AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2026-07-13 · Documentation low

File: inspector/latest/user/security-iam-awsmanpol.md

Summary

Added new service-linked role 'AWSServiceRoleForAmazonInspector2ThirdParty' for multi-cloud scanning, updated IAM permissions to include creation of third-party roles, added Config and SSM permissions for multi-cloud resource discovery, and documented new managed policy 'AmazonInspector2ThirdPartyServiceRolePolicy'.

Security assessment

Changes introduce new permissions and roles for multi-cloud resource scanning capabilities without addressing any specific vulnerability. The updates expand security documentation by detailing permissions required for new Inspector features.

Diff

diff --git a/inspector/latest/user/security-iam-awsmanpol.md b/inspector/latest/user/security-iam-awsmanpol.md
index 59b341a97..fcc8dff10 100644
--- a//inspector/latest/user/security-iam-awsmanpol.md
+++ b//inspector/latest/user/security-iam-awsmanpol.md
@@ -7 +7 @@
-AmazonInspector2FullAccess_v2AWSInspector2OrganizationsAccessAmazonInspector2FullAccessAmazonInspector2ReadOnlyAccessAmazonInspector2ManagedCisPolicyAmazonInspector2ServiceRolePolicyAmazonInspector2AgentlessServiceRolePolicyAmazonInspector2ManagedTelemetryPolicyPolicy updates
+AmazonInspector2FullAccess_v2AWSInspector2OrganizationsAccessAmazonInspector2FullAccessAmazonInspector2ReadOnlyAccessAmazonInspector2ManagedCisPolicyAmazonInspector2ServiceRolePolicyAmazonInspector2AgentlessServiceRolePolicyAmazonInspector2ThirdPartyServiceRolePolicyAmazonInspector2ManagedTelemetryPolicyPolicy updates
@@ -33 +33,3 @@ This policy includes the following permissions.
-  * `iam` – Allows Amazon Inspector to create the service-linked roles `AWSServiceRoleForAmazonInspector2` and `AWSServiceRoleForAmazonInspector2Agentless`. `AWSServiceRoleForAmazonInspector2` is required for Amazon Inspector to perform operations like retrieving information about Amazon EC2 instances, Amazon ECR repositories, and Amazon ECR container images. It's also required to decrypt Amazon EBS snapshots encrypted with AWS KMS keys. For more information, see [Using service-linked roles for Amazon Inspector](./using-service-linked-roles.html). 
+  * `iam` – Allows Amazon Inspector to create the service-linked roles `AWSServiceRoleForAmazonInspector2`, `AWSServiceRoleForAmazonInspector2Agentless`, and `AWSServiceRoleForAmazonInspector2ThirdParty`. `AWSServiceRoleForAmazonInspector2` is required for Amazon Inspector to perform operations like retrieving information about Amazon EC2 instances, Amazon ECR repositories, and Amazon ECR container images. It's also required to decrypt Amazon EBS snapshots encrypted with AWS KMS keys. Additionally, allows creation of the `AWSServiceRoleForConfigThirdParty` service-linked role, which is required by to record multi-cloud resources. For more information, see [Using service-linked roles for Amazon Inspector](./using-service-linked-roles.html). 
+
+  * `config` – Allows Amazon Inspector to create, read, and list connectors in for multi-cloud resource discovery. 
@@ -137 +139,3 @@ This policy includes the following permissions.
-  * `iam` – Allows Amazon Inspector to create the service-linked roles `AWSServiceRoleForAmazonInspector2` and `AWSServiceRoleForAmazonInspector2Agentless`. `AWSServiceRoleForAmazonInspector2` is required for Amazon Inspector to perform operations such as retrieve information about your Amazon EC2 instances, Amazon ECR repositories, and container images. It's also required for Amazon Inspector to analyze your VPC network and describe accounts that are associated with your organization. `AWSServiceRoleForAmazonInspector2Agentless` is required for Amazon Inspector to perform operations, such as retrieve information about your Amazon EC2 instances and Amazon EBS snapshots. It's also required to decrypt Amazon EBS snapshots that are encrypted with AWS KMS keys. For more information, see [Using service-linked roles for Amazon Inspector](./using-service-linked-roles.html). 
+  * `iam` – Allows Amazon Inspector to create the service-linked roles `AWSServiceRoleForAmazonInspector2`, `AWSServiceRoleForAmazonInspector2Agentless`, and `AWSServiceRoleForAmazonInspector2ThirdParty`. `AWSServiceRoleForAmazonInspector2` is required for Amazon Inspector to perform operations such as retrieve information about your Amazon EC2 instances, Amazon ECR repositories, and container images. It's also required for Amazon Inspector to analyze your VPC network and describe accounts that are associated with your organization. `AWSServiceRoleForAmazonInspector2Agentless` is required for Amazon Inspector to perform operations, such as retrieve information about your Amazon EC2 instances and Amazon EBS snapshots. It's also required to decrypt Amazon EBS snapshots that are encrypted with AWS KMS keys. `AWSServiceRoleForAmazonInspector2ThirdParty` is required for Amazon Inspector to perform multi-cloud scanning operations, such as managing cloud connectors and configuration recorders. Additionally, allows creation of the `AWSServiceRoleForConfigThirdParty` service-linked role, which is required by to record multi-cloud resources. For more information, see [Using service-linked roles for Amazon Inspector](./using-service-linked-roles.html). 
+
+  * `config` – Allows Amazon Inspector to create, read, and list connectors in for multi-cloud resource discovery. 
@@ -163,0 +168,4 @@ This policy includes the following permissions.
+  * `config` – Allows the details and health status of all Amazon Inspector multi-cloud connectors to be viewed. This includes listing and describing any configuration recorders that are associated with the connectors.
+
+  * `ssm` – Allows the details and health status of all Amazon Inspector multi-cloud connectors to be viewed.
+
@@ -191,0 +200,4 @@ You can't attach the `AmazonInspector2AgentlessServiceRolePolicy` policy to your
+## AWS managed policy: AmazonInspector2ThirdPartyServiceRolePolicy
+
+You can't attach the `AmazonInspector2ThirdPartyServiceRolePolicy` policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Inspector to perform actions on your behalf for multi-cloud resource scanning. For more information, see [Using service-linked roles for Amazon Inspector](./using-service-linked-roles.html).
+
@@ -212,0 +225,2 @@ Change | Description | Date
+AmazonInspector2FullAccess_v2 – Updates to an existing policy  |  Amazon Inspector added `iam` permissions that allow Amazon Inspector to create the service-linked role for multi-cloud connectors (`AWSServiceRoleForAmazonInspector2ThirdParty`) and the third-party service-linked role (`AWSServiceRoleForConfigThirdParty`). Amazon Inspector also added the multi-cloud service principal (`multicloud.inspector2.amazonaws.com`) to the conditions for `organizations` actions, and added connector permissions for multi-cloud resource discovery.  | July 7, 2026  
+AmazonInspector2ReadOnlyAccess – Updates to an existing policy  |  Amazon Inspector added read-only and AWS Systems Manager permissions for viewing multi-cloud connector health status.  | July 7, 2026