Amazon Inspector deep inspection for Amazon EC2 Linux instances - Amazon Inspector
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Inspector deep inspection for Amazon EC2 Linux instances

Amazon Inspector expands Amazon EC2 scanning coverage to include deep inspection. With deep inspection, Amazon Inspector detects package vulnerabilities for application programming language packages in your Linux-based Amazon EC2 instances.

Amazon Inspector scans default paths for programming language package libraries. You can also configure custom paths in addition to default paths.

Note

You can use deep inspection with the Default Host Management Configuration setting. However, you must create an instance profile and attach the ssm:PutInventory and ssm:GetParameter permissions.

Amazon Inspector uses data that's collected with the Amazon Inspector SSM plugin to perform deep inspection scans. To manage the Amazon Inspector SSM plugin and perform deep inspection for Linux, Amazon Inspector automatically creates the SSM association InvokeInspectorLinuxSsmPlugin-do-not-delete in your account.

Amazon Inspector collects updated application inventory from instances for deep inspection every 6 hours.

Deep inspection is not supported for Windows or Mac instances.

Accessing or deactivating deep inspection

Note

For accounts that activate Amazon Inspector after April 17, 2023, deep inspection is automatically activated as part of Amazon EC2 scanning.

To manage deep inspection
  1. Open the Amazon Inspector console at https://console.amazonaws.cn/inspector/.

  2. From the navigation pane, choose General settings, and then choose Amazon EC2 scanning settings.

  3. Under Deep inspection of Amazon EC2 instance, you can set custom paths for your organization or for your own account.

You can check the activation status programmatically for a single account with the GetEc2DeepInspectionConfiguration API. You can check the activation status programmatically for multiple accounts with the BatchGetMemberEc2DeepInspectionStatus API.

If you activated Amazon Inspector before April 17, 2023, you can activate deep inspection through the console banner or the UpdateEc2DeepInspectionConfiguration API. If you're the delegated administrator for an organization in Amazon Inspector, you can use the BatchUpdateMemberEc2DeepInspectionStatus API to activate deep inspection for yourself and your member accounts.

You can deactivate deep inspection through the UpdateEc2DeepInspectionConfiguration API. Member accounts in an organization can't deactivate deep inspection. Instead, the member account must be deactivated by their delegated administrator using the BatchUpdateMemberEc2DeepInspectionStatus API.

About the Amazon Inspector SSM plugin for Linux

Amazon Inspector uses the Amazon Inspector SSM plugin to perform deep inspection on your Linux instances. The Amazon Inspector SSM plugin is automatically installed on your Linux instances in the /opt/aws/inspector/bin directory. The name of the executable is inspectorssmplugin.

Amazon Inspector uses Systems Manager Distributor to deploy the plugin on your instance. To perform deep inspection scans, Systems Manager Distributor and Amazon Inspector must support your Amazon EC2 instance operating system. For information about operating systems that Systems Manager Distributor supports, see Supported package platforms and architectures in the Amazon Systems Manager User Guide.

Amazon Inspector creates the following file directories to manage data collected for deep inspection by the Amazon Inspector SSM plugin:

  • /opt/aws/inspector/var/input

  • /opt/aws/inspector/var/output – The packages.txt file in this directory stores the full paths to packages that deep inspection discovers. If Amazon Inspector detects the same package multiple times on your instance, the packages.txt file lists each location where the package was found.

Amazon Inspector stores logs for the plugin in the /var/log/amazon/inspector directory.
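The script below is an added example, not AWS code: it summarises the plugin's packages.txt so you can see which scanned root contributes most inventory, which packages were found in more than one location, and how close the instance is to the 5,000-package limit described under Formatting custom paths. It assumes one absolute package path per line and, as a further assumption, takes the last path component as the package name.

```python
"""Summarise the Amazon Inspector SSM plugin's packages.txt.

Added example, not AWS code. Assumes one absolute package path per line
(the docs say the file holds full paths to discovered packages) and, as a
further assumption, takes the last path component as the package name.
"""
import os
from collections import Counter, defaultdict

PACKAGES_TXT = "/opt/aws/inspector/var/output/packages.txt"
PACKAGE_LIMIT = 5000  # documented per-instance package limit
DEFAULT_ROOTS = ("/usr/lib", "/usr/lib64", "/usr/local/lib", "/usr/local/lib64")


def parse_packages(text):
    """Keep non-empty lines that look like absolute paths."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]


def scan_root(path, custom_roots=()):
    """Return the default or custom root that covers path, or '(other)'."""
    for root in sorted(DEFAULT_ROOTS + tuple(custom_roots), key=len, reverse=True):
        if path == root or path.startswith(root + "/"):
            return root
    return "(other)"


def summarize(text, custom_roots=()):
    """Total, per-root counts and packages found in more than one location."""
    paths = parse_packages(text)
    locations = defaultdict(list)
    for p in paths:
        locations[os.path.basename(p.rstrip("/"))].append(p)
    return {
        "total": len(paths),
        "near_limit": len(paths) >= PACKAGE_LIMIT * 0.9,
        "by_root": dict(Counter(scan_root(p, custom_roots) for p in paths)),
        "duplicates": {n: locs for n, locs in locations.items() if len(locs) > 1},
    }


# Constructed sample in the assumed one-path-per-line format.
SAMPLE_PACKAGES_TXT = """\
/usr/lib/python3.9/site-packages/requests
/usr/lib/python3.9/site-packages/urllib3
/usr/local/lib/node_modules/lodash
/home/usr1/project01/venv/lib/python3.9/site-packages/requests
"""
```

On an instance, pass `open(PACKAGES_TXT).read()` to `summarize()` together with the custom paths you configured; the sample reports 4 packages, with `requests` present in both a default root and the custom project path.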

Uninstalling the Amazon Inspector SSM plugin

If the inspectorssmplugin file is inadvertently deleted, the SSM association InspectorLinuxDistributor-do-not-delete will try to reinstall the inspectorssmplugin file at the next scan interval.

If you deactivate Amazon EC2 scanning, the plugin will be automatically uninstalled from all Linux hosts.

Custom paths for Amazon Inspector deep inspection

You can set custom paths for Amazon Inspector to scan during deep inspection of your Linux Amazon EC2 instances. When you set a custom path, Amazon Inspector scans packages in that directory and all of the sub-directories in it.

All accounts can define up to 5 custom paths. The delegated administrator for an organization can define 10 custom paths.

Amazon Inspector scans all custom paths in addition to the following default paths, which Amazon Inspector scans for all accounts:

  • /usr/lib

  • /usr/lib64

  • /usr/local/lib

  • /usr/local/lib64

Note

Custom paths must be local paths. Amazon Inspector doesn't scan mapped network paths, such as Network File System mounts or Amazon S3 file system mounts.

Formatting custom paths

A custom path cannot be longer than 256 characters. The following is an example of how a custom path might look:

Example path

/home/usr1/project01

Note

The package limit per instance is 5,000. The maximum package inventory collection time is 15 minutes. Amazon Inspector recommends that you choose custom paths to avoid these limits.

Setting a custom path in the Amazon Inspector console and with the Amazon Inspector API

The following procedures describe how to set a custom path for Amazon Inspector deep inspection in the Amazon Inspector console and with the Amazon Inspector API. After you set a custom path, Amazon Inspector includes the path in the next deep inspection.

Console
  1. Sign in to the Amazon Web Services Management Console as the delegated administrator, and open the Amazon Inspector console at https://console.amazonaws.cn/inspector/.

  2. Use the Amazon Web Services Region selector to choose the Region where you want to activate Lambda standard scanning.

  3. From the navigation pane, choose General settings, and then choose EC2 scanning settings.

  4. Under Custom paths for your own account, choose Edit.

  5. In the path text boxes, enter your custom paths.

  6. Choose Save.

API

Run the UpdateEc2DeepInspectionConfiguration command. For packagePaths, specify an array of paths to scan.
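Before passing a list of paths as packagePaths, it is worth checking it against the rules stated above (256-character limit, 5 paths per account or 10 for the delegated administrator, local filesystems only, no overlap with the default paths). The preflight below is an added example, not AWS code; it reads /proc/mounts-style text to find the filesystem type of each path, and treating nfs*, cifs, smb3 and fuse* mounts as network mounts is this example's own conservative assumption.

```python
"""Preflight for Amazon Inspector deep-inspection custom paths.

Added example, not AWS code. Checks the documented limits before the
list is passed as packagePaths to UpdateEc2DeepInspectionConfiguration.
Classifying nfs*/cifs/smb3/fuse* mounts as "network" is an assumption.
"""
DEFAULT_PATHS = ("/usr/lib", "/usr/lib64", "/usr/local/lib", "/usr/local/lib64")
MAX_PATH_LEN = 256
NETWORK_FS_PREFIXES = ("nfs", "cifs", "smb3", "fuse")


def parse_mounts(proc_mounts_text):
    """Return (mount_point, fstype) pairs, most specific mount first."""
    mounts = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((fields[1], fields[2]))
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)


def fstype_for(path, mounts):
    """Filesystem type of the mount that contains path."""
    for mount_point, fstype in mounts:
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            return fstype
    return "unknown"


def validate_custom_paths(paths, mounts, delegated_admin=False):
    """Return a list of problems; an empty list means the set is acceptable."""
    problems = []
    limit = 10 if delegated_admin else 5
    if len(paths) > limit:
        problems.append(f"{len(paths)} paths exceeds the limit of {limit}")
    for p in paths:
        if not p.startswith("/"):
            problems.append(f"{p}: must be an absolute local path")
        if len(p) > MAX_PATH_LEN:
            problems.append(f"{p[:24]}...: longer than {MAX_PATH_LEN} characters")
        if any(p == d or p.startswith(d + "/") for d in DEFAULT_PATHS):
            problems.append(f"{p}: already covered by a default path")
        fstype = fstype_for(p, mounts)
        if fstype.startswith(NETWORK_FS_PREFIXES):
            problems.append(f"{p}: on {fstype}, network mounts are not scanned")
    return problems


# Constructed sample of /proc/mounts: local root, an NFS share, an S3 FUSE mount.
SAMPLE_MOUNTS = """/dev/xvda1 / xfs rw,relatime 0 0
fileserver:/export /mnt/share nfs4 rw,relatime 0 0
mountpoint-s3 /mnt/s3 fuse rw,nosuid,nodev 0 0
"""
```

On an instance, call `validate_custom_paths(paths, parse_mounts(open("/proc/mounts").read()))` and only send the list to the API when it returns no problems; with the sample mounts, `/mnt/share/app` is rejected as an NFS path while `/home/usr1/project01` passes.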

Custom schedules for Amazon Inspector deep inspection

By default, Amazon Inspector collects an application inventory from Amazon EC2 instances every 6 hours. However, you can run the following commands to control how often Amazon Inspector does this.

Example command 1: List associations to view association ID and current interval

The following command shows the association ID for the association InvokeInspectorLinuxSsmPlugin-do-not-delete.

  aws ssm list-associations \
      --association-filter-list "key=AssociationName,value=InvokeInspectorLinuxSsmPlugin-do-not-delete" \
      --region your-Region

Example command 2: Update association to include new interval

The following command uses the association ID for the association InvokeInspectorLinuxSsmPlugin-do-not-delete. You can set the rate for schedule-expression from 6 hours to a new interval, such as 12 hours.

  aws ssm update-association \
      --association-id "your-association-ID" \
      --association-name "InvokeInspectorLinuxSsmPlugin-do-not-delete" \
      --schedule-expression "rate(6 hours)" \
      --region your-Region

Note

Depending on your use case, if you set the rate for schedule-expression from 6 hours to an interval like 30 minutes, you can exceed the daily SSM inventory limit. This causes results to be delayed, and you might encounter Amazon EC2 instances with partial error statuses.
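The helper below is an added example, not AWS code, that wraps the two commands above: it pulls the association ID out of the JSON that `aws ssm list-associations` prints, converts a rate() schedule expression into runs per day, and refuses to build an update-association command for an interval more frequent than the 6-hour default unless you explicitly allow it. Field names follow the SSM ListAssociations response; the association ID in the sample is a placeholder.

```python
"""Pre-check for changing the deep-inspection collection interval.

Added example, not AWS code. Parses `aws ssm list-associations` output,
converts rate() expressions to runs per day, and blocks intervals more
frequent than the 6-hour default (which can exceed the daily SSM
inventory limit) unless allow_faster is set.
"""
import json
import re

ASSOCIATION_NAME = "InvokeInspectorLinuxSsmPlugin-do-not-delete"
DEFAULT_RATE = "rate(6 hours)"
MINUTES_PER_UNIT = {"minute": 1, "hour": 60, "day": 1440}


def runs_per_day(schedule_expression):
    """'rate(12 hours)' -> 2.0; raises ValueError for anything but rate()."""
    m = re.fullmatch(r"\s*rate\((\d+) (minute|hour|day)s?\)\s*", schedule_expression)
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"unsupported schedule expression: {schedule_expression!r}")
    return 1440 / (int(m.group(1)) * MINUTES_PER_UNIT[m.group(2)])


def find_association_id(list_associations_json):
    """Return the AssociationId of the Inspector plugin association."""
    for assoc in json.loads(list_associations_json).get("Associations", []):
        if assoc.get("AssociationName") == ASSOCIATION_NAME:
            return assoc["AssociationId"]
    raise LookupError(f"{ASSOCIATION_NAME} not found")


def build_update_command(association_id, schedule_expression, region, allow_faster=False):
    """argv for `aws ssm update-association`; rejects rates faster than the default."""
    if not allow_faster and runs_per_day(schedule_expression) > runs_per_day(DEFAULT_RATE):
        raise ValueError(f"{schedule_expression} runs more often than {DEFAULT_RATE}")
    return ["aws", "ssm", "update-association",
            "--association-id", association_id,
            "--association-name", ASSOCIATION_NAME,
            "--schedule-expression", schedule_expression,
            "--region", region]


# Constructed list-associations output; the AssociationId is a placeholder.
SAMPLE_LIST_OUTPUT = json.dumps({"Associations": [
    {"AssociationName": ASSOCIATION_NAME,
     "AssociationId": "PLACEHOLDER-ASSOCIATION-ID",
     "ScheduleExpression": DEFAULT_RATE}]})
```

Feed the real `list-associations` output to `find_association_id()`, then hand the returned argv to `subprocess.run()` once `build_update_command()` accepts the new interval.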

Supported programming languages

For Linux instances, Amazon Inspector deep inspection can produce findings for application programming language packages and operating system packages.

For Mac and Windows instances, Amazon Inspector deep inspection can produce findings only for operating system packages.

For more information about supported programming languages, see Supported programming languages: Amazon EC2 deep inspection.