AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-11-22 · Documentation low

File: inspector/latest/user/managing-multiple-accounts.md

Summary

Added documentation about two multi-account management approaches (AWS Organizations policy-based and non-policy-based) and their interaction. Clarified policy enforcement precedence over scan type enablement.

Security assessment

The change clarifies security governance models for multi-account management but does not address a specific vulnerability. It enhances documentation about security feature configuration (scan type enforcement through policies).

Diff

diff --git a/inspector/latest/user/managing-multiple-accounts.md b/inspector/latest/user/managing-multiple-accounts.md
index 34dcac9a9..a6cd36ca7 100644
--- a//inspector/latest/user/managing-multiple-accounts.md
+++ b//inspector/latest/user/managing-multiple-accounts.md
@@ -7 +7,10 @@
-You can use Amazon Inspector to manage multiple accounts in [an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). To do this, you must activate Amazon Inspector with the AWS Organizations management account and specify a delegated administrator. The delegated administrator manages Amazon Inspector for an organization and can perform [tasks](https://docs.aws.amazon.com/inspector/latest/user/admin-member-relationship.html) on behalf of the organization. The following topics describe the difference between a delegated administrator account and member account, how to designate and remove a delegated administrator, and how to manage member accounts. 
+You can use Amazon Inspector to manage multiple accounts in [an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). Amazon Inspector supports two approaches for multi-account management: 
+
+  * **Delegated administrator for AWS Organizations policies** \- Provides centralized governance to delegated administrator with automatic enablement of Amazon Inspector across organization accounts across regions. Organization policies enforce which scan types are enabled and take precedence over non policy managed delegated administrator and member account enablements. 
+
+  * **Delegated administrator for non AWS Organizations policy** \- An account designated to manage Amazon Inspector for the organization without using organization policies. The delegated administrator can enable Amazon Inspector for member accounts and configure scan settings. 
+
+
+
+
+These approaches can be used together. When organization policies are in place, they control resource type enablement (which scan types are enabled), while delegated administrators retain control over scan configuration settings such as scan modes and deep inspection paths. The following topics describe these management approaches, how to designate a delegated administrator, and how to manage member accounts.