AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2026-03-31 · Documentation low

File: inspector/latest/user/deep-inspection.md

Summary

Clarified permission requirements for deep inspection, specifying that IAM instance profiles take precedence over Default Host Management Configuration roles and both must include `ssm:PutInventory` and `ssm:GetParameter` permissions.

Security assessment

This change documents security configuration requirements for deep inspection scanning. It clarifies IAM permission precedence but doesn't address a specific security vulnerability or incident.

Diff

diff --git a/inspector/latest/user/deep-inspection.md b/inspector/latest/user/deep-inspection.md
index 9500430fc..864eab234 100644
--- a//inspector/latest/user/deep-inspection.md
+++ b//inspector/latest/user/deep-inspection.md
@@ -13 +13 @@ Amazon Inspector expands Amazon EC2 scanning coverage to include deep inspection
-You can use deep inspection with the Default Host Management Configuration setting. However, you must create or use a role that's configured with the `ssm:PutInventory` and `ssm:GetParameter` permissions. 
+Deep inspection requires `ssm:PutInventory` and `ssm:GetParameter` permissions. If an IAM instance profile is configured on the instance, Amazon Inspector uses that profile and ignores the DHMC role. The instance profile must include these permissions. If no instance profile is set, Amazon Inspector uses the configured [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html) role, which must include these permissions.