HERE'S WHY
Connecting Amazon Inspector (AWS) to Drata enables automated, continuous monitoring and evidence collection for the vulnerability findings that your compliance framework requires you to track.
Connecting AWS Inspector will automate evidence collection for the ‘Records of Vulnerability Scans’ test, which is mapped to DCF-18 by default. You will also be able to view findings by clicking the ‘View Findings’ button on the connection card after successful setup.
BEFORE DIVING IN
Vulnerability records upper limit: The Records of Vulnerability Scans test supports up to 100,000 (100k) findings through this connection. If you have more findings than that, the connection produces only an aggregate summary and you will need to provide the detailed evidence manually.
Note: if you have more than 100k vulnerabilities, Drata shows the following aggregate view instead of the individual findings:
For existing customers with manually uploaded vulnerability reports: Drata will not check Amazon Inspector for evidence while those reports are present. Instead, the mapping between the uploaded vulnerability report and the control is kept in the Evidence Library. You can add future vulnerability reports to the same Evidence Library record by updating that evidence.
Drata supports AWS Inspector 2 only. AWS Inspector Classic is not supported.
HERE'S HOW
Overview of what we're going to set up:
Create a new Policy for accessing AWS Inspector
Attach the new Policy to your existing AWS Drata role
Use the ARN for this role to connect AWS Inspector with Drata
Create a Policy
Log in to the AWS Console with an account that has permission to create IAM policies and attach them to roles
Go to the IAM service
Click the 'Policies' link in the sidebar
Click on the 'Create Policy' button
Copy the Drata Policy below
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "inspector2:ListFilters",
        "inspector2:GetMember",
        "inspector2:ListUsageTotals",
        "inspector2:ListCoverageStatistics",
        "inspector2:ListFindings",
        "inspector2:ListFindingAggregations",
        "inspector2:ListCoverage",
        "inspector2:GetFindingsReportStatus",
        "inspector2:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
Click the 'JSON' tab.
Select all of the default policy in the editor and paste over it.
Click the 'Next: Tags' button.
(Optional) If your company uses tags, enter them here.
Click the 'Next: Review' button.
Copy and paste the Drata Policy Name into the 'Name' field exactly as it appears below.
DrataAwsInspectorPolicy
Copy and paste the Drata Policy Description into the 'Description' field.
Provides read-only access for Drata AWS Inspector Connection
Click the 'Create policy' button.
Update your AWS Drata Role
Search for your existing AWS Drata Autopilot Role
Inside the Drata Autopilot Role, select 'Add permissions' and then 'Attach policies'
Search for and attach the DrataAwsInspectorPolicy:
DrataAwsInspectorPolicy
Copy the Role ARN value from AWS and paste it into the Role ARN field in Drata.
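The same three steps (create the policy, attach it to the existing Drata role, read back the role ARN) can be done from the AWS CLI instead of the console. The script below is an added example, not Drata's own tooling. It assumes the AWS CLI v2 is installed and configured with credentials that may create IAM policies and attach them to roles; the role name DrataAutopilotRole is an assumption, so set ROLE_NAME to whatever your Drata role is actually called. Before it touches AWS it checks that every action in the policy is a read-only List/Get/Describe verb, and after attaching it asks IAM's policy simulator whether the role can now call inspector2:ListFindings.

```shell
#!/bin/sh
# Added example (not Drata's code): set up the AWS Inspector policy for the
# Drata role with the AWS CLI. ROLE_NAME is an assumption; override it.
ROLE_NAME="${ROLE_NAME:-DrataAutopilotRole}"
POLICY_NAME="DrataAwsInspectorPolicy"
POLICY_DESC="Provides read-only access for Drata AWS Inspector Connection"

# The policy document from the setup instructions, emitted by a function so it
# can be inspected locally before anything is sent to AWS.
drata_inspector_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "inspector2:ListFilters",
        "inspector2:GetMember",
        "inspector2:ListUsageTotals",
        "inspector2:ListCoverageStatistics",
        "inspector2:ListFindings",
        "inspector2:ListFindingAggregations",
        "inspector2:ListCoverage",
        "inspector2:GetFindingsReportStatus",
        "inspector2:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Least-privilege check: with "Resource": "*" the only thing keeping this
# policy read-only is the verb list, so refuse anything that is not
# List*/Get*/Describe*. Prints "ok", or the offending actions.
check_readonly() {
  bad=$(drata_inspector_policy_json \
    | grep -o '"inspector2:[A-Za-z]*"' \
    | tr -d '"' \
    | grep -v -E '^inspector2:(List|Get|Describe)' || true)
  if [ -z "$bad" ]; then echo ok; else echo "$bad"; fi
}

# Number of actions granted (one per line in the document above).
count_actions() {
  drata_inspector_policy_json | grep -c '"inspector2:'
}

# Step 1: create the managed policy. create-policy fails if the name already
# exists, which is the safe default (no silent overwrite). Prints the ARN.
create_policy() {
  tmp=$(mktemp)
  drata_inspector_policy_json > "$tmp"
  aws iam create-policy \
    --policy-name "$POLICY_NAME" \
    --description "$POLICY_DESC" \
    --policy-document "file://$tmp" \
    --query 'Policy.Arn' --output text
  rm -f "$tmp"
}

# Step 2: attach the policy to the existing Drata role. This changes only the
# role's permissions; its trust policy (who may assume it) is untouched.
attach_policy() {
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$1"
}

# Step 3: the role ARN to paste into the Drata connection dialog.
role_arn() {
  aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text
}

# Post-check: ask the IAM policy simulator whether the role can now call one
# of the granted actions. Expect "allowed".
verify_role() {
  aws iam simulate-principal-policy \
    --policy-source-arn "$1" \
    --action-names inspector2:ListFindings \
    --query 'EvaluationResults[0].EvalDecision' --output text
}

# Only talk to AWS when explicitly asked: sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  [ "$(check_readonly)" = ok ] || { echo "policy is not read-only: $(check_readonly)"; exit 1; }
  policy_arn=$(create_policy)
  attach_policy "$policy_arn"
  role=$(role_arn)
  echo "Role ARN for Drata: $role"
  echo "IAM simulation for inspector2:ListFindings: $(verify_role "$role")"
fi
```

Run it as `sh setup.sh apply` with admin credentials; without the `apply` argument it only defines the functions, so the read-only check can be run on its own. If the simulator reports anything other than "allowed", look for a permissions boundary or an SCP on the account that denies inspector2 actions before re-checking the connection in Drata.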
Here is what you will see after connecting AWS Inspector