AWS inspector documentation change
Summary
Added troubleshooting guidance for 'Deep inspection has no inventory' error, specifying that missing `ssm:PutInventory` and `ssm:GetParameter` permissions can cause this issue and providing instructions to check IAM instance profiles and Default Host Management Configuration roles.
Security assessment
This change adds documentation about required IAM permissions for security scanning functionality (deep inspection). It helps users troubleshoot permission issues that prevent security vulnerability scanning, but doesn't address a specific security vulnerability or incident.
Diff
diff --git a/inspector/latest/user/assessing-coverage.md b/inspector/latest/user/assessing-coverage.md index 0758a307c..c50b1f0c3 100644 --- a//inspector/latest/user/assessing-coverage.md +++ b//inspector/latest/user/assessing-coverage.md @@ -130 +130 @@ To remediate this issue, you can use the [AWSSupport-TroubleshootManagedInstance - * **Deep inspection has no inventory** – The [Amazon Inspector SSM plugin](https://docs.aws.amazon.com/inspector/latest/user/inspector-ssm-plugin.html)hasn't yet been able to collect an inventory of packages for this instance. This is usually the result of a pending scan, however, if this status persists after 6 hours, use Amazon EC2 Systems Manager to ensure that the required Amazon Inspector associations exist and are running for the instance. + * **Deep inspection has no inventory** – The [Amazon Inspector SSM plugin](https://docs.aws.amazon.com/inspector/latest/user/inspector-ssm-plugin.html) hasn't yet been able to collect an inventory of packages for this instance. This is usually the result of a pending scan, however, if this status persists after 6 hours, use Amazon EC2 Systems Manager to ensure that the required Amazon Inspector associations exist and are running for the instance. This error can also occur if the instance is missing the required `ssm:PutInventory` and `ssm:GetParameter` permissions. If the instance has an IAM instance profile, verify these permissions are included in the profile. If no instance profile is configured, verify these permissions are included in the [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html) role.