AWS inspector documentation change
Summary
Added new IAM policy statements for ECS ListClusters/ListTasks and EKS ListClusters access
Security assessment
Expands documentation for security permissions but does not indicate resolution of a security flaw.
Diff
diff --git a/inspector/latest/user/slr-permissions.md b/inspector/latest/user/slr-permissions.md index 76fe7b216..cce7f7b3e 100644 --- a/inspector/latest/user/slr-permissions.md +++ b/inspector/latest/user/slr-permissions.md @@ -40,0 +41,2 @@ The permissions policy for the role, which is named `AmazonInspector2ServiceRole + * Use Amazon ECS and Amazon EKS actions to allow read-only access to view clusters and tasks and describe tasks. + @@ -318,0 +321,30 @@ The role is configured with the following permissions policy. + }, + { + "Sid": "AllowListAccessToECSAndEKS", + "Effect": "Allow", + "Action": [ + "ecs:ListClusters", + "ecs:ListTasks", + "eks:ListClusters" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "AllowAccessToECSTasks", + "Effect": "Allow", + "Action": [ + "ecs:DescribeTasks" + ], + "Resource": "arn:aws:ecs:*:*:cluster/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + }