Amazon Inspector examples using Amazon CLI - Amazon Command Line Interface
Actions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Inspector examples using Amazon CLI

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon Inspector.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use add-attributes-to-findings.

Amazon CLI

To add attributes to findings

The following add-attribute-to-finding command assigns an attribute with the key of Example and value of example to the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU:

aws inspector add-attributes-to-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU --attributes key=Example,value=example

Output:

{
    "failedItems": {}
}

For more information, see Amazon Inspector Findings in the Amazon Inspector guide.

The following code example shows how to use create-assessment-target.

Amazon CLI

To create an assessment target

The following create-assessment-target command creates an assessment target named ExampleAssessmentTarget using the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv:

aws inspector create-assessment-target --assessment-target-name ExampleAssessmentTarget --resource-group-arn arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv

Output:

{
    "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX"
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

The following code example shows how to use create-assessment-template.

Amazon CLI

To create an assessment template

The following create-assessment-template command creates an assessment template called ExampleAssessmentTemplate for the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX:

aws inspector create-assessment-template --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX --assessment-template-name ExampleAssessmentTemplate --duration-in-seconds 180 --rules-package-arns arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p --user-attributes-for-findings key=ExampleTag,value=examplevalue

Output:

{
    "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T"
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use create-resource-group.

Amazon CLI

To create a resource group

The following create-resource-group command creates a resource group using the tag key of Name and value of example:

aws inspector create-resource-group --resource-group-tags key=Name,value=example

Output:

{
   "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv"
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

The following code example shows how to use delete-assessment-run.

Amazon CLI

To delete an assessment run

The following delete-assessment-run command deletes the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-11LMTAVe:

aws inspector delete-assessment-run --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-11LMTAVe

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use delete-assessment-target.

Amazon CLI

To delete an assessment target

The following delete-assessment-target command deletes the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:

aws inspector delete-assessment-target --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

The following code example shows how to use delete-assessment-template.

Amazon CLI

To delete an assessment template

The following delete-assessment-template command deletes the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T:

aws inspector delete-assessment-template --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use describe-assessment-runs.

Amazon CLI

To describe assessment runs

The following describe-assessment-run command describes an assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE:

aws inspector describe-assessment-runs --assessment-run-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE

Output:

{
        "assessmentRuns": [
          {
                "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
                "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
                "completedAt": 1458680301.4,
                "createdAt": 1458680170.035,
                "dataCollected": true,
                "durationInSeconds": 3600,
                "name": "Run 1 for ExampleAssessmentTemplate",
                "notifications": [],
                "rulesPackageArns": [
                  "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
                ],
                "startedAt": 1458680170.161,
                "state": "COMPLETED",
                "stateChangedAt": 1458680301.4,
                "stateChanges": [
                  {
                        "state": "CREATED",
                        "stateChangedAt": 1458680170.035
                  },
                  {
                        "state": "START_DATA_COLLECTION_PENDING",
                        "stateChangedAt": 1458680170.065
                  },
                  {
                        "state": "START_DATA_COLLECTION_IN_PROGRESS",
                        "stateChangedAt": 1458680170.096
                  },
                  {
                        "state": "COLLECTING_DATA",
                        "stateChangedAt": 1458680170.161
                  },
                  {
                        "state": "STOP_DATA_COLLECTION_PENDING",
                        "stateChangedAt": 1458680239.883
                  },
                  {
                        "state": "DATA_COLLECTED",
                        "stateChangedAt": 1458680299.847
                  },
                  {
                        "state": "EVALUATING_RULES",
                        "stateChangedAt": 1458680300.099
                  },
                  {
                        "state": "COMPLETED",
                        "stateChangedAt": 1458680301.4
                  }
                ],
                "userAttributesForFindings": []
          }
        ],
        "failedItems": {}
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use describe-assessment-targets.

Amazon CLI

To describe assessment targets

The following describe-assessment-targets command describes the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:

aws inspector describe-assessment-targets --assessment-target-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq

Output:

{
      "assessmentTargets": [
        {
              "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
              "createdAt": 1458074191.459,
              "name": "ExampleAssessmentTarget",
              "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
              "updatedAt": 1458074191.459
        }
      ],
      "failedItems": {}
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

The following code example shows how to use describe-assessment-templates.

Amazon CLI

To describe assessment templates

The following describe-assessment-templates command describes the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw:

aws inspector describe-assessment-templates --assessment-template-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw

Output:

{
      "assessmentTemplates": [
        {
              "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
              "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
              "createdAt": 1458074191.844,
              "durationInSeconds": 3600,
              "name": "ExampleAssessmentTemplate",
              "rulesPackageArns": [
                "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
              ],
              "userAttributesForFindings": []
        }
      ],
      "failedItems": {}
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use describe-cross-account-access-role.

Amazon CLI

To describe the cross account access role

The following describe-cross-account-access-role command describes the IAM role that enables Amazon Inspector to access your Amazon account:

aws inspector describe-cross-account-access-role

Output:

{
        "registeredAt": 1458069182.826,
        "roleArn": "arn:aws:iam::123456789012:role/inspector",
        "valid": true
}

For more information, see Setting up Amazon Inspector in the Amazon Inspector guide.

The following code example shows how to use describe-findings.

Amazon CLI

To describe findings

The following describe-findings command describes the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4:

aws inspector describe-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4

Output:

{
      "failedItems": {},
      "findings": [
        {
              "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
              "assetAttributes": {
                "ipv4Addresses": [],
                "schemaVersion": 1
              },
              "assetType": "ec2-instance",
              "attributes": [],
              "confidence": 10,
              "createdAt": 1458680301.37,
              "description": "Amazon Inspector did not find any potential security issues during this assessment.",
              "indicatorOfCompromise": false,
              "numericSeverity": 0,
              "recommendation": "No remediation needed.",
              "schemaVersion": 1,
              "service": "Inspector",
              "serviceAttributes": {
                "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
                "rulesPackageArn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP",
                "schemaVersion": 1
              },
              "severity": "Informational",
              "title": "No potential security issues found",
              "updatedAt": 1458680301.37,
              "userAttributes": []
        }
      ]
}

For more information, see Amazon Inspector Findings in the Amazon Inspector guide.

The following code example shows how to use describe-resource-groups.

Amazon CLI

To describe resource groups

The following describe-resource-groups command describes the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI:

aws inspector describe-resource-groups --resource-group-arns arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI

Output:

{
      "failedItems": {},
      "resourceGroups": [
        {
              "arn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
              "createdAt": 1458074191.098,
              "tags": [
                {
                      "key": "Name",
                      "value": "example"
                }
              ]
        }
      ]
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

The following code example shows how to use describe-rules-packages.

Amazon CLI

To describe rules packages

The following describe-rules-packages command describes the rules package with the ARN of arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p:

aws inspector describe-rules-packages --rules-package-arns arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p

Output:

{
      "failedItems": {},
      "rulesPackages": [
        {
              "arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
              "description": "The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and
              Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service
              or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see
              [https://cve.mitre.org/](https://cve.mitre.org/). If a particular CVE appears in one of the produced Findings at the end of a completed
              Inspector assessment, you can search [https://cve.mitre.org/](https://cve.mitre.org/) using the CVE's ID (for example, \"CVE-2009-0021\") to
              find detailed information about this CVE, its severity, and how to mitigate it. ",
              "name": "Common Vulnerabilities and Exposures",
              "provider": "Amazon Web Services, Inc.",
              "version": "1.1"
        }
      ]
}

For more information, see Amazon Inspector Rules Packages and Rules in the Amazon Inspector guide.

The following code example shows how to use get-telemetry-metadata.

Amazon CLI

To get the telemetry metadata

The following get-telemetry-metadata command generates information about the data that is collected for the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE:

aws inspector get-telemetry-metadata --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE

Output:

{
      "telemetryMetadata": [
        {
              "count": 2,
              "dataSize": 345,
              "messageType": "InspectorDuplicateProcess"
        },
        {
              "count": 3,
              "dataSize": 255,
              "messageType": "InspectorTimeEventMsg"
        },
        {
              "count": 4,
              "dataSize": 1082,
              "messageType": "InspectorNetworkInterface"
        },
        {
              "count": 2,
              "dataSize": 349,
              "messageType": "InspectorDnsEntry"
        },
        {
              "count": 11,
              "dataSize": 2514,
              "messageType": "InspectorDirectoryInfoMsg"
        },
        {
              "count": 1,
              "dataSize": 179,
              "messageType": "InspectorTcpV6ListeningPort"
        },
        {
              "count": 101,
              "dataSize": 10949,
              "messageType": "InspectorTerminal"
        },
        {
              "count": 26,
              "dataSize": 5916,
              "messageType": "InspectorUser"
        },
        {
              "count": 282,
              "dataSize": 32148,
              "messageType": "InspectorDynamicallyLoadedCodeModule"
        },
        {
              "count": 18,
              "dataSize": 10172,
              "messageType": "InspectorCreateProcess"
        },
        {
              "count": 3,
              "dataSize": 8001,
              "messageType": "InspectorProcessPerformance"
        },
        {
              "count": 1,
              "dataSize": 360,
              "messageType": "InspectorOperatingSystem"
        },
        {
              "count": 6,
              "dataSize": 546,
              "messageType": "InspectorStopProcess"
        },
        {
              "count": 1,
              "dataSize": 1553,
              "messageType": "InspectorInstanceMetaData"
        },
        {
              "count": 2,
              "dataSize": 434,
              "messageType": "InspectorTcpV4Connection"
        },
        {
              "count": 474,
              "dataSize": 2960322,
              "messageType": "InspectorPackageInfo"
        },
        {
              "count": 3,
              "dataSize": 2235,
              "messageType": "InspectorSystemPerformance"
        },
        {
              "count": 105,
              "dataSize": 46048,
              "messageType": "InspectorCodeModule"
        },
        {
              "count": 1,
              "dataSize": 182,
              "messageType": "InspectorUdpV6ListeningPort"
        },
        {
              "count": 2,
              "dataSize": 371,
              "messageType": "InspectorUdpV4ListeningPort"
        },
        {
              "count": 18,
              "dataSize": 8362,
              "messageType": "InspectorKernelModule"
        },
        {
              "count": 29,
              "dataSize": 48788,
              "messageType": "InspectorConfigurationInfo"
        },
        {
              "count": 1,
              "dataSize": 79,
              "messageType": "InspectorMonitoringStart"
        },
        {
              "count": 5,
              "dataSize": 0,
              "messageType": "InspectorSplitMsgBegin"
        },
        {
              "count": 51,
              "dataSize": 4593,
              "messageType": "InspectorGroup"
        },
        {
              "count": 1,
              "dataSize": 184,
              "messageType": "InspectorTcpV4ListeningPort"
        },
        {
              "count": 1159,
              "dataSize": 3146579,
              "messageType": "Total"
        },
        {
              "count": 5,
              "dataSize": 0,
              "messageType": "InspectorSplitMsgEnd"
        },
        {
              "count": 1,
              "dataSize": 612,
              "messageType": "InspectorLoadImageInProcess"
        }
      ]
}

The following code example shows how to use list-assessment-run-agents.

Amazon CLI

To list assessment run agents

The following list-assessment-run-agents command lists the agents of the assessment run with the specified ARN.

aws inspector list-assessment-run-agents \
    --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE

Output:

{
    "assessmentRunAgents": [
        {
            "agentHealth": "HEALTHY",
            "agentHealthCode": "HEALTHY",
            "agentId": "i-49113b93",
            "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
            "telemetryMetadata": [
                {
                    "count": 2,
                    "dataSize": 345,
                    "messageType": "InspectorDuplicateProcess"
                },
                {
                    "count": 3,
                    "dataSize": 255,
                    "messageType": "InspectorTimeEventMsg"
                },
                {
                    "count": 4,
                    "dataSize": 1082,
                    "messageType": "InspectorNetworkInterface"
                },
                {
                    "count": 2,
                    "dataSize": 349,
                    "messageType": "InspectorDnsEntry"
                },
                {
                    "count": 11,
                    "dataSize": 2514,
                    "messageType": "InspectorDirectoryInfoMsg"
                },
                {
                    "count": 1,
                    "dataSize": 179,
                    "messageType": "InspectorTcpV6ListeningPort"
                },
                {
                    "count": 101,
                    "dataSize": 10949,
                    "messageType": "InspectorTerminal"
                },
                {
                    "count": 26,
                    "dataSize": 5916,
                    "messageType": "InspectorUser"
                },
                {
                    "count": 282,
                    "dataSize": 32148,
                    "messageType": "InspectorDynamicallyLoadedCodeModule"
                },
                {
                    "count": 18,
                    "dataSize": 10172,
                    "messageType": "InspectorCreateProcess"
                },
                {
                    "count": 3,
                    "dataSize": 8001,
                    "messageType": "InspectorProcessPerformance"
                },
                {
                    "count": 1,
                    "dataSize": 360,
                    "messageType": "InspectorOperatingSystem"
                },
                {
                    "count": 6,
                    "dataSize": 546,
                    "messageType": "InspectorStopProcess"
                },
                {
                    "count": 1,
                    "dataSize": 1553,
                    "messageType": "InspectorInstanceMetaData"
                },
                {
                    "count": 2,
                    "dataSize": 434,
                    "messageType": "InspectorTcpV4Connection"
                },
                {
                    "count": 474,
                    "dataSize": 2960322,
                    "messageType": "InspectorPackageInfo"
                },
                {
                    "count": 3,
                    "dataSize": 2235,
                    "messageType": "InspectorSystemPerformance"
                },
                {
                    "count": 105,
                    "dataSize": 46048,
                    "messageType": "InspectorCodeModule"
                },
                {
                    "count": 1,
                    "dataSize": 182,
                    "messageType": "InspectorUdpV6ListeningPort"
                },
                {
                    "count": 2,
                    "dataSize": 371,
                    "messageType": "InspectorUdpV4ListeningPort"
                },
                {
                    "count": 18,
                    "dataSize": 8362,
                    "messageType": "InspectorKernelModule"
                },
                {
                    "count": 29,
                    "dataSize": 48788,
                    "messageType": "InspectorConfigurationInfo"
                },
                {
                    "count": 1,
                    "dataSize": 79,
                    "messageType": "InspectorMonitoringStart"
                },
                {
                    "count": 5,
                    "dataSize": 0,
                    "messageType": "InspectorSplitMsgBegin"
                },
                {
                    "count": 51,
                    "dataSize": 4593,
                    "messageType": "InspectorGroup"
                },
                {
                    "count": 1,
                    "dataSize": 184,
                    "messageType": "InspectorTcpV4ListeningPort"
                },
                {
                    "count": 1159,
                    "dataSize": 3146579,
                    "messageType": "Total"
                },
                {
                    "count": 5,
                    "dataSize": 0,
                    "messageType": "InspectorSplitMsgEnd"
                },
                {
                    "count": 1,
                    "dataSize": 612,
                    "messageType": "InspectorLoadImageInProcess"
                }
            ]
        }
    ]
}

For more information, see Amazon Agents in the Amazon Inspector User Guide.

The following code example shows how to use list-assessment-runs.

Amazon CLI

To list assessment runs

The following list-assessment-runs command lists all existing assessment runs.

aws inspector list-assessment-runs

Output:

{
    "assessmentRunArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v"
    ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.

The following code example shows how to use list-assessment-targets.

Amazon CLI

To list assessment targets

The following list-assessment-targets command lists all existing assessment targets:

aws inspector list-assessment-targets

Output:

{
       "assessmentTargetArns": [
       "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq"
       ]
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

The following code example shows how to use list-assessment-templates.

Amazon CLI

To list assessment templates

The following list-assessment-templates command lists all existing assessment templates:

aws inspector list-assessment-templates

Output:

{
       "assessmentTemplateArns": [
       "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
       "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh"
       ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use list-event-subscriptions.

Amazon CLI

To list event subscriptions

The following list-event-subscriptions command lists all the event subscriptions for the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0:

aws inspector list-event-subscriptions --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0

Output:

{
      "subscriptions": [
        {
              "eventSubscriptions": [
                {
                      "event": "ASSESSMENT_RUN_COMPLETED",
                      "subscribedAt": 1459455440.867
                }
              ],
              "resourceArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0",
              "topicArn": "arn:aws:sns:us-west-2:123456789012:exampletopic"
        }
      ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use list-findings.

Amazon CLI

To list findings

The following list-findings command lists all of the generated findings:

aws inspector list-findings

Output:

{
        "findingArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v/finding/0-tyvmqBLy"
      ]
}

For more information, see Amazon Inspector Findings in the Amazon Inspector guide.

  • For API details, see ListFindings in Amazon CLI Command Reference.

The following code example shows how to use list-rules-packages.

Amazon CLI

To list rules packages

The following list-rules-packages command lists all available Inspector rules packages:

aws inspector list-rules-packages

Output:

{
       "rulesPackageArns": [
         "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
         "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
         "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
         "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
       ]
 }

For more information, see Amazon Inspector Rules Packages and Rules in the Amazon Inspector guide.

The following code example shows how to use list-tags-for-resource.

Amazon CLI

To list tags for resource

The following list-tags-for-resource command lists all tags associated with the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-gcwFliYu:

aws inspector list-tags-for-resource --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-gcwFliYu

Output:

{
      "tags": [
        {
              "key": "Name",
              "value": "Example"
        }
      ]
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use preview-agents.

Amazon CLI

To preview agents

The following preview-agents command previews the agents installed on the EC2 instances that are part of the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:

aws inspector preview-agents --preview-agents-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq

Output:

{
      "agentPreviews": [
        {
              "agentId": "i-49113b93"
        }
      ]
}

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.

  • For API details, see PreviewAgents in Amazon CLI Command Reference.

The following code example shows how to use register-cross-account-access-role.

Amazon CLI

To register the cross account access role

The following register-cross-account-access-role command registers the IAM role with the ARN of arn:aws:iam::123456789012:role/inspector that Amazon Inspector uses to list your EC2 instances at the start of the assessment run of when you call the preview-agents command:

aws inspector register-cross-account-access-role --role-arn arn:aws:iam::123456789012:role/inspector

For more information, see Setting up Amazon Inspector in the Amazon Inspector guide.

The following code example shows how to use remove-attributes-from-findings.

Amazon CLI

To remove attributes from findings

The following remove-attributes-from-finding command removes the attribute with the key of Example and value of example from the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU:

aws inspector remove-attributes-from-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU --attribute-keys key=Example,value=example

Output:

{
      "failedItems": {}
}

For more information, see Amazon Inspector Findings in the Amazon Inspector guide.

The following code example shows how to use set-tags-for-resource.

Amazon CLI

To set tags for a resource

The following set-tags-for-resource command sets the tag with the key of Example and value of example to the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0:

aws inspector set-tags-for-resource --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 --tags key=Example,value=example

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use start-assessment-run.

Amazon CLI

To start an assessment run

The following start-assessment-run command starts the assessment run named examplerun using the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T:

aws inspector start-assessment-run --assessment-run-name examplerun --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T

Output:

{
      "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY"
}

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use stop-assessment-run.

Amazon CLI

To stop an assessment run

The following stop-assessment-run command stops the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY:

aws inspector stop-assessment-run --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use subscribe-to-event.

Amazon CLI

To subscribe to an event

The following example enables the process of sending Amazon SNS notifications about the ASSESSMENT_RUN_COMPLETED event to the topic with the ARN of arn:aws:sns:us-west-2:123456789012:exampletopic

aws inspector subscribe-to-event \
    --event ASSESSMENT_RUN_COMPLETED \
    --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 \
    --topic-arn arn:aws:sns:us-west-2:123456789012:exampletopic

This command produces no output.

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use unsubscribe-from-event.

Amazon CLI

To unsubscribe from an event

The following unsubscribe-from-event command disables the process of sending Amazon SNS notifications about the ASSESSMENT_RUN_COMPLETED event to the topic with the ARN of arn:aws:sns:us-west-2:123456789012:exampletopic:

aws inspector unsubscribe-from-event --event ASSESSMENT_RUN_COMPLETED --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 --topic arn:aws:sns:us-west-2:123456789012:exampletopic

For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.

The following code example shows how to use update-assessment-target.

Amazon CLI

To update an assessment target

The following update-assessment-target command updates the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX and the name of Example, and the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-yNbgL5Pt:

aws inspector update-assessment-target --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX --assessment-target-name Example --resource-group-arn arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-yNbgL5Pt

For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.