AWS inspector medium security documentation change
Summary
Added organization policy governance model details, including policy-managed resource restrictions and scan configuration management rules.
Security assessment
Explicitly documents security controls where organization policies override delegated administrator privileges, preventing unauthorized changes to security scanning configurations. The error enforcement for policy-managed resources directly impacts security posture by maintaining centralized control.
Diff
diff --git a/inspector/latest/user/admin-member-relationship.md b/inspector/latest/user/admin-member-relationship.md index a972c6fcd..80f0f1a54 100644 --- a//inspector/latest/user/admin-member-relationship.md +++ b//inspector/latest/user/admin-member-relationship.md @@ -5 +5 @@ -Delegated administrator actionsMember account actions +Organization policy governance modelDelegated administrator actionsMember account actions @@ -10,0 +11,21 @@ When using Amazon Inspector in a multi-account environment, the delegated admini +## Organization policy governance model + +When AWS Organizations policies are used to enable Amazon Inspector, a governance model is enforced that determines which actions are permitted: + +**Policy-managed resources** + + +Resources explicitly enabled or disabled by organization policies cannot be modified by delegated administrators or member accounts. API requests to enable or disable policy-managed scan types will fail with a clear error indicating the resource is managed by organization policy. + +**Non-policy-managed resources** + + +Resources not specified in organization policies can be managed normally by delegated administrators and member accounts using the Amazon Inspector console or API. + +**Scan configuration management** + + +Delegated administrators can always configure scan settings such as EC2 scan modes, [deep inspection paths](https://docs.aws.amazon.com/inspector/latest/user/deep-inspection.html#deep-inspection-paths), and ECR re-scan durations, regardless of whether the resource types are policy-managed. Organization policies control only whether scanning is enabled, not how it operates. + +For more information about creating and managing Amazon Inspector organization policies, see the AWS Organizations documentation for Amazon Inspector policies. + @@ -48,0 +70,2 @@ If a member account leaves the organization, the delegated administrator will no + * When organization policies are in use, configure scan settings for policy-managed resources but cannot enable or disable the policy-managed scan types themselves. + @@ -75,0 +99,2 @@ A member account can view and retrieve information about their account in Amazon + * Enable scan types that are not managed by organization policies. Policy-managed scan types cannot be enabled or disabled by member accounts. +