

# Data protection in Amazon Inspector
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Inspector. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Inspector or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

**Topics**
+ [Encryption at rest](encryption-rest.md)
+ [Encryption in transit](encryption-transit.md)

# Encryption at rest
<a name="encryption-rest"></a>

By default, Amazon Inspector stores data at rest using AWS encryption solutions. Amazon Inspector encrypts data such as the following:
+ Resource inventory collected with AWS Systems Manager.
+ Resource inventory parsed from Amazon Elastic Container Registry images.
+ Generated security findings, using AWS owned encryption keys from AWS Key Management Service.

 You cannot manage, use, or view AWS owned keys. However, you don't need to take action or change programs to protect keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys). 

 If you disable Amazon Inspector, it permanently deletes all resources it stores or maintains for you, such as collected inventory and security findings. 

## Encryption at rest for code in your findings
<a name="encryption-code-snippets"></a>

 For Amazon Inspector Lambda code scanning, Amazon Inspector partners with Amazon Q to scan your code for vulnerabilities. When a vulnerability is detected, Amazon Q extracts a snippet of your code containing the vulnerability and stores that code until Amazon Inspector requests access. By default, Amazon Q uses an AWS owned key to encrypt the extracted code. However, you can configure Amazon Inspector to use your own customer-managed AWS KMS key for encryption. 

 The following workflow explains how Amazon Inspector uses the key you configure to encrypt your code: 

1.  You supply an AWS KMS key to Amazon Inspector using the Amazon Inspector [UpdateEncryptionKey](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEncryptionKey.html) API. 

1.  Amazon Inspector forwards the information about your AWS KMS key to Amazon Q, and Amazon Q stores the information for future use. 

1.  Amazon Q uses the KMS key you configured in Amazon Inspector through the key policy. 

1.  Amazon Q creates an encrypted data key from your AWS KMS key and stores it. This data key is used to encrypt your code data stored by Amazon Q. 

1.  When Amazon Inspector requests data from code scans, Amazon Q uses the KMS key to decrypt the data key. When you disable Lambda Code Scanning, Amazon Q deletes the associated data key. 

## Permissions for code encryption with a customer managed key
<a name="cmk-permissions"></a>

 For encryption, you must create a KMS key with [a policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) that includes a statement allowing Amazon Inspector and Amazon Q to perform the following actions. 
+  `kms:Decrypt` 
+  `kms:DescribeKey` 
+  `kms:Encrypt` 
+  `kms:GenerateDataKey` 
+  `kms:GenerateDataKeyWithoutPlaintext` 

**Policy statement**  
 You can use the following policy statement when creating the KMS key. 

**Note**  
 Replace `account-id` with your 12-digit AWS account ID. Replace `Region` with the AWS Region where you enabled Amazon Inspector and Lambda code scanning. Replace `role-ARN` with the Amazon Resource Name for your IAM role. 

```
{
  "Effect": "Allow",
  "Principal": {
    "Service": "q.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:qdeveloper:lambda-codescan-scope": "account-id"
    },
    "StringEquals": {
      "aws:SourceAccount": "account-id"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:qdeveloper:Region:account-id:scans/*"
    }
  }
},
{
  "Effect": "Allow",
  "Principal": {
    "Service": "q.amazonaws.com"
  },
  "Action": "kms:DescribeKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "account-id"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:qdeveloper:Region:account-id:scans/*"
    }
  }
},
{
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKey"
  ],
  "Principal": {
    "AWS": "role-ARN"
  },
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "inspector2.Region.amazonaws.com"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:qdeveloper:lambda-codescan-scope": "account-id"
    }
  }
},
{
  "Effect": "Allow",
  "Action": [
    "kms:DescribeKey"
  ],
  "Principal": {
    "AWS": "role-ARN"
  },
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "inspector2.Region.amazonaws.com"
    }
  }
}
```

 The policy statement is formatted in JSON. After you include the statement, review the policy to make sure the syntax is valid. If the statement is the last statement in the policy, place a comma after the closing brace for the previous statement. If the statement is the first statement or between two existing statements in the policy, place a comma after the closing brace for the statement. 

**Note**  
 Amazon Inspector no longer supports [grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to encrypt code snippets extracted from packages. If you are using a grant-based policy, you can still access your findings. However, if you ever update or reset your KMS key or disable Lambda Code Scanning, you will need to use the KMS key policy described in this section. 

 If you set, update, or reset the encryption key for your account, you must use an Amazon Inspector administrator policy, such as the AWS managed policy `AmazonInspector2FullAccess`. 
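An added example (not part of the AWS documentation) that fills the `account-id`, `Region` and `role-ARN` placeholders in the four statements above, merges them into an existing key policy by serialising JSON instead of hand-placing commas, and then checks that both principals end up with all five required actions. The account ID, Region and role ARN are constructed values.

```python
import json

# The five actions the section requires for Amazon Inspector and Amazon Q.
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}

# Constructed example: an existing key policy holding only the default root statement.
EXISTING_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootPermissions", "Effect": "Allow", "Action": "kms:*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Resource": "*"}]})

def inspector_statements(account_id, region, role_arn):
    """The four statements from the section with account-id, Region and role-ARN filled in."""
    data_actions = ["kms:Encrypt", "kms:Decrypt",
                    "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKey"]
    q_principal = {"Service": "q.amazonaws.com"}
    q_source = {"StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:qdeveloper:{region}:{account_id}:scans/*"}}
    scope = {"kms:EncryptionContext:aws:qdeveloper:lambda-codescan-scope": account_id}
    via_inspector = {"kms:ViaService": f"inspector2.{region}.amazonaws.com"}
    return [
        {"Effect": "Allow", "Principal": q_principal, "Action": data_actions,
         "Resource": "*", "Condition": {"StringLike": scope, **q_source}},
        {"Effect": "Allow", "Principal": q_principal, "Action": "kms:DescribeKey",
         "Resource": "*", "Condition": q_source},
        {"Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": data_actions,
         "Resource": "*", "Condition": {"StringEquals": via_inspector, "StringLike": scope}},
        {"Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": ["kms:DescribeKey"],
         "Resource": "*", "Condition": {"StringEquals": via_inspector}},
    ]

def merge_into_policy(policy_json, statements):
    """Append the statements to an existing policy; serialising handles the comma placement."""
    policy = json.loads(policy_json)
    policy.setdefault("Statement", []).extend(statements)
    return json.dumps(policy, indent=2)

def allowed_actions(policy_json, principal):
    """Actions granted by Allow statements whose Principal matches exactly (no Deny handling)."""
    actions = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == principal:
            action = stmt.get("Action", [])
            actions.update([action] if isinstance(action, str) else action)
    return actions

def missing_actions(policy_json, principal):
    """Required actions the principal still lacks; an empty set means the policy is complete."""
    return REQUIRED_ACTIONS - allowed_actions(policy_json, principal)
```

The check matches principals literally, so it reports the two principals the section names and does not try to evaluate wildcard or Deny statements elsewhere in the policy.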

## Configuring encryption with a customer managed key
<a name="configure-cmk-encryption"></a>

To configure encryption for your account using a customer managed key, you must be an Amazon Inspector administrator with the permissions outlined in [Permissions for code encryption with a customer managed key](#cmk-permissions). Additionally, you will need an AWS KMS key in the same AWS Region as your findings, or a [multi-region key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html). You can use an existing symmetric key in your account or create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs. For more information, see [Creating symmetric encryption AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the AWS KMS user guide.

**Note**  
 Effective June 13th, 2025, the service principal in AWS KMS requests logged in CloudTrail during code snippet encryption/decryption is changing from "codeguru-reviewer" to "q". 

### Using the Amazon Inspector API to configure encryption
<a name="w2aac60c14c13c17b7"></a>

To set a key for encryption, use the [UpdateEncryptionKey](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEncryptionKey.html) operation of the Amazon Inspector API while signed in as an Amazon Inspector administrator. In the API request, use the `kmsKeyId` field to specify the ARN of the AWS KMS key you want to use. For `scanType`, enter `CODE`, and for `resourceType`, enter `AWS_LAMBDA_FUNCTION`.

You can use the [GetEncryptionKey](https://docs.aws.amazon.com/inspector/v2/APIReference/API_GetEncryptionKey.html) API to view which AWS KMS key Amazon Inspector is using for encryption.

**Note**  
 If you attempt to use `GetEncryptionKey` when you haven't set a customer managed key, the operation returns a `ResourceNotFoundException` error, which means that an AWS owned key is being used for encryption.

If you delete the key or change its policy to deny access to Amazon Inspector or Amazon Q, you will be unable to access your code vulnerability findings, and Lambda code scanning will fail for your account.

You can use `ResetEncryptionKey` to resume using an AWS owned key to encrypt code extracted as part of your Amazon Inspector findings.
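The set, inspect and reset sequence from this section as an added example written against the boto3 `inspector2` client (not AWS's own code). The client is passed in so the block runs offline against the constructed `FakeInspector2` stand-in; `boto3.client("inspector2")` can be substituted when you have credentials carrying `AmazonInspector2FullAccess`. The key ARN is a constructed placeholder.

```python
# SCAN_SCOPE names the Lambda code-scan key slot the section describes.
SCAN_SCOPE = {"scanType": "CODE", "resourceType": "AWS_LAMBDA_FUNCTION"}

def current_key(client):
    """ARN of the customer managed key in use, or None when an AWS owned key is in use
    (GetEncryptionKey raises ResourceNotFoundException in that case)."""
    try:
        return client.get_encryption_key(**SCAN_SCOPE)["kmsKeyId"]
    except client.exceptions.ResourceNotFoundException:
        return None

def set_key(client, kms_key_arn):
    """UpdateEncryptionKey with kmsKeyId, then read the setting back to confirm it."""
    client.update_encryption_key(kmsKeyId=kms_key_arn, **SCAN_SCOPE)
    return current_key(client)

def reset_key(client):
    """ResetEncryptionKey returns the account to an AWS owned key."""
    client.reset_encryption_key(**SCAN_SCOPE)
    return current_key(client)

def run_workflow(client, kms_key_arn):
    """Keys observed before, after setting, and after resetting: (None, arn, None)."""
    return (current_key(client), set_key(client, kms_key_arn), reset_key(client))

class FakeInspector2:
    """Constructed offline stand-in for boto3.client("inspector2"): same call names,
    keyword parameters and error type as the real client, no network."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self):
        self._key = None  # None models "no customer managed key set"
    def get_encryption_key(self, scanType, resourceType):
        if self._key is None:
            raise self.exceptions.ResourceNotFoundException("no customer managed key")
        return {"kmsKeyId": self._key}
    def update_encryption_key(self, kmsKeyId, scanType, resourceType):
        self._key = kmsKeyId
        return {}
    def reset_encryption_key(self, scanType, resourceType):
        self._key = None
        return {}

if __name__ == "__main__":
    # Swap FakeInspector2() for boto3.client("inspector2") to run against the real service.
    demo_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed placeholder
    print(run_workflow(FakeInspector2(), demo_arn))
```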

# Encryption in transit
<a name="encryption-transit"></a>

AWS encrypts all data in transit between AWS internal systems and other AWS services. AWS Systems Manager gathers telemetry data from customer-owned EC2 instances and sends it to AWS over a Transport Layer Security (TLS)-protected channel for assessment. Amazon ECR and AWS Lambda function scan findings that are sent to Security Hub CSPM are encrypted using a TLS-protected channel. For more information about how Systems Manager encrypts data in transit, see [Data Protection in Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/data-protection.html).