This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Amazon Inspector examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon Inspector.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Actions
The following code example shows how to use add-attributes-to-findings.
- Amazon CLI
To add attributes to findings
The following add-attributes-to-findings command assigns an attribute with the key of Example and value of example to the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU:
    aws inspector add-attributes-to-findings \
        --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU \
        --attributes key=Example,value=example
Output:
{ "failedItems": {} }
For more information, see Amazon Inspector Findings in the Amazon Inspector guide.
For API details, see AddAttributesToFindings in Amazon CLI Command Reference.

The following code example shows how to use create-assessment-target.
- Amazon CLI
To create an assessment target
The following create-assessment-target command creates an assessment target named ExampleAssessmentTarget using the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv:
    aws inspector create-assessment-target \
        --assessment-target-name ExampleAssessmentTarget \
        --resource-group-arn arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv
Output:
{ "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX" }
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
For API details, see CreateAssessmentTarget in Amazon CLI Command Reference.

The following code example shows how to use create-assessment-template.
- Amazon CLI
To create an assessment template
The following create-assessment-template command creates an assessment template called ExampleAssessmentTemplate for the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX:
    aws inspector create-assessment-template \
        --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX \
        --assessment-template-name ExampleAssessmentTemplate \
        --duration-in-seconds 180 \
        --rules-package-arns arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p \
        --user-attributes-for-findings key=ExampleTag,value=examplevalue
Output:
{ "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T" }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see CreateAssessmentTemplate in Amazon CLI Command Reference.

The following code example shows how to use create-filter.
- Amazon CLI
To create a filter
The following create-filter example creates a suppression rule that omits ECR instance type findings.
    aws inspector2 create-filter \
        --name "ExampleSuppressionRuleECR" \
        --description "This suppression rule omits ECR instance type findings" \
        --action SUPPRESS \
        --filter-criteria 'resourceType=[{comparison="EQUALS", value="AWS_ECR_INSTANCE"}]'
Output:
{ "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444" }
For more information, see Filtering Amazon Inspector findings in the Amazon Inspector User Guide.
For API details, see CreateFilter in Amazon CLI Command Reference.

The following code example shows how to use create-findings-report.
- Amazon CLI
To create a findings report
The following create-findings-report example creates a finding report.
    aws inspector2 create-findings-report \
        --report-format CSV \
        --s3-destination bucketName=inspector-sbom-123456789012,keyPrefix=sbom-key,kmsKeyArn=arn:aws:kms:us-west-2:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333 \
        --filter-criteria '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"debian"}]}'
Output:
{ "reportId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" }
For more information, see Managing findings in Amazon Inspector in the Amazon Inspector User Guide.
For API details, see CreateFindingsReport in Amazon CLI Command Reference.

The following code example shows how to use create-resource-group.
- Amazon CLI
To create a resource group
The following create-resource-group command creates a resource group using the tag key of Name and value of example:
    aws inspector create-resource-group \
        --resource-group-tags key=Name,value=example
Output:
{ "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv" }
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
For API details, see CreateResourceGroup in Amazon CLI Command Reference.

The following code example shows how to use create-sbom-export.
- Amazon CLI
To create a software bill of materials (SBOM) report
The following create-sbom-export example creates a software bill of materials (SBOM) report.
    aws inspector2 create-sbom-export \
        --report-format SPDX_2_3 \
        --resource-filter-criteria 'ecrRepositoryName=[{comparison="EQUALS",value="debian"}]' \
        --s3-destination bucketName=inspector-sbom-123456789012,keyPrefix=sbom-key,kmsKeyArn=arn:aws:kms:us-west-2:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333
Output:
{ "reportId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" }
For more information, see Exporting SBOMs with Amazon Inspector in the Amazon Inspector User Guide.
For API details, see CreateSbomExport in Amazon CLI Command Reference.

The following code example shows how to use delete-assessment-run.
- Amazon CLI
To delete an assessment run
The following delete-assessment-run command deletes the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-11LMTAVe:
    aws inspector delete-assessment-run \
        --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-11LMTAVe
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see DeleteAssessmentRun in Amazon CLI Command Reference.

The following code example shows how to use delete-assessment-target.
- Amazon CLI
To delete an assessment target
The following delete-assessment-target command deletes the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:
    aws inspector delete-assessment-target \
        --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
For API details, see DeleteAssessmentTarget in Amazon CLI Command Reference.

The following code example shows how to use delete-assessment-template.
- Amazon CLI
To delete an assessment template
The following delete-assessment-template command deletes the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T:
    aws inspector delete-assessment-template \
        --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see DeleteAssessmentTemplate in Amazon CLI Command Reference.

The following code example shows how to use delete-filter.
- Amazon CLI
To delete a filter
The following delete-filter example deletes a filter.
    aws inspector2 delete-filter \
        --arn "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444"
Output:
{ "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444" }
For more information, see Filtering Amazon Inspector findings in the Amazon Inspector User Guide.
For API details, see DeleteFilter in Amazon CLI Command Reference.

The following code example shows how to use describe-assessment-runs.
- Amazon CLI
To describe assessment runs
The following describe-assessment-runs command describes an assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE:
    aws inspector describe-assessment-runs \
        --assessment-run-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE
Output:
{ "assessmentRuns": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw", "completedAt": 1458680301.4, "createdAt": 1458680170.035, "dataCollected": true, "durationInSeconds": 3600, "name": "Run 1 for ExampleAssessmentTemplate", "notifications": [], "rulesPackageArns": [ "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP" ], "startedAt": 1458680170.161, "state": "COMPLETED", "stateChangedAt": 1458680301.4, "stateChanges": [ { "state": "CREATED", "stateChangedAt": 1458680170.035 }, { "state": "START_DATA_COLLECTION_PENDING", "stateChangedAt": 1458680170.065 }, { "state": "START_DATA_COLLECTION_IN_PROGRESS", "stateChangedAt": 1458680170.096 }, { "state": "COLLECTING_DATA", "stateChangedAt": 1458680170.161 }, { "state": "STOP_DATA_COLLECTION_PENDING", "stateChangedAt": 1458680239.883 }, { "state": "DATA_COLLECTED", "stateChangedAt": 1458680299.847 }, { "state": "EVALUATING_RULES", "stateChangedAt": 1458680300.099 }, { "state": "COMPLETED", "stateChangedAt": 1458680301.4 } ], "userAttributesForFindings": [] } ], "failedItems": {} }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see DescribeAssessmentRuns in Amazon CLI Command Reference.

The following code example shows how to use describe-assessment-targets.
- Amazon CLI
To describe assessment targets
The following describe-assessment-targets command describes the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:
    aws inspector describe-assessment-targets \
        --assessment-target-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq
Output:
{ "assessmentTargets": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq", "createdAt": 1458074191.459, "name": "ExampleAssessmentTarget", "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI", "updatedAt": 1458074191.459 } ], "failedItems": {} }
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
For API details, see DescribeAssessmentTargets in Amazon CLI Command Reference.

The following code example shows how to use describe-assessment-templates.
- Amazon CLI
To describe assessment templates
The following describe-assessment-templates command describes the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw:
    aws inspector describe-assessment-templates \
        --assessment-template-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw
Output:
{ "assessmentTemplates": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw", "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq", "createdAt": 1458074191.844, "durationInSeconds": 3600, "name": "ExampleAssessmentTemplate", "rulesPackageArns": [ "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP" ], "userAttributesForFindings": [] } ], "failedItems": {} }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see DescribeAssessmentTemplates in Amazon CLI Command Reference.

The following code example shows how to use describe-cross-account-access-role.
- Amazon CLI
To describe the cross account access role
The following describe-cross-account-access-role command describes the IAM role that enables Amazon Inspector to access your Amazon account:
    aws inspector describe-cross-account-access-role
Output:
{ "registeredAt": 1458069182.826, "roleArn": "arn:aws:iam::123456789012:role/inspector", "valid": true }
For more information, see Setting up Amazon Inspector in the Amazon Inspector guide.
For API details, see DescribeCrossAccountAccessRole in Amazon CLI Command Reference.

The following code example shows how to use describe-findings.
- Amazon CLI
To describe findings
The following describe-findings command describes the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4:
    aws inspector describe-findings \
        --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4
Output:
{ "failedItems": {}, "findings": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4", "assetAttributes": { "ipv4Addresses": [], "schemaVersion": 1 }, "assetType": "ec2-instance", "attributes": [], "confidence": 10, "createdAt": 1458680301.37, "description": "Amazon Inspector did not find any potential security issues during this assessment.", "indicatorOfCompromise": false, "numericSeverity": 0, "recommendation": "No remediation needed.", "schemaVersion": 1, "service": "Inspector", "serviceAttributes": { "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "rulesPackageArn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP", "schemaVersion": 1 }, "severity": "Informational", "title": "No potential security issues found", "updatedAt": 1458680301.37, "userAttributes": [] } ] }
For more information, see Amazon Inspector Findings in the Amazon Inspector guide.
For API details, see DescribeFindings in Amazon CLI Command Reference.

The following code example shows how to use describe-resource-groups.
- Amazon CLI
To describe resource groups
The following describe-resource-groups command describes the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI:
    aws inspector describe-resource-groups \
        --resource-group-arns arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI
Output:
{ "failedItems": {}, "resourceGroups": [ { "arn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI", "createdAt": 1458074191.098, "tags": [ { "key": "Name", "value": "example" } ] } ] }
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
For API details, see DescribeResourceGroups in Amazon CLI Command Reference.

The following code example shows how to use describe-rules-packages.
- Amazon CLI
To describe rules packages
The following describe-rules-packages command describes the rules package with the ARN of arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p:
    aws inspector describe-rules-packages \
        --rules-package-arns arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p
Output:
{ "failedItems": {}, "rulesPackages": [ { "arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p", "description": "The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see [https://cve.mitre.org/](https://cve.mitre.org/). If a particular CVE appears in one of the produced Findings at the end of a completed Inspector assessment, you can search [https://cve.mitre.org/](https://cve.mitre.org/) using the CVE's ID (for example, \"CVE-2009-0021\") to find detailed information about this CVE, its severity, and how to mitigate it. ", "name": "Common Vulnerabilities and Exposures", "provider": "Amazon Web Services, Inc.", "version": "1.1" } ] }
For more information, see Amazon Inspector Rules Packages and Rules in the Amazon Inspector guide.
For API details, see DescribeRulesPackages in Amazon CLI Command Reference.

The following code example shows how to use get-configuration.
- Amazon CLI
To get the setting configuration for Inspector scans
The following get-configuration example gets the setting configuration for Inspector scans.
    aws inspector2 get-configuration
Output:
{ "ec2Configuration": { "scanModeState": { "scanMode": "EC2_HYBRID", "scanModeStatus": "SUCCESS" } }, "ecrConfiguration": { "rescanDurationState": { "pullDateRescanDuration": "DAYS_90", "rescanDuration": "DAYS_30", "status": "SUCCESS", "updatedAt": "2024-05-14T21:16:20.237000+00:00" } } }
For more information, see Automated resource scanning with Amazon Inspector in the Amazon Inspector User Guide.
For API details, see GetConfiguration in Amazon CLI Command Reference.

The following code example shows how to use get-telemetry-metadata.
- Amazon CLI
To get the telemetry metadata
The following get-telemetry-metadata command generates information about the data that is collected for the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE:
    aws inspector get-telemetry-metadata \
        --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE
Output:
{ "telemetryMetadata": [ { "count": 2, "dataSize": 345, "messageType": "InspectorDuplicateProcess" }, { "count": 3, "dataSize": 255, "messageType": "InspectorTimeEventMsg" }, { "count": 4, "dataSize": 1082, "messageType": "InspectorNetworkInterface" }, { "count": 2, "dataSize": 349, "messageType": "InspectorDnsEntry" }, { "count": 11, "dataSize": 2514, "messageType": "InspectorDirectoryInfoMsg" }, { "count": 1, "dataSize": 179, "messageType": "InspectorTcpV6ListeningPort" }, { "count": 101, "dataSize": 10949, "messageType": "InspectorTerminal" }, { "count": 26, "dataSize": 5916, "messageType": "InspectorUser" }, { "count": 282, "dataSize": 32148, "messageType": "InspectorDynamicallyLoadedCodeModule" }, { "count": 18, "dataSize": 10172, "messageType": "InspectorCreateProcess" }, { "count": 3, "dataSize": 8001, "messageType": "InspectorProcessPerformance" }, { "count": 1, "dataSize": 360, "messageType": "InspectorOperatingSystem" }, { "count": 6, "dataSize": 546, "messageType": "InspectorStopProcess" }, { "count": 1, "dataSize": 1553, "messageType": "InspectorInstanceMetaData" }, { "count": 2, "dataSize": 434, "messageType": "InspectorTcpV4Connection" }, { "count": 474, "dataSize": 2960322, "messageType": "InspectorPackageInfo" }, { "count": 3, "dataSize": 2235, "messageType": "InspectorSystemPerformance" }, { "count": 105, "dataSize": 46048, "messageType": "InspectorCodeModule" }, { "count": 1, "dataSize": 182, "messageType": "InspectorUdpV6ListeningPort" }, { "count": 2, "dataSize": 371, "messageType": "InspectorUdpV4ListeningPort" }, { "count": 18, "dataSize": 8362, "messageType": "InspectorKernelModule" }, { "count": 29, "dataSize": 48788, "messageType": "InspectorConfigurationInfo" }, { "count": 1, "dataSize": 79, "messageType": "InspectorMonitoringStart" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgBegin" }, { "count": 51, "dataSize": 4593, "messageType": "InspectorGroup" }, { "count": 1, "dataSize": 184, "messageType": 
"InspectorTcpV4ListeningPort" }, { "count": 1159, "dataSize": 3146579, "messageType": "Total" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgEnd" }, { "count": 1, "dataSize": 612, "messageType": "InspectorLoadImageInProcess" } ] }
For API details, see GetTelemetryMetadata in Amazon CLI Command Reference.

The following code example shows how to use list-account-permissions.
- Amazon CLI
To list account permissions
The following list-account-permissions example lists your account permissions.
    aws inspector2 list-account-permissions
Output:
{ "permissions": [ { "operation": "ENABLE_SCANNING", "service": "ECR" }, { "operation": "DISABLE_SCANNING", "service": "ECR" }, { "operation": "ENABLE_REPOSITORY", "service": "ECR" }, { "operation": "DISABLE_REPOSITORY", "service": "ECR" }, { "operation": "ENABLE_SCANNING", "service": "EC2" }, { "operation": "DISABLE_SCANNING", "service": "EC2" }, { "operation": "ENABLE_SCANNING", "service": "LAMBDA" }, { "operation": "DISABLE_SCANNING", "service": "LAMBDA" } ] }
For more information, see Identity and Access Management for Amazon Inspector in the Amazon Inspector User Guide.
For API details, see ListAccountPermissions in Amazon CLI Command Reference.

The following code example shows how to use list-assessment-run-agents.
- Amazon CLI
To list assessment run agents
The following list-assessment-run-agents command lists the agents of the assessment run with the specified ARN.
    aws inspector list-assessment-run-agents \
        --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE
Output:
{ "assessmentRunAgents": [ { "agentHealth": "HEALTHY", "agentHealthCode": "HEALTHY", "agentId": "i-49113b93", "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "telemetryMetadata": [ { "count": 2, "dataSize": 345, "messageType": "InspectorDuplicateProcess" }, { "count": 3, "dataSize": 255, "messageType": "InspectorTimeEventMsg" }, { "count": 4, "dataSize": 1082, "messageType": "InspectorNetworkInterface" }, { "count": 2, "dataSize": 349, "messageType": "InspectorDnsEntry" }, { "count": 11, "dataSize": 2514, "messageType": "InspectorDirectoryInfoMsg" }, { "count": 1, "dataSize": 179, "messageType": "InspectorTcpV6ListeningPort" }, { "count": 101, "dataSize": 10949, "messageType": "InspectorTerminal" }, { "count": 26, "dataSize": 5916, "messageType": "InspectorUser" }, { "count": 282, "dataSize": 32148, "messageType": "InspectorDynamicallyLoadedCodeModule" }, { "count": 18, "dataSize": 10172, "messageType": "InspectorCreateProcess" }, { "count": 3, "dataSize": 8001, "messageType": "InspectorProcessPerformance" }, { "count": 1, "dataSize": 360, "messageType": "InspectorOperatingSystem" }, { "count": 6, "dataSize": 546, "messageType": "InspectorStopProcess" }, { "count": 1, "dataSize": 1553, "messageType": "InspectorInstanceMetaData" }, { "count": 2, "dataSize": 434, "messageType": "InspectorTcpV4Connection" }, { "count": 474, "dataSize": 2960322, "messageType": "InspectorPackageInfo" }, { "count": 3, "dataSize": 2235, "messageType": "InspectorSystemPerformance" }, { "count": 105, "dataSize": 46048, "messageType": "InspectorCodeModule" }, { "count": 1, "dataSize": 182, "messageType": "InspectorUdpV6ListeningPort" }, { "count": 2, "dataSize": 371, "messageType": "InspectorUdpV4ListeningPort" }, { "count": 18, "dataSize": 8362, "messageType": "InspectorKernelModule" }, { "count": 29, "dataSize": 48788, "messageType": "InspectorConfigurationInfo" }, { "count": 1, "dataSize": 79, "messageType": 
"InspectorMonitoringStart" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgBegin" }, { "count": 51, "dataSize": 4593, "messageType": "InspectorGroup" }, { "count": 1, "dataSize": 184, "messageType": "InspectorTcpV4ListeningPort" }, { "count": 1159, "dataSize": 3146579, "messageType": "Total" }, { "count": 5, "dataSize": 0, "messageType": "InspectorSplitMsgEnd" }, { "count": 1, "dataSize": 612, "messageType": "InspectorLoadImageInProcess" } ] } ] }
For more information, see Amazon Agents in the Amazon Inspector User Guide.
For API details, see ListAssessmentRunAgents in Amazon CLI Command Reference.

The following code example shows how to use list-assessment-runs.
- Amazon CLI
To list assessment runs
The following list-assessment-runs command lists all existing assessment runs.
    aws inspector list-assessment-runs
Output:
{ "assessmentRunArns": [ "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE", "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v" ] }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector User Guide.
For API details, see ListAssessmentRuns in Amazon CLI Command Reference.

The following code example shows how to use list-assessment-targets.
- Amazon CLI
To list assessment targets
The following list-assessment-targets command lists all existing assessment targets:
    aws inspector list-assessment-targets
Output:
{ "assessmentTargetArns": [ "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq" ] }
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
For API details, see ListAssessmentTargets in Amazon CLI Command Reference.

The following code example shows how to use list-assessment-templates.
- Amazon CLI
To list assessment templates
The following list-assessment-templates command lists all existing assessment templates:
    aws inspector list-assessment-templates
Output:
{ "assessmentTemplateArns": [ "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw", "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh" ] }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see ListAssessmentTemplates in Amazon CLI Command Reference.

The following code example shows how to use list-coverage-statistics.
- Amazon CLI
Example 1: To list coverage statistics by groups
The following list-coverage-statistics example lists the coverage statistics of your Amazon environment by groups.
    aws inspector2 list-coverage-statistics \
        --group-by RESOURCE_TYPE
Output:
{ "countsByGroup": [ { "count": 56, "groupKey": "AWS_LAMBDA_FUNCTION" }, { "count": 27, "groupKey": "AWS_ECR_REPOSITORY" }, { "count": 18, "groupKey": "AWS_EC2_INSTANCE" }, { "count": 3, "groupKey": "AWS_ECR_CONTAINER_IMAGE" }, { "count": 1, "groupKey": "AWS_ACCOUNT" } ], "totalCounts": 105 }
For more information, see Assessing Amazon Inspector coverage of your Amazon environment in the Amazon Inspector User Guide.
Example 2: To list coverage statistics by resource type
The following list-coverage-statistics example lists the coverage statistics of your Amazon environment by resource type.
    aws inspector2 list-coverage-statistics \
        --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_REPOSITORY"}]}' \
        --group-by SCAN_STATUS_REASON
Output:
{ "countsByGroup": [ { "count": 27, "groupKey": "SUCCESSFUL" } ], "totalCounts": 27 }
For more information, see Assessing Amazon Inspector coverage of your Amazon environment in the Amazon Inspector User Guide.
Example 3: To list coverage statistics by ECR repository name
The following list-coverage-statistics example lists the coverage statistics of your Amazon environment by ECR repository name.
    aws inspector2 list-coverage-statistics \
        --filter-criteria '{"ecrRepositoryName":[{"comparison":"EQUALS","value":"debian"}]}' \
        --group-by SCAN_STATUS_REASON
Output:
{ "countsByGroup": [ { "count": 3, "groupKey": "SUCCESSFUL" } ], "totalCounts": 3 }
For more information, see Assessing Amazon Inspector coverage of your Amazon environment in the Amazon Inspector User Guide.
For API details, see ListCoverageStatistics in Amazon CLI Command Reference.

The following code example shows how to use list-coverage.
- Amazon CLI
Example 1: To list coverage details about your environment
The following list-coverage example lists your environment's coverage details.
    aws inspector2 list-coverage
Output:
{ "coveredResources": [ { "accountId": "123456789012", "lastScannedAt": "2024-05-20T16:23:20-07:00", "resourceId": "i-EXAMPLE55555555555", "resourceMetadata": { "ec2": { "amiId": "ami-EXAMPLE6666666666", "platform": "LINUX" } }, "resourceType": "AWS_EC2_INSTANCE", "scanStatus": { "reason": "SUCCESSFUL", "statusCode": "ACTIVE" }, "scanType": "PACKAGE" } ] }
Example 2: To list coverage details about the Lambda function resource type
The following list-coverage example lists your Lambda function resource type details.
    aws inspector2 list-coverage \
        --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_LAMBDA_FUNCTION"}]}'
Output:
{ "coveredResources": [ { "accountId": "123456789012", "resourceId": "arn:aws:lambda:us-west-2:123456789012:function:Eval-container-scan-results:$LATEST", "resourceMetadata": { "lambdaFunction": { "functionName": "Eval-container-scan-results", "functionTags": {}, "layers": [], "runtime": "PYTHON_3_7" } }, "resourceType": "AWS_LAMBDA_FUNCTION", "scanStatus": { "reason": "SUCCESSFUL", "statusCode": "ACTIVE" }, "scanType": "CODE" } ] }
For API details, see ListCoverage in Amazon CLI Command Reference.

The following code example shows how to use list-delegated-admin-accounts.
- Amazon CLI
To list information about the delegated administrator account of your organization
The following list-delegated-admin-accounts example lists information about the delegated administrator account of your organization.
    aws inspector2 list-delegated-admin-accounts
Output:
{ "delegatedAdminAccounts": [ { "accountId": "123456789012", "status": "ENABLED" } ] }
For more information, see Designating a delegated administrator for Amazon Inspector in the Amazon Inspector User Guide.
For API details, see ListDelegatedAdminAccounts in Amazon CLI Command Reference.

The following code example shows how to use list-event-subscriptions.
- Amazon CLI
To list event subscriptions
The following list-event-subscriptions command lists all the event subscriptions for the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0:
    aws inspector list-event-subscriptions \
        --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0
Output:
{ "subscriptions": [ { "eventSubscriptions": [ { "event": "ASSESSMENT_RUN_COMPLETED", "subscribedAt": 1459455440.867 } ], "resourceArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0", "topicArn": "arn:aws:sns:us-west-2:123456789012:exampletopic" } ] }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
For API details, see ListEventSubscriptions in Amazon CLI Command Reference.

The following code example shows how to use list-filters.
- Amazon CLI
To list filters associated with the account that you used to activate Amazon Inspector
The following list-filters example lists filters associated with the account that you used to activate Amazon Inspector.
    aws inspector2 list-filters
Output:
{ "filters": [ { "action": "SUPPRESS", "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444", "createdAt": "2024-05-15T21:11:08.602000+00:00", "criteria": { "resourceType": [ { "comparison": "EQUALS", "value": "AWS_EC2_INSTANCE" } ] }, "description": "This suppression rule omits EC2 instance type findings", "name": "ExampleSuppressionRuleEC2", "ownerId": "o-EXAMPLE222", "tags": {}, "updatedAt": "2024-05-15T21:11:08.602000+00:00" }, { "action": "SUPPRESS", "arn": "arn:aws:inspector2:us-east-1:813737243517:owner/o-EXAMPLE222/filter/EXAMPLE444444444", "createdAt": "2024-05-15T21:28:27.054000+00:00", "criteria": { "resourceType": [ { "comparison": "EQUALS", "value": "AWS_ECR_INSTANCE" } ] }, "description": "This suppression rule omits ECR instance type findings", "name": "ExampleSuppressionRuleECR", "ownerId": "o-EXAMPLE222", "tags": {}, "updatedAt": "2024-05-15T21:28:27.054000+00:00" } ] }
For more information, see Filtering Amazon Inspector findings in the Amazon Inspector User Guide.
- For API details, see ListFilters in Amazon CLI Command Reference.
The following code example shows how to use list-findings.
- Amazon CLI
To list findings
The following list-findings command lists all of the generated findings:
aws inspector list-findings
Output:
{ "findingArns": [ "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4", "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v/finding/0-tyvmqBLy" ] }
For more information, see Amazon Inspector Findings in the Amazon Inspector guide.
- For API details, see ListFindings in Amazon CLI Command Reference.
The following code example shows how to use list-rules-packages.
- Amazon CLI
To list rules packages
The following list-rules-packages command lists all available Inspector rules packages:
aws inspector list-rules-packages
Output:
{ "rulesPackageArns": [ "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p", "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc", "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ", "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD" ] }
For more information, see Amazon Inspector Rules Packages and Rules in the Amazon Inspector guide.
- For API details, see ListRulesPackages in Amazon CLI Command Reference.
The following code example shows how to use list-tags-for-resource.
- Amazon CLI
To list tags for resource
The following list-tags-for-resource command lists all tags associated with the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-gcwFliYu:
aws inspector list-tags-for-resource --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-gcwFliYu
Output:
{ "tags": [ { "key": "Name", "value": "Example" } ] }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
- For API details, see ListTagsForResource in Amazon CLI Command Reference.
The following code example shows how to use list-usage-totals.
- Amazon CLI
To list usage totals over the last 30 days
The following list-usage-totals example lists usage totals over the last 30 days.
aws inspector2 list-usage-totals
Output:
{ "totals": [ { "accountId": "123456789012", "usage": [ { "currency": "USD", "estimatedMonthlyCost": 4.6022044647, "total": 1893.4784083333334, "type": "EC2_AGENTLESS_INSTANCE_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 18.892449279, "total": 10882.050784722222, "type": "EC2_INSTANCE_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 5.4525363736, "total": 6543.043648333333, "type": "LAMBDA_FUNCTION_CODE_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 3.9064080309, "total": 9375.379274166668, "type": "LAMBDA_FUNCTION_HOURS" }, { "currency": "USD", "estimatedMonthlyCost": 0.06, "total": 6.0, "type": "ECR_RESCAN" }, { "currency": "USD", "estimatedMonthlyCost": 0.09, "total": 1.0, "type": "ECR_INITIAL_SCAN" } ] } ] }
For more information, see Monitoring usage and cost in Amazon Inspector in the Amazon Inspector User Guide.
- For API details, see ListUsageTotals in Amazon CLI Command Reference.
The following code example shows how to use preview-agents.
- Amazon CLI
To preview agents
The following preview-agents command previews the agents installed on the EC2 instances that are part of the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq:
aws inspector preview-agents --preview-agents-arn arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq
Output:
{ "agentPreviews": [ { "agentId": "i-49113b93" } ] }
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
- For API details, see PreviewAgents in Amazon CLI Command Reference.
The following code example shows how to use register-cross-account-access-role.
- Amazon CLI
To register the cross account access role
The following register-cross-account-access-role command registers the IAM role with the ARN of arn:aws:iam::123456789012:role/inspector that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the preview-agents command:
aws inspector register-cross-account-access-role --role-arn arn:aws:iam::123456789012:role/inspector
For more information, see Setting up Amazon Inspector in the Amazon Inspector guide.
- For API details, see RegisterCrossAccountAccessRole in Amazon CLI Command Reference.
The following code example shows how to use remove-attributes-from-findings.
- Amazon CLI
To remove attributes from findings
The following remove-attributes-from-findings command removes the attribute with the key of Example and value of example from the finding with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU:
aws inspector remove-attributes-from-findings --finding-arns arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-8l1VIE0D/run/0-Z02cjjug/finding/0-T8yM9mEU --attribute-keys key=Example,value=example
Output:
{ "failedItems": {} }
For more information, see Amazon Inspector Findings in the Amazon Inspector guide.
- For API details, see RemoveAttributesFromFindings in Amazon CLI Command Reference.
The following code example shows how to use set-tags-for-resource.
- Amazon CLI
To set tags for a resource
The following set-tags-for-resource command sets the tag with the key of Example and value of example to the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0:
aws inspector set-tags-for-resource --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 --tags key=Example,value=example
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
- For API details, see SetTagsForResource in Amazon CLI Command Reference.
The following code example shows how to use start-assessment-run.
- Amazon CLI
To start an assessment run
The following start-assessment-run command starts the assessment run named examplerun using the assessment template with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T:
aws inspector start-assessment-run --assessment-run-name examplerun --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T
Output:
{ "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY" }
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
- For API details, see StartAssessmentRun in Amazon CLI Command Reference.
The following code example shows how to use stop-assessment-run.
- Amazon CLI
To stop an assessment run
The following stop-assessment-run command stops the assessment run with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY:
aws inspector stop-assessment-run --assessment-run-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
- For API details, see StopAssessmentRun in Amazon CLI Command Reference.
The following code example shows how to use subscribe-to-event.
- Amazon CLI
To subscribe to an event
The following example enables the process of sending Amazon SNS notifications about the ASSESSMENT_RUN_COMPLETED event to the topic with the ARN of arn:aws:sns:us-west-2:123456789012:exampletopic:
aws inspector subscribe-to-event \
    --event ASSESSMENT_RUN_COMPLETED \
    --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 \
    --topic-arn arn:aws:sns:us-west-2:123456789012:exampletopic
This command produces no output.
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
- For API details, see SubscribeToEvent in Amazon CLI Command Reference.
The following code example shows how to use unsubscribe-from-event.
- Amazon CLI
To unsubscribe from an event
The following unsubscribe-from-event command disables the process of sending Amazon SNS notifications about the ASSESSMENT_RUN_COMPLETED event to the topic with the ARN of arn:aws:sns:us-west-2:123456789012:exampletopic:
aws inspector unsubscribe-from-event --event ASSESSMENT_RUN_COMPLETED --resource-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0 --topic-arn arn:aws:sns:us-west-2:123456789012:exampletopic
For more information, see Amazon Inspector Assessment Templates and Assessment Runs in the Amazon Inspector guide.
- For API details, see UnsubscribeFromEvent in Amazon CLI Command Reference.
The following code example shows how to use update-assessment-target.
- Amazon CLI
To update an assessment target
The following update-assessment-target command updates the assessment target with the ARN of arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX and the name of Example, and the resource group with the ARN of arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-yNbgL5Pt:
aws inspector update-assessment-target --assessment-target-arn arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX --assessment-target-name Example --resource-group-arn arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-yNbgL5Pt
For more information, see Amazon Inspector Assessment Targets in the Amazon Inspector guide.
- For API details, see UpdateAssessmentTarget in Amazon CLI Command Reference.
The following code example shows how to use update-filter.
- Amazon CLI
To update a filter
The following update-filter example updates a filter to omit Lambda findings instead of ECR instance findings.
aws inspector2 update-filter \
    --filter-arn "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444" \
    --name "ExampleSuppressionRuleLambda" \
    --description "This suppression rule omits Lambda instance findings" \
    --reason "Updating filter to omit Lambda instance findings instead of ECR instance findings"
Output:
{ "filters": [ { "action": "SUPPRESS", "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444", "createdAt": "2024-05-15T21:28:27.054000+00:00", "criteria": { "resourceType": [ { "comparison": "EQUALS", "value": "AWS_ECR_INSTANCE" } ] }, "description": "This suppression rule omits Lambda instance findings", "name": "ExampleSuppressionRuleLambda", "ownerId": "o-EXAMPLE222", "reason": "Updating filter to omit Lambda instance findings instead of ECR instance findings", "tags": {}, "updatedAt": "2024-05-15T22:23:13.665000+00:00" } ] }
For more information, see Managing findings in Amazon Inspector in the Amazon Inspector User Guide.
- For API details, see UpdateFilter in Amazon CLI Command Reference.
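Suppression filters like the ones returned by list-filters and update-filter hide findings, and in the update-filter output shown on this page the name, description and reason change while the criteria still hold AWS_ECR_INSTANCE, so a review should read the criteria rather than the name. The following Python is an added example, not part of the AWS documentation: it turns a list-filters style response into one review record per SUPPRESS filter. The function names, the flag labels (BROAD, MODIFIED, NO_REASON) and the embedded sample are assumptions made for illustration.

```python
import json

# Constructed sample input: two filters in the shape of the list-filters and
# update-filter outputs shown on this page.
SAMPLE_RESPONSE = json.loads("""
{"filters": [
  {"action": "SUPPRESS", "name": "ExampleSuppressionRuleEC2",
   "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
   "criteria": {"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]},
   "createdAt": "2024-05-15T21:11:08.602000+00:00",
   "updatedAt": "2024-05-15T21:11:08.602000+00:00"},
  {"action": "SUPPRESS", "name": "ExampleSuppressionRuleLambda",
   "arn": "arn:aws:inspector2:us-west-2:123456789012:owner/o-EXAMPLE222/filter/EXAMPLE444444444",
   "criteria": {"resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_INSTANCE"}]},
   "reason": "Updating filter to omit Lambda instance findings instead of ECR instance findings",
   "createdAt": "2024-05-15T21:28:27.054000+00:00",
   "updatedAt": "2024-05-15T22:23:13.665000+00:00"}
]}
""")

def effective_criteria(criteria):
    """Flatten a filter's criteria map into sorted 'field: condition' strings."""
    return sorted(f"{field}: {json.dumps(cond, sort_keys=True)}"
                  for field, conds in criteria.items() for cond in conds)

def audit_suppression_filters(response):
    """Return one review record per SUPPRESS filter, with flags for follow-up."""
    records = []
    for flt in response.get("filters", []):
        if flt.get("action") != "SUPPRESS":
            continue  # only suppression rules hide findings
        criteria = flt.get("criteria", {})
        flags = []
        if set(criteria) <= {"resourceType"}:
            flags.append("BROAD")      # hides every finding for a resource type
        if flt.get("updatedAt") != flt.get("createdAt"):
            flags.append("MODIFIED")   # changed after creation: re-review scope
        if not flt.get("reason"):
            flags.append("NO_REASON")  # no recorded justification
        records.append({"name": flt.get("name"), "arn": flt.get("arn"),
                        "criteria": effective_criteria(criteria), "flags": flags})
    return records

if __name__ == "__main__":
    for rec in audit_suppression_filters(SAMPLE_RESPONSE):
        print(rec["name"], rec["flags"], rec["criteria"])
```

To run it against a real account, load the JSON printed by aws inspector2 list-filters with json.load and pass the result to audit_suppression_filters.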