How to enable Inspector V2 using CloudFormation
2025.07.30
Problem
I want to enable Inspector V2's EC2 and ECR scan functionality using CloudFormation.
Please let me know how to write the template needed to accomplish this.
Answer
As of July 30, 2025, CloudFormation's resource type reference contains no resource for enabling Inspector V2.[^1]
Therefore, Inspector V2 cannot be enabled with CloudFormation's built-in features alone.
If you want to enable Inspector V2 through CloudFormation, you need to use a custom resource[^2].
Specifically, create a Lambda function that calls the Inspector V2 Enable API, and define a CloudFormation custom resource whose ServiceToken invokes that function.
Here's a sample implementation:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Enable Inspector V2'
#----------------------------------------------
# Parameters Section
#----------------------------------------------
Parameters:
  EnableEC2:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']
  EnableECR:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']
#----------------------------------------------
# Resources Section
#----------------------------------------------
Resources:
  InspectorV2EnablerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: InspectorV2EnablePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Inspector V2 enable/disable itself is not resource-scoped
              - Effect: Allow
                Action:
                  - inspector2:Enable
                  - inspector2:Disable
                  - inspector2:GetConfiguration
                Resource: '*'
              # Enable creates the Inspector service-linked role on first use;
              # grant that only for Inspector's own role, not for every service
              - Effect: Allow
                Action:
                  - iam:CreateServiceLinkedRole
                Resource: 'arn:aws:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2*'
                Condition:
                  StringEquals:
                    'iam:AWSServiceName': 'inspector2.amazonaws.com'
  InspectorV2EnablerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: InspectorV2Enabler
      Runtime: python3.9
      Handler: index.lambda_handler
      Role: !GetAtt InspectorV2EnablerRole.Arn
      Timeout: 60
      Code:
        ZipFile: |
          import json
          import boto3
          import cfnresponse

          def lambda_handler(event, context):
              try:
                  inspector_client = boto3.client('inspector2')
                  request_type = event['RequestType']
                  properties = event['ResourceProperties']
                  # Get resource types to enable
                  resource_types = []
                  if properties.get('EnableEC2') == 'true':
                      resource_types.append('EC2')
                  if properties.get('EnableECR') == 'true':
                      resource_types.append('ECR')
                  if request_type == 'Create' or request_type == 'Update':
                      if resource_types:
                          response = inspector_client.enable(
                              resourceTypes=resource_types
                          )
                          print(f"Enabled Inspector V2 for: {resource_types}")
                          print(f"Response: {response}")
                  elif request_type == 'Delete':
                      # Deleting the stack turns scanning off again for these types
                      if resource_types:
                          response = inspector_client.disable(
                              resourceTypes=resource_types
                          )
                          print(f"Disabled Inspector V2 for: {resource_types}")
                          print(f"Response: {response}")
                  # Always answer CloudFormation, otherwise the stack operation hangs
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  print(f"Error: {str(e)}")
                  cfnresponse.send(event, context, cfnresponse.FAILED, {})
  InspectorV2CustomResource:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt InspectorV2EnablerFunction.Arn
      EnableEC2: !Ref EnableEC2
      EnableECR: !Ref EnableECR
```
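The handler above only ever calls Enable on an Update, so changing EnableECR from 'true' to 'false' leaves ECR scanning running. The following handler, an added example rather than the page's template code, diffs the new properties against the OldResourceProperties CloudFormation sends on Update and disables the types that were dropped; FakeInspector2 is a constructed stand-in for boto3.client('inspector2') so the planning logic can be exercised offline.

```python
# Property name -> Inspector V2 resource type (the two types the question covers).
RESOURCE_TYPES = {"EnableEC2": "EC2", "EnableECR": "ECR"}

def wanted_types(props):
    """Resource types the custom resource properties ask to have enabled."""
    return {rt for key, rt in RESOURCE_TYPES.items()
            if str(props.get(key, "false")).lower() == "true"}

def plan(request_type, props, old_props=None):
    """Return (types_to_enable, types_to_disable) for one CloudFormation request.
    Update is diffed against OldResourceProperties, so a type switched from
    'true' to 'false' is disabled instead of being silently left running."""
    desired = wanted_types(props)
    if request_type == "Create":
        return sorted(desired), []
    if request_type == "Update":
        previous = wanted_types(old_props or {})
        return sorted(desired - previous), sorted(previous - desired)
    if request_type == "Delete":
        return [], sorted(desired)
    raise ValueError(f"unexpected RequestType: {request_type!r}")

def apply_plan(client, request_type, props, old_props=None):
    """Issue the Enable/Disable calls the plan requires and report what changed."""
    to_enable, to_disable = plan(request_type, props, old_props)
    if to_enable:
        client.enable(resourceTypes=to_enable)
    if to_disable:
        client.disable(resourceTypes=to_disable)
    return {"enabled": to_enable, "disabled": to_disable}

class FakeInspector2:
    """Constructed stand-in for boto3.client('inspector2') so the logic runs offline."""
    def __init__(self):
        self.calls = []
    def enable(self, resourceTypes):
        self.calls.append(("enable", list(resourceTypes)))
    def disable(self, resourceTypes):
        self.calls.append(("disable", list(resourceTypes)))

def lambda_handler(event, context):
    """Lambda entry point; boto3 and cfnresponse exist only inside Lambda, so import lazily."""
    import boto3, cfnresponse
    try:
        data = apply_plan(boto3.client("inspector2"), event["RequestType"],
                          event["ResourceProperties"], event.get("OldResourceProperties"))
        cfnresponse.send(event, context, cfnresponse.SUCCESS, {k: ",".join(v) for k, v in data.items()})
    except Exception as exc:  # report the failure so the stack does not hang on the custom resource
        print(f"Error: {exc}")
        cfnresponse.send(event, context, cfnresponse.FAILED, {"Error": str(exc)})
```

The module can be dropped into the ZipFile body of the template unchanged; the IAM policy already grants inspector2:Enable and inspector2:Disable, which are the only API calls it makes.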
[^1]: [Amazon Inspector resource type reference](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/TemplateReference/AWS_InspectorV2.html)
[^2]: [Custom resources with Lambda](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/template-custom-resources-lambda.html)