AWS Inspector - User Guide

Simplified Integration with AWS Inspector: A Step-by-Step Guide for Effortless Integration

By integrating with AWS Inspector, the collection of vulnerability scan data for the production environment is streamlined. Scytale conducts comprehensive tests to verify the implementation of vulnerability scanning measures. It presents a detailed list of scanned resources, including the number of findings categorized by severity. This enables a comprehensive understanding of the security posture and allows for prioritization of remediation efforts based on severity levels.

Permissions: 

All the permissions required for the integration with AWS Inspector are read-only and do not allow Scytale to perform any actions within your AWS account.

You assign these permissions by creating a customer managed policy that contains the following actions, as detailed below in Step 1:

  • inspector2:ListCoverage

  • inspector2:ListFindingAggregations

  • inspector2:ListFindings

How to connect the AWS Inspector integration

Log in to the Scytale web app

  • Click on the "Integrations" menu on the left sidebar
  • Click on the "Connect" button under the AWS Inspector icon

Connect with IAM Role

Step 1: Create a policy in AWS IAM Console

  • Go to the AWS Console

  • In the top search bar, type IAM and select it under Services

  • On the left sidebar, go to Access Management and select Policies

  • On the Create policy screen, fill in the following:
    • Service - select Inspector2
    • Actions - search for and enable the following permissions (the read-only actions listed under Permissions above):
      • inspector2:ListCoverage
      • inspector2:ListFindingAggregations
      • inspector2:ListFindings
    • Resources - select the "All resources" option
    • Request conditions - leave as is

  • On the Review and create policy page, fill in the following fields:
    • Policy name: for example, scytale-aws-inspector
    • Description: optional, write your own description
    • Add tags (optional): there is no need to fill this in
    • Click on "Create policy"

Step 2: Create an IAM role 

  • On the left menu of the IAM service, select Roles.
  • In the top right corner, click on "Create role".
  • For the trusted entity type, select "AWS account".
  • Then, enable "Another AWS account"
    • The Account ID should be copied from the connection in Scytale.
  • Under Options, enable "Require external ID (Best practice when a third party will assume this role)"
    • The External ID should be copied from the connection in Scytale.
  • Please don't enable the "Require MFA" option.
  • Click on "Next"

  • In the Add permissions step, find the policy you created in the previous step.
  • Select (check) this policy.
  • Click on "Next"
  • Then, enter the role name and review the policy and role details.
  • Click on "Create role" if all the details are correct.

  • In the Scytale connection screen, paste the Role ARN.
  • Connection Name - used to differentiate between your connections, for instance if you manage multiple AWS accounts or connect to the integration multiple times. It is automatically titled (Connection 1, 2, 3, etc.), but you can change it to a custom name to make it easier to identify.
    For example: scytale-production-env.
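The two console steps above produce two IAM documents: the customer managed permissions policy from Step 1 and the role trust policy from Step 2. The following is an added example (not Scytale's own code) that builds both documents and checks the two properties that matter for this integration: that the policy grants only read-style Inspector2 calls, and that the role can be assumed by the Scytale account only when the external ID is presented. The account ID and external ID values are placeholders; the real values must be copied from the connection screen in Scytale.

```python
"""IAM documents equivalent to Step 1 and Step 2 of the guide.

Added example, not Scytale's code. SCYTALE_ACCOUNT_ID and
SCYTALE_EXTERNAL_ID are placeholders: copy the real values from the
connection screen in Scytale.
"""
import json

# Placeholders: replace with the values shown in the Scytale connection screen.
SCYTALE_ACCOUNT_ID = "123456789012"
SCYTALE_EXTERNAL_ID = "EXTERNAL-ID-FROM-SCYTALE"

# The read-only actions listed under "Permissions" in the guide.
INSPECTOR_READ_ACTIONS = [
    "inspector2:ListCoverage",
    "inspector2:ListFindingAggregations",
    "inspector2:ListFindings",
]


def permissions_policy():
    """Step 1: customer managed policy (Service Inspector2, "All resources")."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ScytaleInspectorReadOnly",
                "Effect": "Allow",
                "Action": INSPECTOR_READ_ACTIONS,
                "Resource": "*",
            }
        ],
    }


def trust_policy(account_id, external_id):
    """Step 2: trust policy for "Another AWS account" + "Require external ID".

    The external ID condition is what prevents a third party from being used
    as a confused deputy: the role can only be assumed when sts:ExternalId
    matches the value agreed with Scytale.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


# Action name prefixes that AWS uses for read-style API calls.
READ_ONLY_PREFIXES = ("List", "Get", "Describe", "BatchGet")


def is_read_only(policy):
    """True if every allowed action is a read-style inspector2 call.

    A wildcard such as "inspector2:*" or any write action fails this check.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if service != "inspector2" or not name.startswith(READ_ONLY_PREFIXES):
                return False
    return True


def requires_external_id(policy, expected_external_id):
    """True if every statement of the trust policy is gated on the expected external ID."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            return False
    return True


if __name__ == "__main__":
    # Print both documents so they can be compared with what the console created.
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(trust_policy(SCYTALE_ACCOUNT_ID, SCYTALE_EXTERNAL_ID), indent=2))
```

Running the script prints the two JSON documents; comparing them with the policy and trust relationship shown in the IAM console for the role you created is a quick way to confirm that nothing beyond the three List actions was granted and that the external ID condition survived the wizard.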