View a markdown version of this page

Actions, resources, and condition keys for Amazon Inspector2 - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Inspector2

Amazon Inspector2 (service prefix: inspector2) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Inspector2

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssociateMember

inspector2:AssociateMember

Write

BatchAssociateCodeSecurityScanConfiguration

inspector2:BatchAssociateCodeSecurityScanConfiguration

Write

BatchDisassociateCodeSecurityScanConfiguration

inspector2:BatchDisassociateCodeSecurityScanConfiguration

Write

BatchGetAccountStatus

inspector2:BatchGetAccountStatus

Read

BatchGetCodeSnippet

inspector2:BatchGetCodeSnippet

Read

BatchGetFindingDetails

inspector2:BatchGetFindingDetails

Read

BatchGetFreeTrialInfo

inspector2:BatchGetFreeTrialInfo

Read

BatchGetMemberEc2DeepInspectionStatus

inspector2:BatchGetMemberEc2DeepInspectionStatus

Read

BatchUpdateMemberEc2DeepInspectionStatus

inspector2:BatchUpdateMemberEc2DeepInspectionStatus

Write

CancelFindingsReport

inspector2:CancelFindingsReport

Write

CancelSbomExport

inspector2:CancelSbomExport

Write

CreateCisScanConfiguration

inspector2:CreateCisScanConfiguration

Write

inspector2:TagResource

Tagging, Write

CreateCodeSecurityIntegration

inspector2:CreateCodeSecurityIntegration

Write

inspector2:TagResource

Tagging, Write

CreateCodeSecurityScanConfiguration

inspector2:CreateCodeSecurityScanConfiguration

Write

inspector2:TagResource

Tagging, Write

CreateConnector

inspector2:CreateConnector

Write

inspector2:TagResource

Tagging, Write

CreateFilter

inspector2:CreateFilter

Write

inspector2:TagResource

Tagging, Write

CreateFindingsReport

inspector2:CreateFindingsReport

Write

CreateSbomExport

inspector2:CreateSbomExport

Write

DeleteCisScanConfiguration

inspector2:DeleteCisScanConfiguration

Write

DeleteCodeSecurityIntegration

inspector2:DeleteCodeSecurityIntegration

Write

DeleteCodeSecurityScanConfiguration

inspector2:DeleteCodeSecurityScanConfiguration

Write

DeleteConnector

inspector2:DeleteConnector

Write

DeleteFilter

inspector2:DeleteFilter

Write

DescribeOrganizationConfiguration

inspector2:DescribeOrganizationConfiguration

Read

Disable

inspector2:Disable

Write

DisableDelegatedAdminAccount

inspector2:DisableDelegatedAdminAccount

Write

DisassociateMember

inspector2:DisassociateMember

Write

Enable

inspector2:Enable

Write

EnableDelegatedAdminAccount

inspector2:EnableDelegatedAdminAccount

Write

GetCisScanReport

inspector2:GetCisScanReport

Read

GetCisScanResultDetails

inspector2:GetCisScanResultDetails

List

GetClustersForImage

inspector2:GetClustersForImage

Read

GetCodeSecurityIntegration

inspector2:GetCodeSecurityIntegration

Read

GetCodeSecurityScan

inspector2:GetCodeSecurityScan

Read

GetCodeSecurityScanConfiguration

inspector2:GetCodeSecurityScanConfiguration

Read

GetConfiguration

inspector2:GetConfiguration

Read

GetDelegatedAdminAccount

inspector2:GetDelegatedAdminAccount

Read

GetEc2DeepInspectionConfiguration

inspector2:GetEc2DeepInspectionConfiguration

Read

GetEncryptionKey

inspector2:GetEncryptionKey

Read

GetFindingsReportStatus

inspector2:GetFindingsReportStatus

Read

GetMember

inspector2:GetMember

Read

GetSbomExport

inspector2:GetSbomExport

Read

ListAccountPermissions

inspector2:ListAccountPermissions

List

ListCisScanConfigurations

inspector2:ListCisScanConfigurations

List

ListCisScanResultsAggregatedByChecks

inspector2:ListCisScanResultsAggregatedByChecks

List

ListCisScanResultsAggregatedByTargetResource

inspector2:ListCisScanResultsAggregatedByTargetResource

List

ListCisScans

inspector2:ListCisScans

List

ListCodeSecurityIntegrations

inspector2:ListCodeSecurityIntegrations

List

ListCodeSecurityScanConfigurationAssociations

inspector2:ListCodeSecurityScanConfigurationAssociations

List

ListCodeSecurityScanConfigurations

inspector2:ListCodeSecurityScanConfigurations

List

ListConnectorScanConfigurations

inspector2:ListConnectorScanConfigurations

List

ListConnectors

inspector2:ListConnectors

List

ListCoverage

inspector2:ListCoverage

List

ListCoverageStatistics

inspector2:ListCoverageStatistics

List

ListDelegatedAdminAccounts

inspector2:ListDelegatedAdminAccounts

List

ListFilters

inspector2:ListFilters

List

ListFindingAggregations

inspector2:ListFindingAggregations

List

ListFindings

inspector2:ListFindings

List

ListMembers

inspector2:ListMembers

List

ListTagsForResource

inspector2:ListTagsForResource

Read

ListUsageTotals

inspector2:ListUsageTotals

List

ResetEncryptionKey

inspector2:ResetEncryptionKey

Write

SearchVulnerabilities

inspector2:SearchVulnerabilities

Read

SendCisSessionHealth

inspector2:SendCisSessionHealth

Write

SendCisSessionTelemetry

inspector2:SendCisSessionTelemetry

Write

StartCisSession

inspector2:StartCisSession

Write

StartCodeSecurityScan

inspector2:StartCodeSecurityScan

Write

StopCisSession

inspector2:StopCisSession

Write

TagResource

inspector2:TagResource

Tagging, Write

UntagResource

inspector2:UntagResource

Tagging, Write

UpdateCisScanConfiguration

inspector2:UpdateCisScanConfiguration

Write

UpdateCodeSecurityIntegration

inspector2:UpdateCodeSecurityIntegration

Write

UpdateCodeSecurityScanConfiguration

inspector2:UpdateCodeSecurityScanConfiguration

Write

UpdateConfiguration

inspector2:UpdateConfiguration

Write

UpdateConnector

inspector2:UpdateConnector

Write

UpdateConnectorScanConfiguration

inspector2:UpdateConnectorScanConfiguration

Write

UpdateEc2DeepInspectionConfiguration

inspector2:UpdateEc2DeepInspectionConfiguration

Write

UpdateEncryptionKey

inspector2:UpdateEncryptionKey

Write

UpdateFilter

inspector2:UpdateFilter

Write

UpdateOrgEc2DeepInspectionConfiguration

inspector2:UpdateOrgEc2DeepInspectionConfiguration

Write

UpdateOrganizationConfiguration

inspector2:UpdateOrganizationConfiguration

Write

Actions defined by Amazon Inspector2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateMember

Grants permission to associate an account with an Amazon Inspector administrator account

Write

BatchAssociateCodeSecurityScanConfiguration

Grants permission to associate multiple code repositories with an Amazon Inspector code security scan configuration

Write

BatchDisassociateCodeSecurityScanConfiguration

Grants permission to disassociate multiple code repositories from an Amazon Inspector code security scan configuration

Write

BatchGetAccountStatus

Grants permission to retrieve information about Amazon Inspector accounts for an account

Read

BatchGetCodeSnippet

Grants permission to retrieve code snippet information about one or more code vulnerability findings

Read

BatchGetFindingDetails

Grants permission to let a customer get enhanced vulnerability intelligence details for findings

Read

BatchGetFreeTrialInfo

Grants permission to retrieve free trial period eligibility about Amazon Inspector accounts for an account

Read

BatchGetMemberEc2DeepInspectionStatus

Grants permission to delegated administrator to retrieve ec2 deep inspection status of member accounts

Read

BatchUpdateMemberEc2DeepInspectionStatus

Grants permission to update ec2 deep inspection status by delegated administrator for its associated member accounts

Write

CancelFindingsReport

Grants permission to cancel the generation of a findings report

Write

CancelSbomExport

Grants permission to cancel the generation of an SBOM report

Write

CreateCisScanConfiguration

Grants permission to create and define the settings for a CIS scan configuration

CIS Scan Configuration*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateCodeSecurityIntegration

Grants permission to create a code security integration with a source code repository provider

Code Security Integration*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateCodeSecurityScanConfiguration

Grants permission to create a scan configuration for code security scanning

Code Security Scan Configuration*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateConnector

Grants permission to create a connector to scan resources from a third-party cloud provider

Connector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateFilter

Grants permission to create and define the settings for a findings filter

Filter*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateFindingsReport

Grants permission to request the generation of a findings report

Write

CreateSbomExport

Grants permission to request the generation of an SBOM report

Write

DeleteCisScanConfiguration

Grants permission to delete a CIS scan configuration

CIS Scan Configuration*

aws:ResourceTag/${TagKey}

Write

DeleteCodeSecurityIntegration

Grants permission to delete a code security integration

Code Security Integration*

aws:ResourceTag/${TagKey}

Write

DeleteCodeSecurityScanConfiguration

Grants permission to delete a code security scan configuration

Code Security Scan Configuration*

aws:ResourceTag/${TagKey}

Write

DeleteConnector

Grants permission to delete a connector configured for scanning resources from a third-party cloud provider

Connector*

aws:ResourceTag/${TagKey}

Write

DeleteFilter

Grants permission to delete a findings filter

Filter*

aws:ResourceTag/${TagKey}

Write

DescribeOrganizationConfiguration

Grants permission to retrieve information about the Amazon Inspector configuration settings for an Amazon organization

Read

Disable

Grants permission to disable an Amazon Inspector account

Write

DisableDelegatedAdminAccount

Grants permission to disable an account as the delegated Amazon Inspector administrator account for an Amazon organization

Write

DisassociateMember

Grants permission to an Amazon Inspector administrator account to disassociate from an Inspector member account

Write

Enable

Grants permission to enable and specify the configuration settings for a new Amazon Inspector account

Write

EnableDelegatedAdminAccount

Grants permission to enable an account as the delegated Amazon Inspector administrator account for an Amazon organization

Write

GetCisScanReport

Grants permission to retrieve a report containing information about completed CIS scans

Read

GetCisScanResultDetails

Grants permission to retrieve information about all details pertaining to one CIS scan and one targeted resource

List

GetClustersForImage

Grants permission to get cluster information for a given a continuously scanned amazon Ecr image

Read

GetCodeSecurityIntegration

Grants permission to retrieve information about a code security integration

Read

GetCodeSecurityScan

Grants permission to retrieve information about a specific code security scan

Read

GetCodeSecurityScanConfiguration

Grants permission to retrieve information about a code security scan configuration

Read

GetConfiguration

Grants permission to retrieve information about the Amazon Inspector configuration settings for an Amazon Web Services account

Read

GetDelegatedAdminAccount

Grants permission to retrieve information about the Amazon Inspector administrator account for an account

Read

GetEc2DeepInspectionConfiguration

Grants permission to retrieve ec2 deep inspection configuration for standalone accounts, delegated administrator and member account

Read

GetEncryptionKey

Grants permission to retrieve information about the KMS key used to encrypt code snippets with

Read

GetFindingsReportStatus

Grants permission to retrieve status for a requested findings report

Read

GetMember

Grants permission to retrieve information about an account that's associated with an Amazon Inspector administrator account

Read

GetSbomExport

Grants permission to retrieve a requested SBOM report

Read

ListAccountPermissions

Grants permission to retrieve feature configuration permissions associated with an Amazon Inspector account within an organization

List

ListCisScanConfigurations

Grants permission to retrieve information about all CIS scan configurations

List

ListCisScanResultsAggregatedByChecks

Grants permission to retrieve information about all checks pertaining to one CIS scan

List

ListCisScanResultsAggregatedByTargetResource

Grants permission to retrieve information about all resources pertaining to one CIS scan

List

ListCisScans

Grants permission to retrieve information about completed CIS scans

List

ListCodeSecurityIntegrations

Grants permission to list all code security integrations in your account

List

ListCodeSecurityScanConfigurationAssociations

Grants permission to list the associations between code repositories and Amazon Inspector code security scan configurations

List

ListCodeSecurityScanConfigurations

Grants permission to list all code security scan configurations in your account

List

ListConnectorScanConfigurations

Grants permission to list scan configurations for connectors

List

ListConnectors

Grants permission to list connectors configured for scanning resources from third-party cloud providers

List

ListCoverage

Grants permission to retrieve the types of statistics Amazon Inspector can generate for resources Inspector monitors

List

ListCoverageStatistics

Grants permission to retrieve statistical data and other information about the resources Amazon Inspector monitors

List

ListDelegatedAdminAccounts

Grants permission to retrieve information about the delegated Amazon Inspector administrator account for an Amazon organization

List

ListFilters

Grants permission to retrieve information about all findings filters

List

ListFindingAggregations

Grants permission to retrieve statistical data and other information about Amazon Inspector findings

List

ListFindings

Grants permission to retrieve a subset of information about one or more findings

List

ListMembers

Grants permission to retrieve information about the Amazon Inspector member accounts that are associated with an Inspector administrator account

List

ListTagsForResource

Grants permission to retrieve the tags for an Amazon Inspector resource

Read

ListUsageTotals

Grants permission to retrieve aggregated usage data for an account

List

ResetEncryptionKey

Grants permission to let a customer reset to use an Amazon-owned KMS key to encrypt code snippets with

Write

SearchVulnerabilities

Grants permission to list Amazon Inspector coverage details for a specific vulnerability

Read

SendCisSessionHealth

Grants permission to send CIS health for a CIS scan

Write

SendCisSessionTelemetry

Grants permission to send CIS telemetry for a CIS scan

Write

StartCisSession

Grants permission to start a CIS scan session

Write

StartCodeSecurityScan

Grants permission to initiate a code security scan on a specified repository

Write

StopCisSession

Grants permission to stop a CIS scan session

Write

TagResource

Grants permission to add or update the tags for an Amazon Inspector resource

CIS Scan Configuration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Code Security Integration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Code Security Scan Configuration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Connector

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Filter

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove tags from an Amazon Inspector resource

CIS Scan Configuration

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Code Security Integration

aws:ResourceTag/${TagKey}

aws:TagKeys

Code Security Scan Configuration

aws:ResourceTag/${TagKey}

aws:TagKeys

Connector

aws:ResourceTag/${TagKey}

aws:TagKeys

Filter

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateCisScanConfiguration

Grants permission to update the settings for a CIS scan configuration

CIS Scan Configuration*

aws:ResourceTag/${TagKey}

Write

UpdateCodeSecurityIntegration

Grants permission to update an existing code security integration

Code Security Integration*

aws:ResourceTag/${TagKey}

Write

UpdateCodeSecurityScanConfiguration

Grants permission to update an existing code security scan configuration

Code Security Scan Configuration*

aws:ResourceTag/${TagKey}

Write

UpdateConfiguration

Grants permission to update information about the Amazon Inspector configuration settings for an Amazon Web Services account

Write

UpdateConnector

Grants permission to update a connector configured for scanning resources from a third-party cloud provider

Connector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdateConnectorScanConfiguration

Grants permission to update scan configuration settings for resources associated with a connector

Write

UpdateEc2DeepInspectionConfiguration

Grants permission to update ec2 deep inspection configuration by delegated administrator, member and standalone account

Write

UpdateEncryptionKey

Grants permission to let a customer use a KMS key to encrypt code snippets with

Write

UpdateFilter

Grants permission to update the settings for a findings filter

Filter*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdateOrgEc2DeepInspectionConfiguration

Grants permission to update ec2 deep inspection configuration by delegated administrator for its associated member accounts

Write

UpdateOrganizationConfiguration

Grants permission to update Amazon Inspector configuration settings for an Amazon organization

Write

Resource types defined by Amazon Inspector2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

CIS Scan Configuration

arn:${Partition}:inspector2:${Region}:${Account}:owner/${OwnerId}/cis-configuration/${CISScanConfigurationId}

aws:ResourceTag/${TagKey}

Code Security Integration

arn:${Partition}:inspector2:${Region}:${Account}:codesecurity-integration/${CodeSecurityIntegrationId}

aws:ResourceTag/${TagKey}

Code Security Scan Configuration

arn:${Partition}:inspector2:${Region}:${Account}:owner/${OwnerId}/codesecurity-configuration/${CodeSecurityScanConfigurationId}

aws:ResourceTag/${TagKey}

Connector

arn:${Partition}:inspector2:${Region}:${Account}:connector/${ConnectorId}

aws:ResourceTag/${TagKey}

Filter

arn:${Partition}:inspector2:${Region}:${Account}:owner/${OwnerId}/filter/${FilterId}

aws:ResourceTag/${TagKey}

Finding

arn:${Partition}:inspector2:${Region}:${Account}:finding/${FindingId}

Condition keys for Amazon Inspector2

Amazon Inspector2 defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString