Service-linked role permissions for Amazon Inspector

Amazon Inspector uses the managed policy named AWSServiceRoleForAmazonInspector2. This service-linked role trusts the inspector2.amazonaws.com service to assume the role.

The permissions policy for the role, which is named AmazonInspector2ServiceRolePolicy, allows Amazon Inspector to perform tasks such as:

Use Amazon Elastic Compute Cloud (Amazon EC2) actions to retrieve information about your instances and network paths.
Use Amazon Systems Manager actions to retrieve inventory from your Amazon EC2 instances, and to retrieve information about third-party packages from custom paths.
Use the Amazon Systems Manager SendCommand action to invoke CIS scans for target instances.
Use Amazon Elastic Container Registry actions to retrieve information about your container images.
Use Amazon Lambda actions to retrieve information about your Lambda functions.
Use Amazon Organizations actions to describe associated accounts.
Use CloudWatch actions to retrieve information about the last time your Lambda functions were invoked.
Use select IAM actions to retrieve information about your IAM policies that could create security vulnerabilities in your Lambda code.
Use Amazon Q actions to perform scans of the code in your Lambda functions. Amazon Inspector uses the following Amazon Q actions:
- codeguru-security:CreateScan – Grants permission to create Amazon Q; scan.
- codeguru-security:GetScan – Grants permission to retrieve Amazon Q scan metadata.
- codeguru-security:ListFindings – Grants permission to retrieve findings generated by Amazon Q.
- codeguru-security:DeleteScansByCategory – Grants permission for Amazon Q to delete scans initiated by Amazon Inspector.
- codeguru-security:BatchGetFindings – Grants permission to retrieve a batch of specific findings generated by Amazon Q.
Use select Elastic Load Balancing actions to preform network scans of EC2 instances that are part of Elastic Load Balancing target groups.
Use Amazon ECS and Amazon EKS actions to allow read-only access to view clusters and tasks and describe tasks.

Note

Amazon Inspector no longer uses CodeGuru to perform Lambda scans. Amazon will discontinue support for CodeGuru on November 20, 2025. For more information, see End of support for CodeGuru Security. Amazon Inspector now uses Amazon Q to perform Lambda scans and does not require the permissions described in this section.

The role is configured with the following permissions policy.

JSON



     {
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "TirosPolicy",
			"Effect": "Allow",
			"Action": [
				"directconnect:DescribeConnections",
				"directconnect:DescribeDirectConnectGatewayAssociations",
				"directconnect:DescribeDirectConnectGatewayAttachments",
				"directconnect:DescribeDirectConnectGateways",
				"directconnect:DescribeVirtualGateways",
				"directconnect:DescribeVirtualInterfaces",
				"ec2:DescribeAddresses",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeCustomerGateways",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeInstances",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeManagedPrefixLists",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribePrefixLists",
				"ec2:DescribeRegions",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets",
				"ec2:DescribeTransitGatewayAttachments",
				"ec2:DescribeTransitGatewayConnects",
				"ec2:DescribeTransitGatewayPeeringAttachments",
				"ec2:DescribeTransitGatewayRouteTables",
				"ec2:DescribeTransitGatewayVpcAttachments",
				"ec2:DescribeTransitGateways",
				"ec2:DescribeVpcEndpointServiceConfigurations",
				"ec2:DescribeVpcEndpoints",
				"ec2:DescribeVpcPeeringConnections",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpnConnections",
				"ec2:DescribeVpnGateways",
				"ec2:GetManagedPrefixListEntries",
				"ec2:GetTransitGatewayRouteTablePropagations",
				"ec2:SearchTransitGatewayRoutes",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeRules",
				"elasticloadbalancing:DescribeTags",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:DescribeTargetGroupAttributes",
				"elasticloadbalancing:DescribeTargetHealth",
				"network-firewall:DescribeFirewall",
				"network-firewall:DescribeFirewallPolicy",
				"network-firewall:DescribeResourcePolicy",
				"network-firewall:DescribeRuleGroup",
				"network-firewall:ListFirewallPolicies",
				"network-firewall:ListFirewalls",
				"network-firewall:ListRuleGroups",
				"tiros:CreateQuery",
				"tiros:GetQueryAnswer"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "PackageVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"ecr:BatchGetImage",
				"ecr:BatchGetRepositoryScanningConfiguration",
				"ecr:DescribeImages",
				"ecr:DescribeRegistry",
				"ecr:DescribeRepositories",
				"ecr:GetAuthorizationToken",
				"ecr:GetDownloadUrlForLayer",
				"ecr:GetRegistryScanningConfiguration",
				"ecr:ListImages",
				"ecr:PutRegistryScanningConfiguration",
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAccounts",
				"ssm:DescribeAssociation",
				"ssm:DescribeAssociationExecutions",
				"ssm:DescribeInstanceInformation",
				"ssm:ListAssociations",
				"ssm:ListResourceDataSync"
			],
			"Resource": "*"
		},
		{
			"Sid": "LambdaPackageVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"lambda:ListFunctions",
				"lambda:GetFunction",
				"lambda:GetLayerVersion",
				"lambda:ListTags",
				"cloudwatch:GetMetricData"
			],
			"Resource": "*"
		},
		{
			"Sid": "GatherInventory",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateAssociation",
				"ssm:StartAssociationsOnce",
				"ssm:UpdateAssociation"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*",
				"arn:aws:ssm:*:*:document/AmazonInspector2-*",
				"arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
				"arn:aws:ssm:*:*:managed-instance/*",
				"arn:aws:ssm:*:*:association/*"
			]
		},
		{
			"Sid": "GatherInventoryDeleteAssociation",
			"Effect": "Allow",
			"Action": [
				"ssm:DeleteAssociation"
			],
			"Resource": [
				"arn:aws:ssm:*:*:association/*"
			]
		},
		{
			"Sid": "DataSyncCleanup",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateResourceDataSync",
				"ssm:DeleteResourceDataSync"
			],
			"Resource": [
				"arn:aws:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete"
			]
		},
		{
			"Sid": "ManagedRules",
			"Effect": "Allow",
			"Action": [
				"events:PutRule",
				"events:DeleteRule",
				"events:DescribeRule",
				"events:ListTargetsByRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": [
				"arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule"
			]
		},
		{
			"Sid": "LambdaCodeVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"codeguru-security:CreateScan",
				"codeguru-security:GetAccountConfiguration",
				"codeguru-security:GetFindings",
				"codeguru-security:GetScan",
				"codeguru-security:ListFindings",
				"codeguru-security:BatchGetFindings",
				"codeguru-security:DeleteScansByCategory"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "CodeGuruCodeVulnerabilityScanning",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:ListAttachedRolePolicies",
				"iam:ListPolicies",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"lambda:ListVersionsByFunction"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"codeguru-security.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "Ec2DeepInspection",
			"Effect": "Allow",
			"Action": [
				"ssm:PutParameter",
				"ssm:GetParameters",
				"ssm:DeleteParameter"
			],
			"Resource": [
				"arn:aws:ssm:*:*:parameter/inspector-aws/service/inspector-linux-application-paths"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowManagementOfServiceLinkedChannel",
			"Effect": "Allow",
			"Action": [
				"cloudtrail:CreateServiceLinkedChannel",
				"cloudtrail:DeleteServiceLinkedChannel"
			],
			"Resource": [
				"arn:aws:cloudtrail:*:*:channel/aws-service-channel/inspector2/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowListServiceLinkedChannels",
			"Effect": "Allow",
			"Action": [
				"cloudtrail:ListServiceLinkedChannels"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowToRunInvokeCisSpecificDocuments",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand",
				"ssm:GetCommandInvocation"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AmazonInspector2-InvokeInspectorSsmPluginCIS"
			]
		},
		{
			"Sid": "AllowToRunCisCommandsToSpecificResources",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "AllowToPutCloudwatchMetricData",
			"Effect": "Allow",
			"Action": [
				"cloudwatch:PutMetricData"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"cloudwatch:namespace": "AWS/Inspector2"
				}
			}
		},
		{
			"Sid": "AllowListAccessToECSAndEKS",
			"Effect": "Allow",
			"Action": [
			    "ecs:ListClusters",
			    "ecs:ListTasks",
			    "eks:ListClusters"
			],
			"Resource": [
			    "*"
			],
			"Condition": {
			    "StringEquals": {
			        "aws:ResourceAccount": "${aws:PrincipalAccount}"
			    }
			}
			},
			{
			"Sid": "AllowAccessToECSTasks",
			"Effect": "Allow",
			"Action": [
			    "ecs:DescribeTasks"
			],
			"Resource": "arn:aws:ecs:*:*:task/*",
			"Condition": {
			    "StringEquals": {
			        "aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		}
	]
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Using service-linked roles

Service-linked role permissions for Amazon Inspector agentless scans