AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-11-22 · Documentation medium

File: inspector/latest/user/getting_started_tutorial.md

Summary

Expanded multi-account activation documentation with AWS Organizations policy integration, added prerequisites, detailed policy enforcement steps, and clarified delegated administrator requirements

Security assessment

The changes enhance documentation about centralized security governance through AWS Organizations policies, enforcing scan types and preventing member accounts from disabling security scanning. While this improves security posture management, there's no evidence of addressing a specific existing vulnerability.

Diff

diff --git a/inspector/latest/user/getting_started_tutorial.md b/inspector/latest/user/getting_started_tutorial.md
index 3e861a605..2be49df0e 100644
--- a//inspector/latest/user/getting_started_tutorial.md
+++ b//inspector/latest/user/getting_started_tutorial.md
@@ -25 +25 @@ When you activate Amazon Inspector for a standalone account, [all scan types](ht
-Multi-account environment
+Multi-account (with AWS Organizations policy)
@@ -28 +28,58 @@ Multi-account environment
-The following procedure describes how to activate Amazon Inspector in the console for a delegated administrator account. To programatically activate Amazon Inspector for multiple accounts, use the Amazon Inspector [inspector2-enablement-with-cli](https://github.com/aws-samples/inspector2-enablement-with-cli) shell script. 
+AWS Organizations policies provide centralized governance for enabling Amazon Inspector across your organization. When you use an organization policy, Amazon Inspector enablement is automatically managed for all accounts covered by the policy, and member accounts cannot modify policy-managed scanning using Amazon Inspector API. 
+
+**Prerequisites**
+
+  * Your account must be part of an AWS Organizations organization. 
+
+  * You must have permissions to create and manage organization policies in AWS Organizations. 
+
+  * Trusted access for Amazon Inspector must be enabled in AWS Organizations. For instructions, see [Enabling trusted access for Amazon Inspector](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-inspector2.html#integrate-enable-ta-inspector2) in the _AWS Organizations User Guide_. 
+
+  * The Amazon Inspector service-linked roles should exist in the management account. To create them, enable Amazon Inspector in the management account or run the following commands from the management account: 
+
+    * `aws iam create-service-linked-role --aws-service-name inspector2.amazonaws.com`
+
+    * `aws iam create-service-linked-role --aws-service-name agentless.inspector2.amazonaws.com`
+
+  * An Amazon Inspector delegated administrator should be designated. 
+
+
+
+
+###### Note
+
+Without the service-linked Amazon Inspector roles of management account and delegated administrator, organization policies will enforce Amazon Inspector enablement, but member accounts will not be associated with the Amazon Inspector organization for centralized findings and account management. 
+
+###### To enable Amazon Inspector using AWS Organizations policies
+
+  1. Designate a delegated administrator for Amazon Inspector before creating organization policies to ensure member accounts are associated with the Amazon Inspector organization for centralized findings visibility. Sign in to the AWS Organizations management account, open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home), and follow the steps in [Designating a delegated administrator for your AWS organization](./designating-admin.html#delegated-admin-proc). 
+
+###### Note
+
+We strongly recommend keeping your AWS Organizations Amazon Inspector delegated administrator account ID and Amazon Inspector designated delegated administrator account ID the same. If the AWS Organizations delegated administrator account ID differs from the Amazon Inspector delegated administrator account ID, Amazon Inspector prioritizes the Inspector-designated account ID. When the Amazon Inspector delegated administrator is not set but the AWS Organizations delegated administrator is set and the management account has the Amazon Inspector service-linked roles, Amazon Inspector automatically assigns the AWS Organizations delegated administrator account ID as the Amazon Inspector delegated administrator. 
+
+  2. In the Amazon Inspector console, navigate to **General settings** from the management account. Under **Delegation policy** , choose **Attach statement**. In the **Attach policy statement** dialog, review the policy, select **I acknowledge that I have reviewed the policy and understand the permissions it grants** , and then choose **Attach statement**. 
+
+###### Important
+
+The management account must have the following permissions to attach the delegation policy statement: 
+
+     * Amazon Inspector permissions from the [AmazonInspector2FullAccess_v2](https://docs.aws.amazon.com/inspector/latest/user/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonInspector2FullAccessV2) managed policy 
+
+     * AWS Organizations `organizations:PutResourcePolicy` permission from the [AWSOrganizationsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsFullAccess.html) managed policy 
+
+If the `organizations:PutResourcePolicy` permission is missing, the operation fails with the error: `Failed to attach statement to the delegation policy`. 
+
+  3. Create an Amazon Inspector policy in AWS Organizations that specifies which scan types to enable and in which regions. For detailed instructions on creating Amazon Inspector policies, including policy syntax and examples, see the AWS Organizations documentation for Amazon Inspector policies. 
+
+  4. Attach the Amazon Inspector policy to your organization root, organizational units, or specific accounts based on your governance requirements. 
+
+  5. (Optional) Verify that the policy has been applied. Policy application is asynchronous and may take from a few seconds to several hours depending on your organization size. In the delegated administrator's Amazon Inspector console, navigate to **Account management**. Under **Organization** , view each member account and their enablement status. For accounts enabled through AWS Organizations policies, the **Activated** indicator for each scan type will show whether it is policy-managed. 
+
+
+
+
+When Amazon Inspector is enabled through organization policies, accounts covered by the policy cannot disable the policy-managed scan types through the Amazon Inspector API or console. For detailed information about what delegated administrators and member accounts can and cannot do under organization policies, see [Managing multiple accounts in Amazon Inspector with AWS Organizations](./managing-multiple-accounts.html). 
+
+Multi-account (without AWS Organizations policy)
+