Connecting AWS Inspector to Drata allows automated, continuous monitoring of SLA due dates and automated evidence collection for the vulnerability issues required for compliance.
This will automate evidence collection for the Records of Vulnerability Scans test, which is mapped to DCF-18 by default.
Prerequisites
Drata supports AWS Inspector v2 only. AWS Inspector Classic is not supported.
Note: Drata syncs up to 1,000 new or updated vulnerabilities per day for each connection, sorted by severity from critical to low.
What you’ll do
Create a policy that allows read-only access to AWS Inspector.
Attach the policy to your existing AWS Drata role.
Use that role’s ARN to complete the connection.
Create a Policy
Create a new policy for accessing AWS Inspector.
Sign in to the AWS Console with an account that has permission to create a new role.
Go to IAM service > Policies in the sidebar, then select Create policy.
Select the JSON tab.
Select all of the default policy text in the editor and paste the Drata policy below over it.
Drata Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "inspector2:ListFilters",
        "inspector2:GetMember",
        "inspector2:ListUsageTotals",
        "inspector2:ListCoverageStatistics",
        "inspector2:ListFindings",
        "inspector2:ListFindingAggregations",
        "inspector2:ListCoverage",
        "inspector2:GetFindingsReportStatus",
        "inspector2:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
Select Next: Tags. If your organization uses them, add those tags.
Select Next: Review.
Enter the following values:
Name: DrataAwsInspectorPolicy (the Drata policy name)
Description: Provides read-only access for Drata AWS Inspector connection (the Drata policy description)
Select the Create policy button.
Update your AWS Drata role
Attach the new Policy to your existing AWS Drata role.
Sign in to the AWS Management Console and open the IAM console.
Navigate to your current AWS Drata Autopilot Role (DrataAutopilotRole).
Select Add permissions and then Attach policies.
Search for and attach the DrataAwsInspectorPolicy policy.
Copy the AWS Role ARN value. You will enter the Role ARN value during the connection process.
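Before attaching a policy to a cross-account role such as DrataAutopilotRole, it is worth confirming that it grants only the read-only Inspector actions the article lists. The following Python script is an added example, not Drata's or AWS's own code: it audits the policy document from this article (treating Get, List and Describe as the only read-only verbs, which is an assumption) and builds the AWS CLI equivalents of the console steps above. The account ID 123456789012 is a placeholder.

```python
import json

# The Drata policy document from the article, as a Python dict.
DRATA_INSPECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "inspector2:ListFilters",
                "inspector2:GetMember",
                "inspector2:ListUsageTotals",
                "inspector2:ListCoverageStatistics",
                "inspector2:ListFindings",
                "inspector2:ListFindingAggregations",
                "inspector2:ListCoverage",
                "inspector2:GetFindingsReportStatus",
                "inspector2:ListTagsForResource",
            ],
            "Resource": "*",
        }
    ],
}

# Assumption: these IAM action-name prefixes are treated as read-only.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def audit_read_only_policy(policy, allowed_services=("inspector2",)):
    """Return a list of problems for anything that is not a read-only Allow
    on the expected service. An empty list means the policy is as narrow as
    the article describes."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource grant everything except what is listed.
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: NotAction/NotResource grants more than it lists")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action!r}")
                continue
            service, _, verb = action.partition(":")
            if service not in allowed_services:
                problems.append(f"statement {i}: unexpected service in {action!r}")
            elif not verb.startswith(READ_ONLY_VERBS):
                problems.append(f"statement {i}: non-read-only action {action!r}")
    return problems


def cli_commands(policy, policy_name, role_name, account_id):
    """Build the AWS CLI equivalents of the console steps: create the managed
    policy, then attach it to the existing Drata role."""
    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    return [
        f"aws iam create-policy --policy-name {policy_name} "
        f"--description 'Provides read-only access for Drata AWS Inspector connection' "
        f"--policy-document '{json.dumps(policy)}'",
        f"aws iam attach-role-policy --role-name {role_name} --policy-arn {policy_arn}",
    ]


if __name__ == "__main__":
    issues = audit_read_only_policy(DRATA_INSPECTOR_POLICY)
    print("policy audit:", "OK (read-only inspector2 only)" if not issues else issues)
    # 123456789012 is a placeholder account ID, not a real one.
    for cmd in cli_commands(DRATA_INSPECTOR_POLICY, "DrataAwsInspectorPolicy",
                            "DrataAutopilotRole", "123456789012"):
        print(cmd)
```

Run the audit against any locally edited copy of the policy before pasting it into the console; a wildcard action, an action on another service, or a Create/Update/Delete verb shows up as a problem line.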
During the AWS Inspector connection process, you can choose which vulnerabilities to sync based on severity, AWS region, and detection date. These filters help tailor your sync to your compliance requirements.
Connect AWS Inspector in Drata
In Drata, go to the Connections page and search and select AWS Inspector.
Paste the Role ARN you copied from AWS.
Configure which vulnerabilities Drata will sync. These selections are also included in the test result report for visibility.
Severity: Select the vulnerability levels to include, such as Critical, High, or Medium.
AWS regions: Choose the AWS regions your ARN role has access to.
First seen on: Drata will sync vulnerabilities detected on or after the selected date.
Select Connect.
Drata automatically begins syncing vulnerabilities based on your configurations.
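The severity, region and first-seen filters interact with the 1,000-per-day limit noted under Prerequisites: because the sync is ordered from critical to low, a large backlog of high-severity findings can push lower-severity ones to a later day. The following Python function is an added illustration of that interaction, not Drata's own sync code; the sample findings are constructed, and the tie-break by first-seen date within a severity level is an assumption.

```python
from datetime import date

# Constructed sample findings with a few Inspector v2-style fields (not real data).
SAMPLE_FINDINGS = [
    {"id": "f1", "severity": "CRITICAL", "region": "us-east-1", "first_seen": date(2024, 3, 10)},
    {"id": "f2", "severity": "HIGH",     "region": "us-east-1", "first_seen": date(2024, 3, 12)},
    {"id": "f3", "severity": "LOW",      "region": "us-east-1", "first_seen": date(2024, 3, 15)},
    {"id": "f4", "severity": "HIGH",     "region": "eu-west-1", "first_seen": date(2024, 3, 16)},
    {"id": "f5", "severity": "MEDIUM",   "region": "us-east-1", "first_seen": date(2024, 2, 1)},
    {"id": "f6", "severity": "CRITICAL", "region": "us-east-1", "first_seen": date(2024, 3, 20)},
]

# Sync order stated in the article: critical first, low last.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def select_findings_for_sync(findings, severities, regions, first_seen_on, daily_cap=1000):
    """Apply the connection filters, order by severity (then first-seen date,
    an assumption), and split at the daily cap. Returns (synced, deferred)."""
    matching = [
        f for f in findings
        if f["severity"] in severities
        and f["region"] in regions
        and f["first_seen"] >= first_seen_on
    ]
    matching.sort(key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["first_seen"]))
    return matching[:daily_cap], matching[daily_cap:]


if __name__ == "__main__":
    synced, deferred = select_findings_for_sync(
        SAMPLE_FINDINGS,
        severities={"CRITICAL", "HIGH", "LOW"},
        regions={"us-east-1"},
        first_seen_on=date(2024, 3, 1),
        daily_cap=3,  # small cap so the deferral is visible on sample data
    )
    print("synced today:", [f["id"] for f in synced])
    print("deferred    :", [f["id"] for f in deferred])
```

With the filters above, f4 (wrong region) and f5 (Medium, and first seen before the cutoff) are excluded; with a cap of 3 the two Critical and one High findings sync first and the Low finding waits for a later day.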
You can view the findings by selecting View Findings after connecting AWS Inspector, or by navigating directly to the Vulnerabilities page through the left-side navigation menu.
Learn more in the Vulnerabilities help article.