

# Service-linked role permissions for Amazon Inspector
<a name="slr-permissions"></a>

Amazon Inspector uses a service-linked role with the managed policy named [AmazonInspector2ServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonInspector2ServiceRolePolicy.html) attached. The service-linked role's trust policy trusts only the `inspector2.amazonaws.com` service principal to assume the role, so no IAM user, role, or account can assume it directly.

The permissions policy attached to the role, [AmazonInspector2ServiceRolePolicy](https://docs.amazonaws.cn/inspector/latest/user/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonInspector2ServiceRolePolicy), allows Amazon Inspector to perform tasks such as:
+ Use Amazon Elastic Compute Cloud (Amazon EC2) actions to retrieve information about your instances and network paths.
+ Use Amazon Systems Manager actions to retrieve inventory from your Amazon EC2 instances, and to retrieve information about third-party packages from custom paths.
+ Use the Amazon Systems Manager `SendCommand` action to invoke CIS scans for target instances.
+ Use Amazon Elastic Container Registry actions to retrieve information about your container images.
+ Use Amazon Lambda actions to retrieve information about your Lambda functions.
+ Use Amazon Organizations actions to describe associated accounts.
+ Use CloudWatch actions to retrieve information about the last time your Lambda functions were invoked.
+ Use select IAM actions to retrieve the IAM policies associated with your Lambda functions, to identify policies that could create security vulnerabilities in your Lambda code.
+ Use CodeGuru Security actions (the `codeguru-security` namespace) to perform scans of the code in your Lambda functions. These actions are no longer required; see the note that follows this list. The policy included the following actions:
  + codeguru-security:CreateScan – Grants permission to create a code scan.
  + codeguru-security:GetScan – Grants permission to retrieve scan metadata.
  + codeguru-security:ListFindings – Grants permission to retrieve the findings generated by a scan.
  + codeguru-security:DeleteScansByCategory – Grants permission to delete scans initiated by Amazon Inspector.
  + codeguru-security:BatchGetFindings – Grants permission to retrieve a batch of specific findings.
+ Use select Elastic Load Balancing actions to perform network scans of EC2 instances that are registered in Elastic Load Balancing target groups.
+ Use Amazon ECS and Amazon EKS actions for read-only access to list and describe your clusters and tasks.
+ Use Amazon Organizations actions to list delegated administrators for Amazon Inspector across organizations.
+ Use Amazon Inspector actions to enable and disable Amazon Inspector across organizations.
+ Use Amazon Inspector actions to designate delegated administrator accounts and associate member accounts across organizations.
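
As an added example (not part of the Amazon documentation or of the policy itself), the following Python script shows how a practitioner would check two things this page asserts against the actual IAM documents: that the role's trust policy admits only the `inspector2.amazonaws.com` service principal, and which of the actions listed above a permissions policy grants or denies. The trust policy and the permissions-policy excerpt embedded in the script are constructed samples in the shape AWS uses, not the real `AmazonInspector2ServiceRolePolicy`; to audit the real role, replace them with the JSON returned by `aws iam get-role` and `aws iam get-policy-version`. The evaluator handles `Action` wildcards and explicit `Deny`, but deliberately ignores `Condition`, `NotAction` and `Resource`, so it over-approximates what is allowed.

```python
"""Offline checks on the IAM documents behind a service-linked role.

Both documents below are constructed samples (not fetched from AWS and not
the real AmazonInspector2ServiceRolePolicy).  Swap in the JSON returned by
`aws iam get-role` / `aws iam get-policy-version` to audit a real role.
"""
import fnmatch
import json

EXPECTED_SERVICE = "inspector2.amazonaws.com"

# Constructed trust policy in the shape AWS uses for a service-linked role.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "inspector2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed excerpt of a permissions policy; actions taken from the list above.
# The Deny statement is there only to exercise explicit-deny handling.
PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ssm:SendCommand", "Resource": "*"},
    {"Effect": "Allow", "Action": "codeguru-security:*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "codeguru-security:DeleteScansByCategory", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Principal/Action fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, pattern):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trusted_services(trust_policy):
    """Return every principal an Allow statement lets call sts:AssumeRole.

    Service principals are returned bare; anything else (account/user ARNs,
    or a bare "*") is returned prefixed so that it never compares equal to
    the expected service and therefore fails the check.
    """
    principals = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches("sts:AssumeRole", p) for p in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.add("*")
            continue
        if isinstance(principal, dict):
            principals.update(_as_list(principal.get("Service")))
            for key in principal:
                if key != "Service":
                    principals.add(f"{key}:{','.join(_as_list(principal[key]))}")
    return principals


def trust_policy_ok(trust_policy, service=EXPECTED_SERVICE):
    """True only if exactly the expected service principal can assume the role."""
    return trusted_services(trust_policy) == {service}


def is_allowed(policy, action):
    """Evaluate one action: explicit Deny wins, then Allow, else implicit deny.

    Condition, NotAction and Resource are ignored, so the answer is an
    over-approximation of what IAM would actually permit.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(action, p) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_actions(policy, actions):
    """Map each action of interest to whether the policy grants it."""
    return {a: is_allowed(policy, a) for a in actions}


if __name__ == "__main__":
    print("trust policy restricted to", EXPECTED_SERVICE, "->", trust_policy_ok(TRUST_POLICY))
    wanted = ["ec2:DescribeInstances", "ssm:SendCommand", "ssm:GetInventory",
              "codeguru-security:CreateScan", "codeguru-security:DeleteScansByCategory"]
    for action, ok in check_actions(PERMISSIONS_POLICY, wanted).items():
        print(f"{action:45} {'allow' if ok else 'deny'}")
```

A real audit would run this against the live role: the trust check should pass, and any action from the list above that comes back as `deny` indicates the policy version in your account differs from the one documented, which is worth confirming in the managed policy reference linked below.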

**Note**  
Amazon Inspector no longer uses CodeGuru Security to perform Lambda code scans. Amazon will discontinue support for CodeGuru Security on November 20, 2025. For more information, see [End of support for CodeGuru Security](https://docs.amazonaws.cn/codeguru/latest/security-ug/end-of-support.html). Amazon Inspector now uses Amazon Q to perform Lambda code scans and no longer requires the `codeguru-security` permissions listed above.

To review the permissions for this policy, see [AmazonInspector2ServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonInspector2ServiceRolePolicy.html) in the *Amazon Managed Policy Reference Guide*.