Amazon Inspector
User Guide (Version Latest)

Setting up Amazon Inspector

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS, including Amazon Inspector. If you don't have an AWS account, use the following procedure to create one.

To sign up for AWS

  1. Open, and then choose Create an AWS Account.


    This might be unavailable in your browser if you previously signed into the AWS Management Console. In that case, choose Sign In to the Console, and then choose Create a new AWS account.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone keypad.

When you launch the Amazon Inspector console for the first time, choose Get Started and complete the following prerequisite tasks. You must complete these tasks before you can create, start, and complete an Amazon Inspector assessment run:

Create a Role

For Amazon Inspector to access the EC2 instances in your AWS account and collect behavior data during the assessment run, you must create an AWS Identity and Access Management (IAM) role. To create an IAM role, do the following:

  • On the Inspector prerequisites page, choose Select/Create Role.

    This launches the IAM console where you see the following message: "Amazon Inspector is requesting permissions to use resources in your account. Choose Allow to give Amazon Inspector read-only access to resources in your account."

    Choose Allow. You are redirected back to the Amazon Inspector console where you can complete the rest of the Getting Started wizard.

Create Assessment Targets with EC2 Instance Tags

Amazon Inspector evaluates whether your assessment targets (collections of AWS resources) have potential security issues.


In this release of Amazon Inspector, your assessment targets can consist only of EC2 instances that run on a number of supported operating systems. For more information about supported Linux-based and Windows-based operating systems, and supported AWS regions, see Amazon Inspector Supported Operating Systems and Regions.

For more information about launching EC2 instances, see Amazon Elastic Compute Cloud Documentation.

Amazon Inspector uses the tags applied to your EC2 instances to target those resources as part of your defined assessment template. When configuring your assessment targets, you can utilize the tags you already have defined on your EC2 instances, or create entirely new tags specifically for your assessments. For more information about tagging, see Working with Tag Editor and Tagging Your Amazon EC2 Resources.

For more information about tagging EC2 instances to be included in Amazon Inspector assessment targets, see Amazon Inspector Assessment Targets.
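
A coverage check for the tag-based targeting described above, as an added example that is not part of the AWS guide: it takes output shaped like `aws ec2 describe-instances` (a constructed sample is embedded) and lists the running instances that lack the tag the assessment target uses. The tag `InspectorScan=true`, the instance IDs, and the single key/value pair target are assumptions made for illustration.

```python
# Constructed sample shaped like `aws ec2 describe-instances` output (not real data).
SAMPLE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f00001", "State": {"Name": "running"},
             "Tags": [{"Key": "InspectorScan", "Value": "true"},
                      {"Key": "Name", "Value": "web-1"}]},
            # Tag key differs only in case: EC2 tags are case-sensitive, so no match.
            {"InstanceId": "i-0a1b2c3d4e5f00002", "State": {"Name": "running"},
             "Tags": [{"Key": "inspectorscan", "Value": "true"}]},
        ]},
        {"Instances": [
            # No "Tags" field at all: the instance was never tagged.
            {"InstanceId": "i-0a1b2c3d4e5f00003", "State": {"Name": "running"}},
            # Right key, wrong value.
            {"InstanceId": "i-0a1b2c3d4e5f00004", "State": {"Name": "running"},
             "Tags": [{"Key": "InspectorScan", "Value": "false"}]},
            # Tagged correctly but stopped, so it is left out of both lists.
            {"InstanceId": "i-0a1b2c3d4e5f00005", "State": {"Name": "stopped"},
             "Tags": [{"Key": "InspectorScan", "Value": "true"}]},
        ]},
    ]
}

# Assumed tag for the assessment target; key and value are placeholders.
TARGET_TAG = ("InspectorScan", "true")


def coverage(describe_output, target_tag):
    """Split running instances into those carrying target_tag and those without it."""
    key, value = target_tag
    covered, missed = [], []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # only running instances are considered here
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            bucket = covered if tags.get(key) == value else missed
            bucket.append(inst["InstanceId"])
    return covered, missed


if __name__ == "__main__":
    covered, missed = coverage(SAMPLE, TARGET_TAG)
    print("In assessment target:", covered)
    print("Running but not targeted:", missed)
```
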

Install the Amazon Inspector Agent

You must install the Amazon Inspector Agent on each EC2 instance in your assessment target. The agent monitors the behavior of the EC2 instances on which it is installed, including network, file system, and process activity, and collects a wide set of behavior and configuration data (telemetry), which it then passes to the Amazon Inspector service. For more information about Amazon Inspector Agent privileges, security, updates, telemetry data, and access control, see Amazon Inspector Agents.

For more information about how to install the Amazon Inspector Agent, see Installing Amazon Inspector Agents. For more information about how to uninstall the agent or verify whether the installed agent is running, see Working with Amazon Inspector Agents on Linux-based Operating Systems and Working with Amazon Inspector Agents on Windows-based Operating Systems.