Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Getting started with Amazon Inspector
This section provides information to consider before activating Amazon Inspector and a getting started tutorial describing how to activate Amazon Inspector and view your findings in the Amazon Inspector console and with the Amazon Inspector API.
Before activating Amazon Inspector
Before activating Amazon Inspector, consider the following:
Amazon Inspector is a Regional service
Your data is stored in the Amazon Web Services Region where you activate Amazon Inspector.
Repeat the steps in the first part of the getting started tutorial for all Amazon Web Services Regions where you plan to use Amazon Inspector.
Amazon Inspector creates the service-linked roles AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless
A service-linked role is a role in Amazon Identity and Access Management (IAM) that's linked to an Amazon service.
AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless allow Amazon Inspector to access Amazon Web Services services required to perform security assessments.
IAM identities with administrator permissions can enable Amazon Inspector
Protect your credentials by creating users with IAM or Amazon IAM Identity Center.
This helps you make sure users only have the permissions required to manage Amazon Inspector.
For more information, see Amazon managed policy: AmazonInspectorFullAccess.
Hybrid scanning is automatically enabled
Hybrid scanning includes agent-based scanning and agentless scanning.
By default, Amazon Inspector uses these scan methods on all eligible Amazon EC2 instances.
For more information, see Scanning Amazon EC2 instances with Amazon Inspector.
Amazon ECR scanning and Lambda function scanning don't require the SSM agent
Agent-based scanning uses the SSM agent to collect software inventory.
Agentless scanning uses Amazon EBS snapshots to collect software inventory.
By default, the SSM agent is already installed in Amazon EC2 instances based on Amazon Machine Images.
However, you might need to activate the SSM agent manually in some cases.
For more information, see Working with the SSM agent in the Amazon Systems Manager User Guide.
Monthly costs are based on workloads scanned
For more information, see Amazon Inspector pricing.
Getting started tutorial
In the first part of this tutorial, you activate Amazon Inspector for a standalone account environment or multi-account environment.
In the second part of this tutorial, you learn how to view your findings in the Amazon Inspector console and with the Amazon Inspector API.
Activating Amazon Inspector
Complete one of the following procedures to activate Amazon Inspector.
Once you activate Amazon Inspector, Amazon Inspector automatically begins discovering workloads and continually scanning them for software vulnerabilities and unintended network exposure.
Standalone account environment
When you activate Amazon Inspector in a standalone account, all scan types are activated by default. You can manage activated scan types from the account management page within the Amazon Inspector console or by using Amazon Inspector APIs. After Amazon Inspector is activated, it automatically discovers and begins scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:
Amazon EC2 scanning
To provide Common Vulnerabilities and Exposures (CVE) data for your EC2 instance, Amazon Inspector requires that the Amazon Systems Manager (SSM) agent be installed and activated. This agent is pre-installed on many EC2 instances, but you may need to activate it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.
Amazon ECR scanning
When you activate Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continual scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning. This Amazon ECR scan setting can be changed at any time. For more information about configuring scans for Amazon ECR, see Scanning Amazon Elastic Container Registry container images with Amazon Inspector.
Amazon Lambda function scanning
When you activate Amazon Lambda function scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they are deployed, and rescans them when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are published. Amazon Inspector offers two different levels of Lambda function scanning. By default, when you first activate Amazon Inspector, Lambda standard scanning is activated, which scans package dependencies in your functions. You can additionally activate Lambda code scanning to scan the developer code in your functions for code vulnerabilities. For more information about configuring Lambda function scanning, see Scanning Amazon Lambda functions with Amazon Inspector.
Multi-account environment
To complete these steps, you must be in the same organization as all the accounts you want to manage and have access to the Amazon Organizations management account in order to delegate an administrator for Amazon Inspector within your organization. Additional permissions may be required to delegate an administrator. For more information, see Permissions required to designate a delegated administrator.
To programmatically enable Amazon Inspector for multiple accounts in multiple Regions, you can use a shell script developed by Amazon Inspector. For more information on using this script, see inspector2-enablement-with-cli on GitHub.
Delegating an administrator for Amazon Inspector
- Log in to the Amazon Organizations management account.
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- Within the Delegated administrator pane, enter the twelve-digit ID of the Amazon Web Services account that you want to designate as the Amazon Inspector delegated administrator for the organization. Then choose Delegate. Then, in the confirmation window, choose Delegate again.
Amazon Inspector is activated for your account when you delegate an administrator.
Adding member accounts
As a delegated administrator, you can activate scanning for any member associated with the Organizations management account. This workflow activates all scan types for all member accounts. However, members can also activate Amazon Inspector for their own accounts, or scans for a service can be selectively activated by the delegated administrator. For more information, see Managing multiple accounts.
- Log in to the delegated administrator account.
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- In the navigation pane, choose Account Management. The Accounts table displays all of the member accounts associated with the Organizations management account.
- From the Account Management page, you can choose Activate scanning for all accounts from the top banner to activate EC2 instance, ECR container image, and Amazon Lambda function scanning for all accounts in your organization. Alternatively, you can choose the accounts that you want to add as members by selecting them in the Accounts table. Then, from the Activate menu, select All scanning.
- (Optional) Turn on the Automatically activate Inspector for new member accounts feature and select the scan types to include to activate those scans for any new member accounts that are added to your organization.
Amazon Inspector currently offers scans for EC2 instances, ECR container images, and Amazon Lambda functions.
After you activate Amazon Inspector, it automatically starts discovering and scanning
all eligible resources. Review the following scan type information to
understand which resources are eligible by default:
Amazon EC2 scanning
To provide CVE vulnerability data for your EC2 instances, Amazon Inspector requires that the Amazon Systems Manager (SSM) agent be installed and activated. This agent is pre-installed on many EC2 instances, but you may need to activate it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.
Amazon ECR scanning
When you activate Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continuous scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning. This Amazon ECR scan setting can be changed by the delegated administrator at any time. For more information about configuring scans for Amazon ECR, see Scanning Amazon Elastic Container Registry container images with Amazon Inspector.
Amazon Lambda function scanning
When you activate Amazon Lambda function scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they are deployed, and rescans them when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are published. For more information about configuring Lambda function scanning, see Scanning Amazon Lambda functions with Amazon Inspector.
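The following shell script is an added example, not code from this guide and not the inspector2-enablement-with-cli script mentioned above. It carries the standalone-account and multi-account activation steps through the Amazon Inspector API using the AWS CLI v2 inspector2 commands: optionally delegating an administrator from the management account, activating the chosen scan types for the calling account or for member accounts, switching on auto-activation for future members, and verifying per-account status in every Region. It assumes the AWS CLI is installed with credentials for the account running it (the delegated administrator for the member-account calls); the Regions and twelve-digit account IDs are constructed placeholders. By default it only prints the commands it would run, so the plan can be reviewed before APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not AWS's own enablement script): activate Amazon Inspector
# across Regions for a standalone account or, from the delegated administrator,
# for a list of member accounts. Assumes AWS CLI v2 (the "inspector2" command)
# and credentials for the account running it. Regions and account IDs below are
# constructed placeholders.
set -eu

# Dry run by default: commands are printed, not executed. Set APPLY=1 to run them.
if [ "${APPLY:-0}" = "1" ]; then AWS_CLI=aws; else AWS_CLI=echo; fi

REGIONS="cn-north-1 cn-northwest-1"            # constructed: Regions you use
MEMBER_ACCOUNTS="111111111111 222222222222"     # constructed placeholder IDs
SCAN_TYPES="EC2 ECR LAMBDA LAMBDA_CODE"         # LAMBDA_CODE = Lambda code scanning

# Step 1 (management account only): designate the delegated administrator.
delegate_admin() {
  region=$1; admin_account=$2
  "$AWS_CLI" inspector2 enable-delegated-admin-account \
    --region "$region" --delegated-admin-account-id "$admin_account"
}

# Step 2: activate the chosen scan types. With no account IDs the calling
# account is activated (standalone case); with IDs, those member accounts are.
enable_scanning() {
  region=$1; shift
  # $SCAN_TYPES and "$@" are deliberately expanded into separate arguments.
  if [ $# -eq 0 ]; then
    "$AWS_CLI" inspector2 enable --region "$region" --resource-types $SCAN_TYPES
  else
    "$AWS_CLI" inspector2 enable --region "$region" --resource-types $SCAN_TYPES \
      --account-ids "$@"
  fi
}

# Step 3 (delegated administrator): auto-activate all scan types for members
# added to the organization later, so new accounts do not start unscanned.
auto_enable_new_members() {
  region=$1
  "$AWS_CLI" inspector2 update-organization-configuration --region "$region" \
    --auto-enable ec2=true,ecr=true,lambda=true,lambdaCode=true
}

# Step 4: verify per-account status before treating the Region as covered.
check_status() {
  region=$1; shift
  "$AWS_CLI" inspector2 batch-get-account-status --region "$region" --account-ids "$@"
}

# Inspector is Regional: activation in one Region says nothing about the others,
# so every step is repeated for each Region in use.
for r in $REGIONS; do
  enable_scanning "$r" $MEMBER_ACCOUNTS
  auto_enable_new_members "$r"
  check_status "$r" $MEMBER_ACCOUNTS
done
```

For a standalone account, call enable_scanning with only the Region (no account IDs) and skip the organization steps; delegate_admin is run once per Region from the management account before the member-account steps.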
Viewing your Amazon Inspector findings
You can view your findings in the Amazon Inspector console and with the Amazon Inspector API.
In the console, you can view your findings in the dashboard and on the Findings screen.
To complete this part of the tutorial, see Viewing your Amazon Inspector findings.
Because you just activated Amazon Inspector, you might not have any findings.
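As an added example of the API route described above (not code from this guide), the following shell script lists active findings through the AWS CLI v2 inspector2 commands rather than the console. It filters to one severity and to ACTIVE status so suppressed and closed findings do not inflate the view, trims each finding to the fields an operator triages on, and pulls per-account severity totals with a finding aggregation instead of paging through every finding. It assumes credentials for the account or delegated administrator; the Region is a constructed placeholder, and commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the Amazon Inspector documentation): query findings
# through the Inspector API with AWS CLI v2. The Region is a constructed
# placeholder; the caller's credentials must belong to the account or to the
# delegated administrator.
set -eu

# Dry run by default (commands are printed). Set APPLY=1 to call the API.
if [ "${APPLY:-0}" = "1" ]; then AWS_CLI=aws; else AWS_CLI=echo; fi
REGION="cn-north-1"   # constructed placeholder

# JSON filter: only ACTIVE findings of the given severity. Suppressed and
# closed findings are excluded so the list reflects current exposure.
severity_filter() {
  printf '{"severity":[{"comparison":"EQUALS","value":"%s"}],"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}' "$1"
}

# List findings of one severity; --query keeps title, finding type, the first
# affected resource and whether a fix is available. Right after activation the
# result is empty until the first scans complete.
list_findings() {
  severity=$1
  "$AWS_CLI" inspector2 list-findings --region "$REGION" --max-results 50 \
    --filter-criteria "$(severity_filter "$severity")" \
    --query 'findings[].{title:title,type:type,resourceId:resources[0].id,fixAvailable:fixAvailable}' \
    --output table
}

# Per-account severity counts without retrieving every finding: the ACCOUNT
# aggregation returns totals by severity for each account in scope.
count_by_account() {
  "$AWS_CLI" inspector2 list-finding-aggregations --region "$REGION" \
    --aggregation-type ACCOUNT --output table
}

for sev in CRITICAL HIGH; do
  list_findings "$sev"
done
count_by_account
```

Run it with APPLY=1 from the delegated administrator to see findings across all member accounts; from a member account the same calls return only that account's findings.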