{"id":19508795,"url":"https://github.com/rhythmictech/terraform-aws-inspector","last_synced_at":"2026-02-28T17:02:38.313Z","repository":{"id":51669225,"uuid":"234168387","full_name":"rhythmictech/terraform-aws-inspector","owner":"rhythmictech","description":"Configures AWS Inspector. Optionally configures a CloudWatch scheduled event to trigger assessments based on a specified schedule.","archived":false,"fork":false,"pushed_at":"2024-10-01T18:57:48.000Z","size":44,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-26T03:44:01.162Z","etag":null,"topics":["aws","aws-inspector","cloudwatch","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/rhythmictech/inspector/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rhythmictech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-15T20:37:40.000Z","updated_at":"2024-10-01T18:57:50.000Z","dependencies_parsed_at":"2025-04-26T03:41:55.152Z","dependency_job_id":null,"html_url":"https://github.com/rhythmictech/terraform-aws-inspector","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/rhythmictech/terraform-aws-inspector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-inspector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-insp
ector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-inspector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-inspector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rhythmictech","download_url":"https://codeload.github.com/rhythmictech/terraform-aws-inspector/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-inspector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274914939,"owners_count":25373188,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-13T02:00:10.085Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-inspector","cloudwatch","terraform","terraform-module"],"created_at":"2024-11-10T23:09:55.830Z","updated_at":"2026-02-28T17:02:32.536Z","avatar_url":"https://github.com/rhythmictech.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# terraform-aws-inspector\nConfigures AWS Inspector. 
Optionally creates an SNS topic for Inspector findings notifications.\n\n[![tflint](https://github.com/rhythmictech/terraform-aws-inspector/workflows/tflint/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-inspector/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)\n[![trivy](https://github.com/rhythmictech/terraform-aws-inspector/workflows/trivy/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-inspector/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)\n[![yamllint](https://github.com/rhythmictech/terraform-aws-inspector/workflows/yamllint/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-inspector/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)\n[![misspell](https://github.com/rhythmictech/terraform-aws-inspector/workflows/misspell/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-inspector/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)\n[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-inspector/workflows/pre-commit-check/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-inspector/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)\n\u003ca href=\"https://twitter.com/intent/follow?screen_name=RhythmicTech\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/RhythmicTech?style=social\u0026logo=twitter\" alt=\"follow on Twitter\"\u003e\u003c/a\u003e\n\n\n## Overview\n\nThis module provides flexible configuration options for AWS Inspector, catering to different account types and organizational structures. It can be used in various scenarios, from simple single-account setups to complex multi-account organizations.\n\n## Usage Scenarios\n\n### 1. 
Single Account (Ad Hoc) Setup\n\nFor a simple setup in a single AWS account:\n\n```hcl\nmodule \"inspector\" {\n  source                    = \"rhythmictech/inspector/aws\"\n  create_notification_topic = true\n  auto_enable_ec2           = true\n  auto_enable_ecr           = true\n  auto_enable_lambda        = true\n}\n```\n\nThis configuration enables Inspector for the current account, sets up automatic scanning for EC2, ECR, and Lambda resources, and creates an SNS topic for notifications.\n\n### 2. Management Account in an AWS Organization\n\nWhen deploying from the management account of an AWS Organization:\n\n```hcl\nmodule \"inspector\" {\n  source = \"rhythmictech/inspector/aws\"\n\n  delegated_admin_account_id = \"123456789012\"\n  enable_inspector           = false\n}\n```\n\nThis designates account 123456789012 as the delegated administrator for Inspector, so that account (rather than the management account) manages Inspector settings for the organization. Because `enable_inspector = false`, Inspector is not enabled in the management account itself; if the management account runs workloads that should be scanned, leave `enable_inspector` at its default of `true`.\n\n### 3. Delegated Administrator Account\n\nFor deployment in a delegated administrator account:\n\n```hcl\nmodule \"inspector\" {\n  source                             = \"rhythmictech/inspector/aws\"\n  is_delegated_admin                 = true\n  auto_enable_ec2                    = true\n  auto_enable_ecr                    = true\n  auto_enable_lambda                 = true\n  enable_inspector_for_all_accounts  = true\n  create_notification_topic          = true\n}\n```\n\nThis configuration sets up the account as the delegated administrator, turns on automatic EC2, ECR, and Lambda scanning organization-wide (Lambda code scanning is a separate flag, `auto_enable_lambda_code`, and stays off here), associates all member accounts, and creates a notification topic.\n\n### 4. Member Account\n\nFor individual member accounts (if needed):\n\n```hcl\nmodule \"inspector\" {\n  source                    = \"rhythmictech/inspector/aws\"\n  create_notification_topic = true\n}\n```\n\nThis minimal setup enables Inspector for the member account and creates a local notification topic. 
Note that in most cases, member accounts are managed through the delegated administrator account.\n\n## Features\n\n- Enables AWS Inspector for specified accounts\n- Configures organization-wide settings if the account is a delegated administrator\n- Optionally sets up a delegated administrator account\n- Can automatically associate all member accounts in the organization with Inspector\n- Creates an SNS topic for Inspector findings notifications (optional)\n- Supports various resource types for scanning (EC2, ECR, Lambda)\n\n## Example\n\n```hcl\nmodule \"inspector\" {\n  source                            = \"rhythmictech/inspector/aws\"\n  is_delegated_admin                = true\n  auto_enable_ec2                   = true\n  auto_enable_ecr                   = true\n  auto_enable_lambda                = true\n  create_notification_topic         = true\n  enable_inspector_for_all_accounts = true\n  excluded_account_ids              = [\"123456789012\", \"210987654321\"]\n}\n```\n\nThis example sets up a comprehensive Inspector configuration for an AWS Organization, including delegated administration, automatic scanning for multiple resource types, and member account association. The two accounts listed in `excluded_account_ids` are left out of enablement, so nothing in them is scanned by Inspector; keep that list short and deliberate, and verify after apply that every account you expect to be covered actually reports Inspector as enabled.\n\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.1 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 5.66.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudwatch_event_rule.inspector_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |\n| 
[aws_cloudwatch_event_target.send_to_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |\n| [aws_inspector2_delegated_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_delegated_admin_account) | resource |\n| [aws_inspector2_enabler.enable_for_all_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_enabler) | resource |\n| [aws_inspector2_enabler.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_enabler) | resource |\n| [aws_inspector2_member_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_member_association) | resource |\n| [aws_inspector2_organization_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_organization_configuration) | resource |\n| [aws_sns_topic.inspector_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |\n| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_accounts_to_associate_with_inspector\"\u003e\u003c/a\u003e [accounts\\_to\\_associate\\_with\\_inspector](#input\\_accounts\\_to\\_associate\\_with\\_inspector) | List of AWS account IDs to associate with Inspector (used for more granular control over which accounts are associated with Inspector; see README for more details) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_auto_enable_ec2\"\u003e\u003c/a\u003e 
[auto\\_enable\\_ec2](#input\\_auto\\_enable\\_ec2) | Auto-enable EC2 scanning | `bool` | `false` | no |\n| \u003ca name=\"input_auto_enable_ecr\"\u003e\u003c/a\u003e [auto\\_enable\\_ecr](#input\\_auto\\_enable\\_ecr) | Auto-enable ECR scanning | `bool` | `false` | no |\n| \u003ca name=\"input_auto_enable_lambda\"\u003e\u003c/a\u003e [auto\\_enable\\_lambda](#input\\_auto\\_enable\\_lambda) | Auto-enable Lambda function scanning | `bool` | `false` | no |\n| \u003ca name=\"input_auto_enable_lambda_code\"\u003e\u003c/a\u003e [auto\\_enable\\_lambda\\_code](#input\\_auto\\_enable\\_lambda\\_code) | Auto-enable Lambda function code scanning (only if auto\\_enable\\_lambda is true) | `bool` | `false` | no |\n| \u003ca name=\"input_create_notification_topic\"\u003e\u003c/a\u003e [create\\_notification\\_topic](#input\\_create\\_notification\\_topic) | Whether to create SNS topic for Inspector findings notifications | `bool` | `true` | no |\n| \u003ca name=\"input_delegated_admin_account_id\"\u003e\u003c/a\u003e [delegated\\_admin\\_account\\_id](#input\\_delegated\\_admin\\_account\\_id) | The AWS account ID to be set as a delegated administrator for Inspector | `string` | `null` | no |\n| \u003ca name=\"input_enable_inspector\"\u003e\u003c/a\u003e [enable\\_inspector](#input\\_enable\\_inspector) | Whether to enable Inspector for the current account | `bool` | `true` | no |\n| \u003ca name=\"input_enable_inspector_for_all_accounts\"\u003e\u003c/a\u003e [enable\\_inspector\\_for\\_all\\_accounts](#input\\_enable\\_inspector\\_for\\_all\\_accounts) | Whether to enable Inspector for all accounts in the organization (see README for more details) | `bool` | `false` | no |\n| \u003ca name=\"input_excluded_account_ids\"\u003e\u003c/a\u003e [excluded\\_account\\_ids](#input\\_excluded\\_account\\_ids) | List of account IDs to exclude from Inspector enablement when enable\\_inspector\\_for\\_all\\_accounts is true | `list(string)` | `[]` | no |\n| \u003ca 
name=\"input_inspector_name\"\u003e\u003c/a\u003e [inspector\\_name](#input\\_inspector\\_name) | Name prefix for Inspector-related resources | `string` | `\"inspector\"` | no |\n| \u003ca name=\"input_is_delegated_admin\"\u003e\u003c/a\u003e [is\\_delegated\\_admin](#input\\_is\\_delegated\\_admin) | Whether this account is a delegated administrator | `bool` | `false` | no |\n| \u003ca name=\"input_resource_types\"\u003e\u003c/a\u003e [resource\\_types](#input\\_resource\\_types) | List of resource types to be scanned | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"EC2\",\u003cbr\u003e  \"ECR\",\u003cbr\u003e  \"LAMBDA\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_sns_kms_master_key_id\"\u003e\u003c/a\u003e [sns\\_kms\\_master\\_key\\_id](#input\\_sns\\_kms\\_master\\_key\\_id) | The ID of the AWS KMS key to use for SNS topic encryption | `string` | `\"alias/aws/sns\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Tags to apply to resources that support tagging | `map(string)` | `{}` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_sns_topic_arn\"\u003e\u003c/a\u003e [sns\\_topic\\_arn](#output\\_sns\\_topic\\_arn) | ARN of the SNS topic for Inspector findings |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhythmictech%2Fterraform-aws-inspector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frhythmictech%2Fterraform-aws-inspector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhythmictech%2Fterraform-aws-inspector/lists"}