Deactivating a scan type - Amazon Inspector

Deactivating a scan type

You can deactivate a new Amazon Inspector scan type at any time. When you deactivate a scan type, you lose access to any existing findings that were produced by that scan type. If you reactivate the scan type, your eligible resources are scanned and Amazon Inspector produces new findings. To keep a record of your findings data, you can export your findings before you deactivate. For more information, see Exporting findings reports from Amazon Inspector.

When you deactivate a scan type, certain changes may occur in that Amazon account, depending on the scan type being deactivated. The following changes occur when you deactivate these scan types:

  • Amazon EC2 scanning — When you deactivate Amazon Inspector Amazon EC2 scanning for an account, the following SSM associations used by Amazon Inspector are deleted:

    • InspectorDistributor-do-not-delete

    • InspectorInventoryCollection-do-not-delete

    • InspectorLinuxDistributor-do-not-delete

    • InvokeInspectorLinuxSsmPlugin-do-not-delete

    • InvokeInspectorSsmPlugin-do-not-delete. Additionally, the Amazon Inspector SSM plugin installed through this association is removed from all of your Windows hosts. For more information, see Scanning Windows instances.

  • Amazon ECR scanning — When you deactivate Amazon ECR container image scanning for an account, the Amazon ECR scan type for that account changes from Enhanced scanning with Amazon Inspector to Basic scanning with Amazon ECR.

  • Lambda standard scanning — When you deactivate Lambda standard scanning in an account, Lambda code scanning is also deactivated if it was active. Additionally, the CloudTrail service-linked channel created when scanning was enabled is deleted.

Deactivating scans

Deactivating all scan types for an account deactivates Amazon Inspector for that account in that Amazon Web Services Region. For more information, see Deactivating Amazon Inspector.

To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator.

Console
To deactivate scans
  1. Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. By using the Amazon Web Services Region selector in the upper-right corner of the page, select the Region where you want to deactivate scans.

  3. In the navigation pane, choose Account management.

  4. Choose the Accounts tab to show the scanning status of an account.

  5. Select the check box of each account for which you want to deactivate scans.

  6. Choose Actions, and, from the Deactivate options, select the scan type you wish to deactivate.

  7. (Recommended) Repeat these steps in each Amazon Web Services Region for which you want to deactivate that scan type.

API

Run the Disable API operation. In the request, provide the account IDs you are deactivating scans for, and for resourceTypes provide one or more of EC2, ECR, LAMBDA, or LAMBDA_CODE to deactivate scans.
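
One way to script the Disable call with a pre-flight check, as an added example that is not part of the AWS documentation. It uses the boto3 `inspector2` client's `disable` operation; the helper names (`plan_disable`, `disable_scans`) and the `findings_exported` confirmation gate are assumptions of this example, and account IDs are passed as 12-digit strings.

```python
"""Added example: plan and issue an Amazon Inspector Disable request."""

VALID_TYPES = ("EC2", "ECR", "LAMBDA", "LAMBDA_CODE")  # values listed on this page

# Side effects this page documents for each scan type.
SIDE_EFFECTS = {
    "EC2": "Inspector SSM associations (*-do-not-delete) are deleted; "
           "the SSM plugin is removed from Windows hosts",
    "ECR": "ECR scan type reverts from Enhanced to Basic scanning",
    "LAMBDA": "Lambda code scanning is also deactivated; the CloudTrail "
              "service-linked channel is deleted",
}


def plan_disable(account_ids, resource_types):
    """Validate input and return (request kwargs, documented side effects)."""
    types = sorted({t.upper() for t in resource_types})
    unknown = [t for t in types if t not in VALID_TYPES]
    if unknown:
        raise ValueError(f"unknown resourceTypes: {unknown}")
    bad = [a for a in account_ids if not (a.isdigit() and len(a) == 12)]
    if bad or not account_ids:
        raise ValueError(f"account IDs must be 12 digits: {bad}")
    effects = [f"{t}: {SIDE_EFFECTS[t]}" for t in types if t in SIDE_EFFECTS]
    effects.append("ALL: existing findings from these scan types become inaccessible")
    return {"accountIds": list(account_ids), "resourceTypes": types}, effects


def disable_scans(account_ids, resource_types, findings_exported, client=None):
    """Call Disable only after the operator confirms findings were exported.

    The findings_exported gate is this example's own safeguard (an assumption),
    not a requirement enforced by the API.
    """
    request, effects = plan_disable(account_ids, resource_types)
    if not findings_exported:
        raise RuntimeError("export findings first:\n  " + "\n  ".join(effects))
    if client is None:  # real call path: needs boto3 and delegated-admin credentials
        import boto3
        client = boto3.client("inspector2")
    response = client.disable(**request)
    failed = [f["accountId"] for f in response.get("failedAccounts", [])]
    return {"request": request, "failed": failed}
```

Call `plan_disable` on its own to review the documented side effects for a change ticket before anything is deactivated, and repeat `disable_scans` with a client for each Region where the scan type should be off.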