AWS inspector documentation change
Summary
Clarified permission requirements for deep inspection, specifying that IAM instance profiles take precedence over Default Host Management Configuration roles and both must include `ssm:PutInventory` and `ssm:GetParameter` permissions.
Security assessment
This change documents security configuration requirements for deep inspection scanning. It clarifies IAM permission precedence but doesn't address a specific security vulnerability or incident.
Diff
diff --git a/inspector/latest/user/deep-inspection.md b/inspector/latest/user/deep-inspection.md index 9500430fc..864eab234 100644 --- a//inspector/latest/user/deep-inspection.md +++ b//inspector/latest/user/deep-inspection.md @@ -13 +13 @@ Amazon Inspector expands Amazon EC2 scanning coverage to include deep inspection -You can use deep inspection with the Default Host Management Configuration setting. However, you must create or use a role that's configured with the `ssm:PutInventory` and `ssm:GetParameter` permissions. +Deep inspection requires `ssm:PutInventory` and `ssm:GetParameter` permissions. If an IAM instance profile is configured on the instance, Amazon Inspector uses that profile and ignores the DHMC role. The instance profile must include these permissions. If no instance profile is set, Amazon Inspector uses the configured [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html) role, which must include these permissions.