AWS inspector documentation change
Summary
Reorganized service-linked role permissions documentation by moving CodeGuru deprecation note, adding AWS Organizations and cross-account management permissions, and replacing inline JSON policy with a reference to AWS Managed Policy Guide.
Security assessment
The changes add documentation for cross-account security management capabilities (AWS Organizations integration, delegated administrators) which are security features. While CodeGuru permissions were removed due to deprecation, there is no evidence this addresses an active security vulnerability. The update improves security documentation clarity but doesn't directly resolve a disclosed security issue.
Diff
diff --git a/inspector/latest/user/slr-permissions.md b/inspector/latest/user/slr-permissions.md index 720e88d9f..bd76178c1 100644 --- a//inspector/latest/user/slr-permissions.md +++ b//inspector/latest/user/slr-permissions.md @@ -42,0 +43 @@ The permissions policy for the role, which is named [`AmazonInspector2ServiceRol + * Use AWS Organizations actions to list delegated administrators for Amazon Inspector across organizations. @@ -43,0 +45 @@ The permissions policy for the role, which is named [`AmazonInspector2ServiceRol + * Use Amazon Inspector actions to enable and disable Amazon Inspector across organizations. @@ -44,0 +47 @@ The permissions policy for the role, which is named [`AmazonInspector2ServiceRol + * Use Amazon Inspector actions to designate delegated administrator accounts and associate member accounts across organizations. @@ -46 +48,0 @@ The permissions policy for the role, which is named [`AmazonInspector2ServiceRol -###### Note @@ -48 +49,0 @@ The permissions policy for the role, which is named [`AmazonInspector2ServiceRol -Amazon Inspector no longer uses CodeGuru to perform Lambda scans. AWS will discontinue support for CodeGuru on November 20, 2025. For more information, see [End of support for CodeGuru Security](https://docs.aws.amazon.com/codeguru/latest/security-ug/end-of-support.html). Amazon Inspector now uses Amazon Q to perform Lambda scans and does not require the permissions described in this section. @@ -50,325 +50,0 @@ Amazon Inspector no longer uses CodeGuru to perform Lambda scans. AWS will disco -The role is configured with the following permissions policy. - -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Sid": "TirosPolicy", - "Effect": "Allow", - "Action": [ - "directconnect:DescribeConnections", - "directconnect:DescribeDirectConnectGatewayAssociations", - "directconnect:DescribeDirectConnectGatewayAttachments", - "directconnect:DescribeDirectConnectGateways", - "directconnect:DescribeVirtualGateways", - "directconnect:DescribeVirtualInterfaces", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeCustomerGateways", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeManagedPrefixLists", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePrefixLists", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTransitGatewayAttachments", - "ec2:DescribeTransitGatewayConnects", - "ec2:DescribeTransitGatewayPeeringAttachments", - "ec2:DescribeTransitGatewayRouteTables", - "ec2:DescribeTransitGatewayVpcAttachments", - "ec2:DescribeTransitGateways", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribeVpnConnections", - "ec2:DescribeVpnGateways", - "ec2:GetManagedPrefixListEntries", - "ec2:GetTransitGatewayRouteTablePropagations", - "ec2:SearchTransitGatewayRoutes", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeRules", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetHealth", - "network-firewall:DescribeFirewall", - "network-firewall:DescribeFirewallPolicy", - "network-firewall:DescribeResourcePolicy", - "network-firewall:DescribeRuleGroup", - "network-firewall:ListFirewallPolicies", - "network-firewall:ListFirewalls", - "network-firewall:ListRuleGroups", - "tiros:CreateQuery", - "tiros:GetQueryAnswer" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "PackageVulnerabilityScanning", - "Effect": "Allow", - "Action": [ - "ecr:BatchGetImage", - "ecr:BatchGetRepositoryScanningConfiguration", - "ecr:DescribeImages", - "ecr:DescribeRegistry", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRegistryScanningConfiguration", - "ecr:ListImages", - "ecr:PutRegistryScanningConfiguration", - "organizations:DescribeAccount", - "organizations:DescribeOrganization", - "organizations:ListAccounts", - "ssm:DescribeAssociation", - "ssm:DescribeAssociationExecutions", - "ssm:DescribeInstanceInformation", - "ssm:ListAssociations", - "ssm:ListResourceDataSync" - ], - "Resource": "*" - }, - { - "Sid": "LambdaPackageVulnerabilityScanning", - "Effect": "Allow", - "Action": [ - "lambda:ListFunctions", - "lambda:GetFunction", - "lambda:GetLayerVersion", - "lambda:ListTags", - "cloudwatch:GetMetricData" - ], - "Resource": "*" - }, - { - "Sid": "GatherInventory", - "Effect": "Allow", - "Action": [ - "ssm:CreateAssociation", - "ssm:StartAssociationsOnce", - "ssm:UpdateAssociation" - ], - "Resource": [ - "arn:aws:ec2:*:*:instance/*", - "arn:aws:ssm:*:*:document/AmazonInspector2-*", - "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory", - "arn:aws:ssm:*:*:managed-instance/*", - "arn:aws:ssm:*:*:association/*" - ] - }, - { - "Sid": "GatherInventoryDeleteAssociation", - "Effect": "Allow", - "Action": [ - "ssm:DeleteAssociation" - ], - "Resource": [ - "arn:aws:ssm:*:*:association/*" - ] - }, - { - "Sid": "DataSyncCleanup", - "Effect": "Allow", - "Action": [ - "ssm:CreateResourceDataSync", - "ssm:DeleteResourceDataSync" - ], - "Resource": [ - "arn:aws:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete" - ] - }, - { - "Sid": "ManagedRules", - "Effect": "Allow", - "Action": [ - "events:PutRule", - "events:DeleteRule", - "events:DescribeRule", - "events:ListTargetsByRule", - "events:PutTargets", - "events:RemoveTargets" - ], - "Resource": [ - "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule" - ] - }, - { - "Sid": "LambdaCodeVulnerabilityScanning", - "Effect": "Allow", - "Action": [ - "codeguru-security:CreateScan", - "codeguru-security:GetAccountConfiguration", - "codeguru-security:GetFindings", - "codeguru-security:GetScan", - "codeguru-security:ListFindings", - "codeguru-security:BatchGetFindings", - "codeguru-security:DeleteScansByCategory" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "CodeGuruCodeVulnerabilityScanning", - "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:GetRolePolicy",