AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-07-04 · Documentation medium

File: inspector/latest/user/security-iam-awsmanpol.md

Summary

Added new AWS managed policy AmazonInspector2FullAccess_v2 with detailed IAM permissions for Inspector, CodeGuru Security, and Organizations integration

Security assessment

The change documents a new security-focused IAM policy with granular permissions for Amazon Inspector operations, including service-linked role creation and organization access controls. While this enhances security documentation, there's no indication it addresses a specific existing vulnerability.

Diff

diff --git a/inspector/latest/user/security-iam-awsmanpol.md b/inspector/latest/user/security-iam-awsmanpol.md
index 6598eb9fe..e93457322 100644
--- a//inspector/latest/user/security-iam-awsmanpol.md
+++ b//inspector/latest/user/security-iam-awsmanpol.md
@@ -5 +5 @@
-AmazonInspector2FullAccessAmazonInspector2ReadOnlyAccessAmazonInspector2ManagedCisPolicyAmazonInspector2ServiceRolePolicyAmazonInspector2AgentlessServiceRolePolicyPolicy updates
+AmazonInspector2FullAccess_v2AmazonInspector2FullAccessAmazonInspector2ReadOnlyAccessAmazonInspector2ManagedCisPolicyAmazonInspector2ServiceRolePolicyAmazonInspector2AgentlessServiceRolePolicyPolicy updates
@@ -16,0 +17,100 @@ For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM
+## AWS managed policy: AmazonInspector2FullAccess_v2
+
+You can attach the `AmazonInspector2FullAccess` policy to your IAM identities. 
+
+This policy grants full access to Amazon Inspector and access to other related services. 
+
+**Permissions details**
+
+This policy includes the following permissions. 
+
+  * `inspector2` – Allows complete access to Amazon Inspector APIs.
+
+  * `codeguru-security` – Allows administrators to retrieve security findings and configuration settings for an account. 
+
+  * `iam` – Allows Amazon Inspector to create the service-linked roles `AWSServiceRoleForAmazonInspector2` and `AWSServiceRoleForAmazonInspector2Agentless`. `AWSServiceRoleForAmazonInspector2` is required for Amazon Inspector to perform operations like retrieving information about Amazon EC2 instances, Amazon ECR repositories, and Amazon ECR container images. It's also required to decrypt Amazon EBS snapshots encrypted with AWS KMS keys. For more information, see [Using service-linked roles for Amazon Inspector](./using-service-linked-roles.html). 
+
+  * `organizations` – `AllowServicePrincipalBasedAccessToOrganizationApis` allows only service principals to create service-linked roles for AWS accounts, register an AWS account as a delegated administrator for an organization, and list delegated administrators in an organization. `AllowOrganizationalBasedAccessToOrganizationApis` allows the policy holder to retrieve information, specifically resource-level ARNs, about an organizational unit. `AllowAccountsBasedAccessToOrganizationApis` allows the policy holder to retrieve information, specifically resource-level ARNs, about an AWS account. `AllowAccessToOrganizationApis` allows the policy holder to view AWS services integrated with an organization and organization information. 
+
+
+
+    
+    
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "AllowFullAccessToInspectorApis",
+          "Effect" : "Allow",
+          "Action" : "inspector2:*",
+          "Resource" : "*"
+        },
+        {
+          "Sid" : "AllowAccessToCodeGuruApis",
+          "Effect" : "Allow",
+          "Action" : [
+            "codeguru-security:BatchGetFindings",
+            "codeguru-security:GetAccountConfiguration"
+          ],
+          "Resource" : "*"
+        },
+        {
+          "Sid" : "AllowAccessToCreateSlr",
+          "Effect" : "Allow",
+          "Action" : "iam:CreateServiceLinkedRole",
+          "Resource" : "*",
+          "Condition" : {
+            "StringEquals" : {
+              "iam:AWSServiceName" : [
+                "agentless.inspector2.amazonaws.com",
+                "inspector2.amazonaws.com"
+              ]
+            }
+          }
+        },
+        {
+          "Sid" : "AllowServicePrincipalBasedAccessToOrganizationApis",
+          "Effect" : "Allow",
+          "Action" : [
+            "organizations:EnableAWSServiceAccess",
+            "organizations:RegisterDelegatedAdministrator",
+            "organizations:ListDelegatedAdministrators"
+          ],
+          "Resource" : "*",
+          "Condition": {
+            "StringEquals": {
+              "organizations:ServicePrincipal": [
+                "inspector2.amazonaws.com",
+                "agentless.inspector2.amazonaws.com"
+              ]
+            }
+          }
+        },
+        {
+          "Sid" : "AllowOrganizationalBasedAccessToOrganizationApis",
+          "Effect" : "Allow",
+          "Action" : [
+            "organizations:DescribeOrganizationalUnit"
+          ],
+          "Resource" : "arn:*:organizations::*:ou/o-*/ou-*"
+        },
+        {
+          "Sid" : "AllowAccountsBasedAccessToOrganizationApis",
+          "Effect" : "Allow",
+          "Action" : [
+            "organizations:DescribeAccount"
+          ],
+          "Resource" : "arn:*:organizations::*:account/o-*/*"
+        },
+        {
+          "Sid" : "AllowAccessToOrganizationApis",
+          "Effect" : "Allow",
+          "Action" : [
+            "organizations:ListAWSServiceAccessForOrganization",
+            "organizations:DescribeOrganization"
+          ],
+          "Resource" : "*"
+        }
+      ]
+    }
+
@@ -175,0 +276 @@ Change | Description | Date
+AmazonInspector2FullAccess_v2 – New policy  |  Amazon Inspector has added a new managed policy that provides full access to Amazon Inspector and access to other related services.  | July 03, 2025