additional persmissions for inspector

Author: kazmer97

CHANGELOG.md

@@ -5,6 +5,10 @@ SPDX-License-Identifier: MIT-0
 
 ## [Unreleased]
 
+### Fixed
+
+- **Pattern-2 ECR Enhanced Scanning Support** - Added required IAM permissions (inspector2:ListCoverage, inspector2:ListFindings) to Pattern2DockerBuildRole to support AWS accounts with Amazon Inspector Enhanced Scanning enabled. Also added KMS permissions (kms:Decrypt, kms:CreateGrant) for customer-managed encryption keys. This resolves AccessDenied errors and CodeBuild timeouts when deploying Pattern-2 in accounts with enhanced scanning enabled.
+
 ## [0.4.1]
 
 ### Changed

patterns/pattern-2/template.yaml

@@ -156,6 +156,8 @@ Resources:
         rules_to_suppress:
           - id: W11
             reason: "Wildcard permissions required for CloudWatch Logs creation"
+          - id: W12
+            reason: "Amazon Inspector ListCoverage and ListFindings require wildcard resource per AWS documentation"
     Properties:
       Path: /
       AssumeRolePolicyDocument:
@@ -201,6 +203,20 @@ Resources:
                 Action:
                   - ecr:DescribeImageScanFindings
                   - ecr:StartImageScan
+              # Required for Amazon Inspector Enhanced Scanning
+              # https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced-iam.html
+              - Resource: "*"
+                Effect: Allow
+                Action:
+                  - inspector2:ListCoverage
+                  - inspector2:ListFindings
+              # Required when ECR repository uses customer-managed KMS key encryption
+              - Resource:
+                  - !Ref CustomerManagedEncryptionKeyArn
+                Effect: Allow
+                Action:
+                  - kms:Decrypt
+                  - kms:CreateGrant
 
   Pattern2ECRRepository:
     Type: AWS::ECR::Repository