AWS Inspector V2
Collects Inspector V2 vulnerability findings, coverage data, and account status for compliance assessment. Designed for GovCloud clients without Security Hub.
Evidence Collected:
- Inspector account status and enablement state
- Resource coverage and scan status (EC2, ECR, Lambda)
- Vulnerability findings with severity, CVE identifiers, and remediation recommendations
- Coverage statistics by resource type
- Organization member account scanning status
Usage:
# Basic evidence collection (default - creates evidence, no issues)
regscale aws sync_inspector --regscale_id 123
# Collect evidence for specific controls
regscale aws sync_inspector --regscale_id 123 --evidence-control-ids RA-5,SI-2,CM-6
# Filter by AWS account
regscale aws sync_inspector --regscale_id 123 --account-id 123456789012
# Filter by resource tags
regscale aws sync_inspector --regscale_id 123 --tags Environment=production,Compliance=required
# Create issues/vulnerabilities from findings (non-default)
regscale aws sync_inspector --regscale_id 123 --create-issues --create-vulnerabilities --no-collect-evidence
# Create POA&Ms for failed controls
regscale aws sync_inspector --regscale_id 123 --create-poams --update-control-status
# Force refresh cached data (cache TTL: 4 hours)
regscale aws sync_inspector --regscale_id 123 --force-refresh
---
Inspector V2 Integration Permissions
┌───────────────────────────────────┬───────────────────────────────────────────────┐
│ Permission                        │ Purpose                                       │
├───────────────────────────────────┼───────────────────────────────────────────────┤
│ inspector2:BatchGetAccountStatus  │ Check if Inspector is enabled for the account │
├───────────────────────────────────┼───────────────────────────────────────────────┤
│ inspector2:ListCoverage           │ List resources covered by Inspector scans     │
├───────────────────────────────────┼───────────────────────────────────────────────┤
│ inspector2:ListCoverageStatistics │ Get coverage stats by resource type           │
├───────────────────────────────────┼───────────────────────────────────────────────┤
│ inspector2:ListFindings           │ Pull vulnerability findings                   │
├───────────────────────────────────┼───────────────────────────────────────────────┤
│ inspector2:ListMembers            │ List org member accounts (multi-account only) │
└───────────────────────────────────┴───────────────────────────────────────────────┘
Minimum IAM Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RegScaleInspectorReadOnly",
      "Effect": "Allow",
      "Action": [
        "inspector2:BatchGetAccountStatus",
        "inspector2:ListCoverage",
        "inspector2:ListCoverageStatistics",
        "inspector2:ListFindings",
        "inspector2:ListMembers"
      ],
      "Resource": "*"
    }
  ]
}
Note: All Inspector V2 permissions require Resource: "*" — Inspector does not support resource-level restrictions. This is read-only access; the integration never modifies AWS resources.
Optional (for cross-account access via role assumption):
{
  "Sid": "RegScaleCrossAccountAssume",
  "Effect": "Allow",
  "Action": ["sts:AssumeRole"],
  "Resource": "arn:aws:iam::<TARGET_ACCOUNT>:role/<ROLE_NAME>"
}
---
Inspector V2 Authentication
Supports multiple authentication methods (priority order):
1. Cached session (--session-name): From regscale aws auth login
2. Explicit credentials: --aws-access-key-id + --aws_secret_access_key + optional --aws_session_token
3. AWS profile (--profile): Named profile from ~/.aws/credentials
4. Default credential chain: Environment variables, EC2 instance metadata, ECS task role
---
Inspector V2 NIST 800-53 R5 Evidence Workflow
# Complete Inspector evidence collection across all mapped controls
regscale aws sync_inspector --regscale_id 123 --evidence-control-ids RA-5,SI-2,CM-6,SA-11
# Production environment only
regscale aws sync_inspector --regscale_id 123 --tags Environment=production --evidence-control-ids RA-5,SI-2
# Multi-account organization - filter by account
regscale aws sync_inspector --regscale_id 123 --account-id 123456789012
# Full compliance run with issues and POA&Ms
regscale aws sync_inspector --regscale_id 123 \
--create-issues \
--create-vulnerabilities \
--create-poams \
--update-control-status \
--evidence-control-ids RA-5,SI-2,CM-6,SA-11
---
Inspector V2 Prerequisites
1. AWS Inspector V2 must be enabled in the target account — the integration checks this via BatchGetAccountStatus before proceeding
2. Resource scanning must be active — enable EC2, ECR, and/or Lambda scanning in Inspector settings
3. For multi-account setups: The calling account must be a delegated administrator for Inspector in the organization
4. Caching: Data is cached for 4 hours; use --force-refresh to bypass the cache
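The following is an added illustration, not RegScale's own code, of the two Inspector V2 calls this workflow rests on: the BatchGetAccountStatus prerequisite check (items 1 and 2 above) and a filtered, paginated ListFindings pull reduced to the evidence fields listed at the top of the page (severity, CVE identifier, resource, remediation). The way --account-id and --tags map onto the ListFindings filterCriteria keys awsAccountId and resourceTags is an assumption about the integration; the field names themselves are the real Inspector V2 API names. The client is injected so the same functions run against boto3.client("inspector2") under any of the credential methods above or against the constructed FakeInspector class below, whose responses (including the CVE-0000-* identifiers) are hand-written placeholders, not captured AWS output.

```python
"""Added example: Inspector V2 prerequisite check plus filtered findings collection.
The client is injected; pass boto3.client("inspector2") for a real run."""
from collections import Counter
from typing import Any, Dict, List, Optional


class InspectorNotEnabled(RuntimeError):
    """Raised when Inspector, or every resource scan type, is not ENABLED for the account."""


def check_account_status(client: Any, account_id: str) -> Dict[str, str]:
    """Prerequisites 1 and 2: Inspector must be ENABLED and at least one of
    ec2/ecr/lambda scanning active. Reads the real BatchGetAccountStatus shape
    (accounts[].state.status and accounts[].resourceState.<type>.status)."""
    resp = client.batch_get_account_status(accountIds=[account_id])
    failed = {f["accountId"]: f for f in resp.get("failedAccounts", [])}
    if account_id in failed:
        raise InspectorNotEnabled(f"{account_id}: {failed[account_id].get('errorMessage', 'lookup failed')}")
    for acct in resp.get("accounts", []):
        if acct["accountId"] != account_id:
            continue
        if acct["state"]["status"] != "ENABLED":
            raise InspectorNotEnabled(f"{account_id}: Inspector status is {acct['state']['status']}")
        scan_state = {rtype: st["status"] for rtype, st in acct.get("resourceState", {}).items()}
        if "ENABLED" not in scan_state.values():
            raise InspectorNotEnabled(f"{account_id}: no EC2/ECR/Lambda scanning is enabled")
        return scan_state
    raise InspectorNotEnabled(f"{account_id}: not returned by BatchGetAccountStatus")


def build_filter_criteria(account_id: Optional[str] = None,
                          tags: Optional[Dict[str, str]] = None) -> Dict[str, list]:
    """Assumed mapping of --account-id / --tags onto ListFindings filterCriteria.
    Only ACTIVE findings are pulled, so closed findings do not become evidence."""
    criteria: Dict[str, list] = {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}
    if account_id:
        criteria["awsAccountId"] = [{"comparison": "EQUALS", "value": account_id}]
    if tags:
        criteria["resourceTags"] = [{"comparison": "EQUALS", "key": k, "value": v}
                                    for k, v in tags.items()]
    return criteria


def collect_findings(client: Any, criteria: Dict[str, list]) -> List[Dict[str, Any]]:
    """Follow nextToken until exhausted and flatten each finding to the evidence
    fields: severity, CVE id, first affected resource id, remediation text."""
    evidence: List[Dict[str, Any]] = []
    token = None
    while True:
        kwargs: Dict[str, Any] = {"filterCriteria": criteria, "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_findings(**kwargs)
        for f in resp.get("findings", []):
            pkg = f.get("packageVulnerabilityDetails", {})
            evidence.append({
                "severity": f["severity"],
                "cve": pkg.get("vulnerabilityId"),
                "resource": f["resources"][0]["id"] if f.get("resources") else None,
                "fix": f.get("remediation", {}).get("recommendation", {}).get("text"),
            })
        token = resp.get("nextToken")
        if not token:
            return evidence


def severity_summary(evidence: List[Dict[str, Any]]) -> Dict[str, int]:
    """Counts per severity, the headline number an RA-5 / SI-2 evidence record carries."""
    return dict(Counter(e["severity"] for e in evidence))


class FakeInspector:
    """Constructed stand-in for boto3.client('inspector2'). Responses follow the
    real API shape but every value (ids, CVEs) is a placeholder."""

    def batch_get_account_status(self, accountIds):
        return {"accounts": [{"accountId": accountIds[0],
                              "state": {"status": "ENABLED"},
                              "resourceState": {"ec2": {"status": "ENABLED"},
                                                "ecr": {"status": "ENABLED"},
                                                "lambda": {"status": "DISABLED"}}}],
                "failedAccounts": []}

    def list_findings(self, **kwargs):
        # Two pages so the nextToken loop is exercised.
        page1 = {"findings": [
            {"severity": "CRITICAL", "resources": [{"id": "i-0constructed0001"}],
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00001"},
             "remediation": {"recommendation": {"text": "Update the affected package"}}},
            {"severity": "HIGH", "resources": [{"id": "i-0constructed0002"}],
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00002"}}],
            "nextToken": "page2"}
        page2 = {"findings": [
            {"severity": "HIGH", "resources": [{"id": "constructed-ecr-image"}],
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003"}}]}
        return page2 if kwargs.get("nextToken") == "page2" else page1


def run(client: Any, account_id: str, tags: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Prerequisite check first, then the filtered evidence pull and its summary."""
    scans = check_account_status(client, account_id)
    findings = collect_findings(client, build_filter_criteria(account_id, tags))
    return {"scan_state": scans, "findings": findings, "by_severity": severity_summary(findings)}


if __name__ == "__main__":
    print(run(FakeInspector(), "123456789012", {"Environment": "production"}))
```

Because check_account_status runs before any ListFindings call, a disabled account or an account with no active scan types fails fast with a readable message instead of silently producing an empty evidence set, which is the failure mode the prerequisites list is warning about.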
