AWS inspector documentation change
Summary
Updated Windows instance scanning documentation to clarify that IAM instance profiles take precedence over Default Host Management Configuration roles and both require `ssm:PutInventory` and `ssm:GetParameter` permissions.
Security assessment
This change documents security configuration requirements for Windows instance scanning with Amazon Inspector. It clarifies IAM permission requirements but doesn't address a specific security vulnerability or incident.
Diff
diff --git a/inspector/latest/user/inspector-ssm-plugin.md b/inspector/latest/user/inspector-ssm-plugin.md index bd6b67a24..08f80d34c 100644 --- a//inspector/latest/user/inspector-ssm-plugin.md +++ b//inspector/latest/user/inspector-ssm-plugin.md @@ -50 +50 @@ By default, the Amazon Inspector SSM plugin runs at below normal priority. -You can use Windows instances with the [Default Host Management Configuration setting](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html). However, you must create or use a role that's configured with the `ssm:PutInventory` and `ssm:GetParameter` permissions. +Scanning Windows instances requires `ssm:PutInventory` and `ssm:GetParameter` permissions. If an IAM instance profile is configured on the instance, Amazon Inspector uses that profile and ignores the Default Host Management Configuration (DHMC) role. The instance profile must include these permissions. If no instance profile is set, Amazon Inspector uses the configured [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html) role, which must include these permissions.