Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
AmazonInspector2ServiceRolePolicy
Descrizione: concede ad Amazon Inspector l'accesso ai dati necessari Servizi AWS per eseguire le valutazioni di sicurezza
AmazonInspector2ServiceRolePolicyè una politica gestita AWS .
Utilizzo di questa politica
Questa policy è associata a un ruolo collegato al servizio che consente al servizio di eseguire azioni per conto dell'utente. Non puoi collegare questa policy ai tuoi utenti, gruppi o ruoli.
Dettagli della politica
-
Tipo: politica relativa ai ruoli collegati ai servizi
-
Ora di creazione: 16 novembre 2021, 20:27 UTC
-
Ora modificata: 29 aprile 2025, 17:37 UTC
-
ARN:
arn:aws:iam::aws:policy/aws-service-role/AmazonInspector2ServiceRolePolicy
Versione della politica
Versione della politica: v16 (default) (predefinito)
La versione predefinita della politica è la versione che definisce le autorizzazioni per la politica. Quando un utente o un ruolo con la politica effettua una richiesta di accesso a una AWS risorsa, AWS controlla la versione predefinita della politica per determinare se consentire la richiesta.
Documento di policy JSON
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "TirosPolicy", "Effect" : "Allow", "Action" : [ "directconnect:DescribeConnections", "directconnect:DescribeDirectConnectGatewayAssociations", "directconnect:DescribeDirectConnectGatewayAttachments", "directconnect:DescribeDirectConnectGateways", "directconnect:DescribeVirtualGateways", "directconnect:DescribeVirtualInterfaces", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeCustomerGateways", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayConnects", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeTransitGateways", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetManagedPrefixListEntries", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:SearchTransitGatewayRoutes", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", "network-firewall:DescribeFirewall", "network-firewall:DescribeFirewallPolicy", "network-firewall:DescribeResourcePolicy", "network-firewall:DescribeRuleGroup", "network-firewall:ListFirewallPolicies", "network-firewall:ListFirewalls", "network-firewall:ListRuleGroups", "tiros:CreateQuery", "tiros:GetQueryAnswer" ], "Resource" : [ "*" ] }, { "Sid" : "PackageVulnerabilityScanning", "Effect" : "Allow", "Action" : [ "ecr:BatchGetImage", "ecr:BatchGetRepositoryScanningConfiguration", "ecr:DescribeImages", "ecr:DescribeRegistry", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:GetRegistryScanningConfiguration", "ecr:ListImages", "ecr:PutRegistryScanningConfiguration", "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts", "ssm:DescribeAssociation", "ssm:DescribeAssociationExecutions", "ssm:DescribeInstanceInformation", "ssm:ListAssociations", "ssm:ListResourceDataSync" ], "Resource" : "*" }, { "Sid" : "LambdaPackageVulnerabilityScanning", "Effect" : "Allow", "Action" : [ "lambda:ListFunctions", "lambda:GetFunction", "lambda:GetLayerVersion", "lambda:ListTags", "cloudwatch:GetMetricData" ], "Resource" : "*" }, { "Sid" : "GatherInventory", "Effect" : "Allow", "Action" : [ "ssm:CreateAssociation", "ssm:StartAssociationsOnce", "ssm:UpdateAssociation" ], "Resource" : [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:document/AmazonInspector2-*", "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory", "arn:aws:ssm:*:*:managed-instance/*", "arn:aws:ssm:*:*:association/*" ] }, { "Sid" : "GatherInventoryDeleteAssociation", "Effect" : "Allow", "Action" : [ "ssm:DeleteAssociation" ], "Resource" : [ "arn:aws:ssm:*:*:association/*" ] }, { "Sid" : "DataSyncCleanup", "Effect" : "Allow", "Action" : [ "ssm:CreateResourceDataSync", "ssm:DeleteResourceDataSync" ], "Resource" : [ "arn:aws:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete" ] }, { "Sid" : "ManagedRules", "Effect" : "Allow", "Action" : [ "events:PutRule", "events:DeleteRule", "events:DescribeRule", "events:ListTargetsByRule", "events:PutTargets", "events:RemoveTargets" ], "Resource" : [ "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule" ] }, { "Sid" : "LambdaCodeVulnerabilityScanning", "Effect" : "Allow", "Action" : [ "codeguru-security:CreateScan", "codeguru-security:GetAccountConfiguration", "codeguru-security:GetFindings", "codeguru-security:GetScan", "codeguru-security:ListFindings", "codeguru-security:BatchGetFindings", "codeguru-security:DeleteScansByCategory" ], "Resource" : [ "*" ] }, { "Sid" : "CodeGuruCodeVulnerabilityScanning", "Effect" : "Allow", "Action" : [ "iam:GetRole", "iam:GetRolePolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListAttachedRolePolicies", "iam:ListPolicies", "iam:ListPolicyVersions", "iam:ListRolePolicies", "lambda:ListVersionsByFunction" ], "Resource" : [ "*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "codeguru-security.amazonaws.com" ] } } }, { "Sid" : "Ec2DeepInspection", "Effect" : "Allow", "Action" : [ "ssm:PutParameter", "ssm:GetParameters", "ssm:DeleteParameter" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/inspector-aws/service/inspector-linux-application-paths" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "AllowManagementOfServiceLinkedChannel", "Effect" : "Allow", "Action" : [ "cloudtrail:CreateServiceLinkedChannel", "cloudtrail:DeleteServiceLinkedChannel" ], "Resource" : [ "arn:aws:cloudtrail:*:*:channel/aws-service-channel/inspector2/*" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "AllowListServiceLinkedChannels", "Effect" : "Allow", "Action" : [ "cloudtrail:ListServiceLinkedChannels" ], "Resource" : [ "*" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "AllowToRunInvokeCisSpecificDocuments", "Effect" : "Allow", "Action" : [ "ssm:SendCommand", "ssm:GetCommandInvocation" ], "Resource" : [ "arn:aws:ssm:*:*:document/AmazonInspector2-InvokeInspectorSsmPluginCIS" ] }, { "Sid" : "AllowToRunCisCommandsToSpecificResources", "Effect" : "Allow", "Action" : [ "ssm:SendCommand" ], "Resource" : [ "arn:aws:ec2:*:*:instance/*" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "AllowToPutCloudwatchMetricData", "Effect" : "Allow", "Action" : [ "cloudwatch:PutMetricData" ], "Resource" : [ "*" ], "Condition" : { "StringEquals" : { "cloudwatch:namespace" : "AWS/Inspector2" } } }, { "Sid" : "AllowListAccessToECSAndEKS", "Effect" : "Allow", "Action" : [ "ecs:ListClusters", "ecs:ListTasks", "eks:ListClusters" ], "Resource" : [ "*" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "AllowAccessToECSTasks", "Effect" : "Allow", "Action" : [ "ecs:DescribeTasks" ], "Resource" : "arn:aws:ecs:*:*:task/*", "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } } ] }
Ulteriori informazioni
