AWS inspector documentation change
Summary
Added documentation for new AWS managed policy AWSInspector2OrganizationsAccess which handles organizational permissions for Amazon Inspector
Security assessment
The change introduces documentation for a new IAM policy that manages organizational access controls for Amazon Inspector. While this relates to security permissions management, there is no evidence of addressing an existing security vulnerability or incident. The policy focuses on enabling proper organizational delegation and access management as a security best practice.
Diff
diff --git a/inspector/latest/user/security-iam-awsmanpol.md b/inspector/latest/user/security-iam-awsmanpol.md index 1a81946e1..09bcc2b3a 100644 --- a//inspector/latest/user/security-iam-awsmanpol.md +++ b//inspector/latest/user/security-iam-awsmanpol.md @@ -5 +5 @@ -AmazonInspector2FullAccess_v2AmazonInspector2FullAccessAmazonInspector2ReadOnlyAccessAmazonInspector2ManagedCisPolicyAmazonInspector2ServiceRolePolicyAmazonInspector2AgentlessServiceRolePolicyAmazonInspector2ManagedTelemetryPolicyPolicy updates +AmazonInspector2FullAccess_v2AWSInspector2OrganizationsAccessAmazonInspector2FullAccessAmazonInspector2ReadOnlyAccessAmazonInspector2ManagedCisPolicyAmazonInspector2ServiceRolePolicyAmazonInspector2AgentlessServiceRolePolicyAmazonInspector2ManagedTelemetryPolicyPolicy updates @@ -43,0 +44,75 @@ To review the permissions for this policy, see [AmazonInspector2FullAccess_v2](h +## AWS managed policy: AWSInspector2OrganizationsAccess + +You can attach the `AWSInspector2OrganizationsAccess` policy to your IAM identities. + +This policy grants administrative permissions to enable and manage Amazon Inspector for an organization in AWS Organizations. The permissions for this policy allow the organization management account to designate the delegated administrator account for Amazon Inspector. They also allow the delegated administrator account to enable organization accounts as member accounts. + +This policy only provides permissions for AWS Organizations. The organization management account and delegated administrator account also require permissions for associated actions. These permissions can be granted using the `AmazonInspector2FullAccess_v2` managed policy. + +**Permissions details** + +This policy includes the following permissions. + + * `organizations:ListAccounts` – Allows principals to retrieve the list of accounts that are part of an organization. + + * `organizations:DescribeOrganization` – Allows principals to retrieve information about the organization. + + * `organizations:ListRoots` – Allows principals to list the root of an organization. + + * `organizations:ListDelegatedAdministrators` – Allows principals to list the delegated administrator of an organization. + + * `organizations:ListAWSServiceAccessForOrganization` – Allows principals to list the AWS services that an organization uses. + + * `organizations:ListOrganizationalUnitsForParent` – Allows principals to list the child organizational units (OU) of a parent OU. + + * `organizations:ListAccountsForParent` – Allows principals to list the child accounts of a parent OU. + + * `organizations:ListParents` – Lists the root or organizational units (OUs) that serve as the immediate parent of the specified child OU or account. + + * `organizations:DescribeAccount` – Allows principals to retrieve information about an account in the organization. + + * `organizations:DescribeOrganizationalUnit` – Allows principals to retrieve information about an OU in the organization. + + * `organizations:ListPolicies` – Retrieves the list of all policies in an organization of a specified type. + + * `organizations:ListPoliciesForTarget` – Lists the policies that are directly attached to the specified target root, organizational unit (OU), or account. + + * `organizations:ListTargetsForPolicy` – Lists all the roots, organizational units (OUs), and accounts that the specified policy is attached to. + + * `organizations:DescribeResourcePolicy` – Retrieves information about a resource policy. + + * `organizations:EnableAWSServiceAccess` – Allows principals to enable the integration with Organizations. + + * `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account. + + * `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account. + + * `organizations:DescribePolicy` – Retrieves information about a policy. + + * `organizations:DescribeEffectivePolicy` – Returns the contents of the effective policy for specified policy type and account. + + * `organizations:CreatePolicy` – Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account. + + * `organizations:UpdatePolicy` – Updates an existing policy with a new name, description, or content. + + * `organizations:DeletePolicy` – Deletes the specified policy from your organization. + + * `organizations:AttachPolicy` – Attaches a policy to a root, an organizational unit (OU), or an individual account. + + * `organizations:DetachPolicy` – Detaches a policy from a target root, organizational unit (OU), or account. + + * `organizations:EnablePolicyType` – Enables a policy type in a root. + + * `organizations:DisablePolicyType` – Disables an organizational policy type in a root. + + * `organizations:TagResource` – Adds one or more tags to a specified resource. + + * `organizations:UntagResource` – Removes any tags with the specified keys from a specified resource. + + * `organizations:ListTagsForResource` – Lists tags that are attached to a specified resource. + + + + +To review the permissions for this policy, see [AWSInspector2OrganizationsAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSInspector2OrganizationsAccess.html) in the _AWS Managed Policy Reference Guide_. + @@ -135,0 +211 @@ Change | Description | Date +AWSInspector2OrganizationsAccess – New policy | Amazon Inspector has added a new managed policy that grants permissions needed to enable and manage Amazon Inspector via AWS Organizations policy. | March 3, 2026