector has restructured the resource scoping of the actions allowing Amazon Inspector to create, delete, and update SSM associations.

August 10, 2022

AmazonInspector2ReadOnlyAccess – New policy

Amazon Inspector added a new policy to allow read-only access to Amazon Inspector functionality.

January 21, 2022

AmazonInspector2FullAccess – New policy

Amazon Inspector added a new policy to allow full access to Amazon Inspector functionality.

November 29, 2021

AmazonInspector2ServiceRolePolicy – New policy

Amazon Inspector added a new policy to allow Amazon Inspector to perform actions in other services on your behalf.

November 29, 2021

Amazon Inspector started tracking changes

Amazon Inspector started tracking changes for its AWS managed policies.

November 29, 2021