I organized the procedure for enabling opt-in regions after the fact when using Amazon Inspector policies in AWS Organizations
Introduction
When using Amazon Inspector policies in AWS Organizations, you can centrally manage Amazon Inspector scan settings for accounts under the organization.
This time, I verified the behavior when enabling the opt-in region Hong Kong (ap-east-1) after the fact, in an environment where an Amazon Inspector policy is already attached to the AWS Organizations Root and ALL_SUPPORTED (all regions supported by Amazon Inspector) is specified as the target region.
The documentation explains that specifying ALL_SUPPORTED automatically includes new regions, and that the Amazon Inspector delegated administrator is configured on a per-region basis.
Using the ALL_SUPPORTED option ensures that new regions are automatically included.
https://docs.aws.amazon.com/ja_jp/organizations/latest/userguide/orgs_manage_policies_inspector.html
Delegated administrators are at the region level.
https://docs.aws.amazon.com/ja_jp/inspector/latest/user/designating-admin.html
On the other hand, whether the existing Amazon Inspector policy is automatically re-evaluated when a delegated administrator is configured in an opt-in region that was enabled after the fact is not explicitly stated within the scope of what can be confirmed in the documentation.
As a conclusion, the following behaviors were confirmed in this verification:
- Simply enabling the Hong Kong region did not automatically enable Amazon Inspector for member accounts
- Simply configuring the Amazon Inspector delegated administrator in the Hong Kong region also did not enable Amazon Inspector for member accounts
- After configuring the delegated administrator, updating the existing Amazon Inspector policy without any content changes to trigger re-evaluation enabled Amazon Inspector for member accounts
Prerequisites
In this verification environment, the following state was used as a starting point.
| Item | Details |
|---|---|
| Amazon Inspector policy attachment target | AWS Organizations Root |
| Amazon Inspector policy target regions | ALL_SUPPORTED |
This article focuses not on the steps to create an Amazon Inspector policy itself, but on the behavior when an opt-in region is enabled after the fact in an environment where an existing Amazon Inspector policy is already in place.
Enabling the Hong Kong Region
First, the opt-in Hong Kong region was enabled in both the management account and member account.

Screen showing the Hong Kong region being enabled in the management account and member account
After enabling, confirm the region status.

Screen confirming that the Hong Kong region has been enabled
What is being enabled here is the operation to make the Hong Kong region available as an AWS account.
This operation alone does not complete the Amazon Inspector organizational management or member account association.
Checking the Amazon Inspector Screen in the Hong Kong Region
After enabling the Hong Kong region, I navigated to the Amazon Inspector screen for the Hong Kong region in the management account.
At this point, activation by the Amazon Inspector policy could not yet be confirmed.

State where Amazon Inspector has not yet been enabled in the Hong Kong region for the management account
It appears that there can be a lag in the display and status reflection on the Amazon Inspector side after enabling the region.
In this verification environment, after waiting some time and checking Account coverage, only the management account showed as Activated.
On the other hand, the member account was not displayed in Account coverage.

State where only the management account is Activated in Account coverage for the Hong Kong region
From this result, in this verification, simply enabling the Hong Kong region in both the management account and member account did not result in Amazon Inspector being automatically enabled for the member account.
Configuring the Amazon Inspector Delegated Administrator in the Hong Kong Region
Next, the Amazon Inspector delegated administrator was configured in the Hong Kong region.

Screen showing the Amazon Inspector delegated administrator being configured in the Hong Kong region
Configuring the delegated administrator establishes the prerequisite for performing Amazon Inspector organizational management.
Checking Account Coverage After Configuring the Delegated Administrator
After configuring the delegated administrator, Account coverage was checked before re-evaluating the Amazon Inspector policy.
The member account became visible, but its status remained Disassociated.

State where the member account is Disassociated in Account coverage after configuring the delegated administrator but before re-evaluating the policy
From this result, in this verification, simply configuring the delegated administrator in the Hong Kong region did not cause the existing Amazon Inspector policy to enable the member account.
This is an easy point to stumble on when adding an opt-in region after the fact.
The behavior was not that configuring the delegated administrator automatically re-applies the existing Amazon Inspector policy.
Re-evaluating the Amazon Inspector Policy
Next, the Amazon Inspector policy attached to AWS Organizations was updated without any content changes in order to trigger re-evaluation.
This time, the Amazon Inspector policy was edited from the AWS Management Console and updated without changing the content.
First, select the policy attached to the organization from the Amazon Inspector policy screen in AWS Organizations.

Screen showing the Amazon Inspector policy being selected from Configurations in AWS Organizations
Click Edit on the policy details screen.

Operation to proceed to the Amazon Inspector policy edit screen
This time, the policy content was not changed, and it was updated as-is.

Screen showing the Amazon Inspector policy being updated without content changes
In this verification, even without changing the policy content, the Amazon Inspector policy was re-evaluated by the update operation.
In actual operations, it would be a good idea to confirm the policy content before and after the update to avoid accidentally changing the policy content.
Checking Account Coverage for Member Accounts
After re-evaluating the Amazon Inspector policy, Account coverage for the Hong Kong region was checked.
The member account status changed to Activated.

State where the member account is Activated after policy re-evaluation
This confirmed that member accounts were enabled based on the Amazon Inspector policy in the Hong Kong region as well.
Checking ECR Rescan Settings as Needed
Finally, check the ECR rescan settings as needed.
In this verification, the Amazon Inspector ECR rescan settings screen was checked in the Hong Kong region.

Screen showing ECR rescan settings being checked in the Hong Kong region
With Amazon Inspector policies, you can manage which regions ECR scanning is enabled for.
On the other hand, detailed settings such as the ECR rescan duration cannot be configured with Amazon Inspector policies, so confirm and configure them separately on the delegated administrator account side as needed.
Organizing as an Operational Procedure
When enabling an opt-in region after the fact, the following flow would be advisable.
- Enable the target opt-in region in the management account and target member accounts
- Configure the Amazon Inspector delegated administrator in that region
- Trigger re-evaluation of the Amazon Inspector policy
- Confirm that the target accounts show as Activated in Account coverage
- Check ECR rescan settings in that region as needed
As such, in operations where opt-in regions are added after the fact, it would be advisable not to assume that "the policy is automatically re-applied in full after the region is enabled," and to include delegated administrator configuration and policy re-evaluation in the procedure.
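The Account coverage checks above (member account missing, then Disassociated, then Activated) can be scripted for the final confirmation step of this procedure. The following is an added example, not code from the article: it assumes the JSON shape returned by `aws inspector2 batch-get-account-status` in the target region, and the account IDs and statuses are constructed sample data.

```python
"""Report Amazon Inspector coverage gaps in one region from a
batch-get-account-status response. Added example; the response shape is
assumed to match `aws inspector2 batch-get-account-status`, and all
account IDs and statuses below are constructed sample values."""
import json

# Constructed sample: the region after the delegated administrator was set
# but before the Inspector policy was re-evaluated (member still DISABLED).
SAMPLE_RESPONSE = json.dumps({
    "accounts": [
        {"accountId": "111111111111",
         "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "ENABLED"},
                           "ecr": {"status": "ENABLED"},
                           "lambda": {"status": "ENABLED"}}},
        {"accountId": "222222222222",
         "state": {"status": "DISABLED"},
         "resourceState": {"ec2": {"status": "DISABLED"},
                           "ecr": {"status": "DISABLED"},
                           "lambda": {"status": "DISABLED"}}},
    ],
    "failedAccounts": [],
})


def coverage_gaps(response_json, expected_accounts, required=("ec2", "ecr")):
    """Return {accountId: reason} for each expected account that is not fully
    activated in this region. Accounts absent from the response are reported
    too, matching the console case where a member is missing from coverage."""
    data = json.loads(response_json)
    seen = {a["accountId"]: a for a in data.get("accounts", [])}
    failed = {f["accountId"]: f.get("errorCode", "UNKNOWN")
              for f in data.get("failedAccounts", [])}
    gaps = {}
    for acct in expected_accounts:
        if acct in failed:
            gaps[acct] = "lookup failed: " + failed[acct]
        elif acct not in seen:
            gaps[acct] = "not reported in this region"
        elif seen[acct]["state"]["status"] != "ENABLED":
            gaps[acct] = "account status " + seen[acct]["state"]["status"]
        else:
            # Account is on, but check the scan types the policy should enable.
            off = [r for r in required if seen[acct]["resourceState"]
                   .get(r, {}).get("status") != "ENABLED"]
            if off:
                gaps[acct] = "scan types not enabled: " + ",".join(off)
    return gaps


if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_RESPONSE,
                        ["111111111111", "222222222222", "333333333333"]))
```

Run it against the real response (saved with the CLI, region set to the newly enabled opt-in region) after each step; an empty result means every expected account is Activated with the required scan types on.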
Summary
I verified the behavior when enabling the opt-in Hong Kong region after the fact in an environment using Amazon Inspector policies in AWS Organizations.
In this verification, simply enabling the Hong Kong region and configuring the Amazon Inspector delegated administrator in that region was not sufficient to enable Amazon Inspector for member accounts.
It was confirmed that member accounts become Activated by updating the existing Amazon Inspector policy without any content changes to trigger re-evaluation.
When adding an opt-in region after the fact, it would be advisable to organize region enablement, delegated administrator configuration, Amazon Inspector policy re-evaluation, and Account coverage confirmation as a series of operational steps.