AWS inspector medium security documentation change
Summary
Updated Amazon Inspector service-linked role documentation to reference managed policy, added new EC2 permissions (DescribeAddresses, DescribeEgressOnlyInternetGateways), and restructured SSM DeleteAssociation permission with resource restriction
Security assessment
The change adds granular permissions (ec2:DescribeAddresses, ec2:DescribeEgressOnlyInternetGateways) and moves ssm:DeleteAssociation to a resource-restricted policy block (arn:aws:ssm:*:*:association/*), demonstrating improved least-privilege practices. This directly impacts security by reducing potential attack surface through more precise permission scoping.
Diff
diff --git a/inspector/latest/user/slr-permissions.md b/inspector/latest/user/slr-permissions.md index 464c6b126..e80d35afd 100644 --- a//inspector/latest/user/slr-permissions.md +++ b//inspector/latest/user/slr-permissions.md @@ -7 +7 @@ -Amazon Inspector uses the service-linked role named `AWSServiceRoleForAmazonInspector2`. This service-linked role trusts the `inspector2.amazonaws.com` service to assume the role. +Amazon Inspector uses the managed policy named [`AWSServiceRoleForAmazonInspector2`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonInspector2ServiceRolePolicy.html). This service-linked role trusts the `inspector2.amazonaws.com` service to assume the role. @@ -9 +9 @@ Amazon Inspector uses the service-linked role named `AWSServiceRoleForAmazonInsp -The permissions policy for the role, which is named `AmazonInspector2ServiceRolePolicy`, allows Amazon Inspector to perform tasks such as: +The permissions policy for the role, which is named [`AmazonInspector2ServiceRolePolicy`](https://docs.aws.amazon.com/inspector/latest/user/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonInspector2ServiceRolePolicy), allows Amazon Inspector to perform tasks such as: @@ -61,0 +62 @@ The role is configured with the following permissions policy. + "ec2:DescribeAddresses", @@ -63,0 +65 @@ The role is configured with the following permissions policy. + "ec2:DescribeEgressOnlyInternetGateways", @@ -155 +156,0 @@ The role is configured with the following permissions policy. - "ssm:DeleteAssociation", @@ -165,0 +167,10 @@ The role is configured with the following permissions policy. + { + "Sid": "GatherInventoryDeleteAssociation", + "Effect": "Allow", + "Action": [ + "ssm:DeleteAssociation" + ], + "Resource": [ + "arn:aws:ssm:*:*:association/*" + ] + },