AWS Security ChangesHomeSearch

AWS inspector medium security documentation change

Service: inspector · 2025-05-01 · Security-related medium

File: inspector/latest/user/slr-permissions.md

Summary

Updated Amazon Inspector service-linked role documentation to reference managed policy, added new EC2 permissions (DescribeAddresses, DescribeEgressOnlyInternetGateways), and restructured SSM DeleteAssociation permission with resource restriction

Security assessment

The change adds granular permissions (ec2:DescribeAddresses, ec2:DescribeEgressOnlyInternetGateways) and moves ssm:DeleteAssociation to a resource-restricted policy block (arn:aws:ssm:*:*:association/*), demonstrating improved least-privilege practices. This directly impacts security by reducing potential attack surface through more precise permission scoping.

Diff

diff --git a/inspector/latest/user/slr-permissions.md b/inspector/latest/user/slr-permissions.md
index 464c6b126..e80d35afd 100644
--- a//inspector/latest/user/slr-permissions.md
+++ b//inspector/latest/user/slr-permissions.md
@@ -7 +7 @@
-Amazon Inspector uses the service-linked role named `AWSServiceRoleForAmazonInspector2`. This service-linked role trusts the `inspector2.amazonaws.com` service to assume the role.
+Amazon Inspector uses the managed policy named [`AWSServiceRoleForAmazonInspector2`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonInspector2ServiceRolePolicy.html). This service-linked role trusts the `inspector2.amazonaws.com` service to assume the role. 
@@ -9 +9 @@ Amazon Inspector uses the service-linked role named `AWSServiceRoleForAmazonInsp
-The permissions policy for the role, which is named `AmazonInspector2ServiceRolePolicy`, allows Amazon Inspector to perform tasks such as:
+The permissions policy for the role, which is named [`AmazonInspector2ServiceRolePolicy`](https://docs.aws.amazon.com/inspector/latest/user/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonInspector2ServiceRolePolicy), allows Amazon Inspector to perform tasks such as:
@@ -61,0 +62 @@ The role is configured with the following permissions policy.
+    				"ec2:DescribeAddresses",
@@ -63,0 +65 @@ The role is configured with the following permissions policy.
+    				"ec2:DescribeEgressOnlyInternetGateways",
@@ -155 +156,0 @@ The role is configured with the following permissions policy.
-    				"ssm:DeleteAssociation",
@@ -165,0 +167,10 @@ The role is configured with the following permissions policy.
+    		{
+    			"Sid": "GatherInventoryDeleteAssociation",
+    			"Effect": "Allow",
+    			"Action": [
+    				"ssm:DeleteAssociation"
+    			],
+    			"Resource": [
+    				"arn:aws:ssm:*:*:association/*"
+    			]
+    		},