Amazon Inspector (AWS)

This article walks through the details of configuring AWS Inspector to connect to Drata.

Written by Faraz Yaghouti
Updated over a week ago

HERE'S WHY

Connecting Amazon AWS Inspector to Drata allows for automated, continuous monitoring and evidence collection covering the dozens of vulnerability issues required for compliance.

Connecting AWS Inspector will automate evidence collection for the ‘Records of Vulnerability Scans’ test, which is mapped to DCF-18 by default. You will also be able to view findings by clicking the ‘View Findings’ button on the connection card after successful setup.

BEFORE DIVING IN

  • Vulnerability records upper limit: The Records of Vulnerability Scans test only supports up to 100 thousand results with this connection. If you have more results, this connection will produce a summary and you will need to manually provide evidence.

Note: if you have more than 100k vulnerabilities, Drata shows an aggregate view instead of the individual records.

  • For existing customers with manual Vulnerability reports: We will not check Amazon Inspector for evidence when these reports are present. Instead, we create the mapping between the uploaded vulnerability report and the control in the Evidence Library. You may add any future vulnerability reports to the same Evidence Library record by updating the evidence.

  • Drata supports AWS Inspector 2 only. AWS Inspector Classic is not supported.

HERE'S HOW

Overview of what we're going to set up:

  • Create a new Policy for accessing AWS Inspector

  • Attach the new Policy to your existing AWS Drata role

  • Use the ARN for this role to connect AWS Inspector with Drata

Create a Policy

  1. Log in to the AWS Console with an account that has access to create a new role

  2. Go to the IAM service

  3. Click the 'Policies' link in the sidebar

  4. Click on the 'Create Policy' button

  5. Copy the Drata Policy below

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "inspector2:ListFilters",
                    "inspector2:GetMember",
                    "inspector2:ListUsageTotals",
                    "inspector2:ListCoverageStatistics",
                    "inspector2:ListFindings",
                    "inspector2:ListFindingAggregations",
                    "inspector2:ListCoverage",
                    "inspector2:GetFindingsReportStatus",
                    "inspector2:ListTagsForResource"
                ],
                "Resource": "*"
            }
        ]
    }

  6. Click the 'JSON' tab.

  7. Select all of the default policy in the editor and paste over it.

  8. Click the 'Next: Tags' button.

  9. (Optional) If your company uses tags, enter them here.

  10. Click the 'Next: Review' button.

  11. Copy and paste the Drata Policy Name into the 'Name' field exactly as it appears below.

    DrataAwsInspectorPolicy

  12. Copy and paste the Drata Policy Description into the 'Description' field.

    Provides read-only access for Drata AWS Inspector Connection

  13. Click the 'Create policy' button.

Update your AWS Drata Role

  1. Search for your current AWS Drata Autopilot Role

  2. Inside your Drata Autopilot Role, select 'Add Permissions' and then 'Attach Policies'

  3. Search for and attach the DrataAwsInspectorPolicy:

    DrataAwsInspectorPolicy

  4. Copy and paste the Role ARN value from AWS into the Role ARN field in Drata.
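As an added example (not Drata's own code or tooling), the following Python script assembles the policy document from the steps above, checks that every action it grants is a read-only inspector2 call before anything is created, and, when given a role name, performs the create-and-attach steps through boto3. The role name, the installed boto3 library and configured AWS credentials are assumptions.

```python
"""Build, sanity-check and (optionally) create/attach the DrataAwsInspectorPolicy."""
import json
import sys

POLICY_NAME = "DrataAwsInspectorPolicy"
POLICY_DESCRIPTION = "Provides read-only access for Drata AWS Inspector Connection"
# Actions copied verbatim from the policy in the article above.
INSPECTOR_ACTIONS = [
    "inspector2:ListFilters", "inspector2:GetMember", "inspector2:ListUsageTotals",
    "inspector2:ListCoverageStatistics", "inspector2:ListFindings",
    "inspector2:ListFindingAggregations", "inspector2:ListCoverage",
    "inspector2:GetFindingsReportStatus", "inspector2:ListTagsForResource",
]
READ_ONLY_PREFIXES = ("List", "Get", "Describe")

def build_policy(actions=INSPECTOR_ACTIONS):
    """Return the IAM policy document as a dict (same shape as the article's JSON)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

def violations(policy):
    """List every Allow action that is not a read-only inspector2 call (empty = OK)."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            service, _, verb = action.partition(":")
            if service != "inspector2":
                problems.append(f"non-inspector2 action: {action}")
            elif "*" in verb or not verb.startswith(READ_ONLY_PREFIXES):
                problems.append(f"not read-only: {action}")
    return problems

def create_and_attach(role_name, iam_client):
    """Create the policy and attach it to the Drata Autopilot role; returns the policy ARN."""
    resp = iam_client.create_policy(PolicyName=POLICY_NAME, Description=POLICY_DESCRIPTION,
                                    PolicyDocument=json.dumps(build_policy()))
    arn = resp["Policy"]["Arn"]
    iam_client.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return arn

if __name__ == "__main__":
    policy = build_policy()
    problems = violations(policy)
    if problems:
        sys.exit("refusing to create policy: " + "; ".join(problems))
    print(json.dumps(policy, indent=2))
    if len(sys.argv) > 1:  # usage: python drata_inspector_policy.py <DrataAutopilotRoleName>
        import boto3  # assumption: boto3 installed and AWS credentials configured
        print("attached", create_and_attach(sys.argv[1], boto3.client("iam")))
```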

Here is what you will see after connecting AWS Inspector
