Activating a scan type - Amazon Inspector

Activating a scan type

You can activate a new Amazon Inspector scan type at any time. Once a scan type is activated, Amazon Inspector will immediately begin scanning eligible resources for that scan type. For an overview of the available scan types see Overview of Amazon Inspector scan types. The following describes what happens when you first activate each scan type:

  • Amazon EC2 scanning — When you activate Amazon EC2 scanning for an account, Amazon Inspector scans all eligible instances in your account for package vulnerabilities and network reachability issues. The Amazon Inspector SSM plug-in is installed on all your SSM-managed Windows hosts. For more information, see Scanning Windows instances. Additionally, the following SSM associations used by Amazon Inspector are created:

    • InspectorDistributor-do-not-delete

    • InspectorInventoryCollection-do-not-delete

    • InspectorLinuxDistributor-do-not-delete

    • InvokeInspectorLinuxSsmPlugin-do-not-delete

    • InvokeInspectorSsmPlugin-do-not-delete

  • Amazon ECR scanning — When you activate Amazon ECR container image scanning for an account, the Amazon ECR scan type for private repositories in that account changes from Basic scanning with Amazon ECR to Enhanced scanning with Amazon Inspector. All eligible Amazon ECR container images pushed within the last 30 days are then scanned for package vulnerabilities. Additionally, your Amazon ECR automated rescan duration is set to Lifetime.

  • Lambda standard scanning — When you activate Lambda standard scanning in an account, all Lambda functions in your account that were invoked or updated in the last 90 days are scanned for package vulnerabilities. Additionally, a CloudTrail service-linked channel is created in your account.

  • Lambda standard scanning + Lambda code scanning — These Lambda function scan types are activated together. When you activate Lambda code scanning in an account, all Lambda functions in your account that were invoked or updated in the last 90 days are scanned for code vulnerabilities.

Activating scans

If you are the delegated administrator for Amazon Inspector in an AWS organization, you can activate the various Amazon Inspector scan types for multiple accounts across multiple Regions automatically using inspector2-enablement-with-cli, a shell script developed by Amazon Inspector and published on GitHub. Otherwise, to complete this procedure for a multi-account environment through the console, complete the following steps while signed in as the Amazon Inspector delegated administrator.

To activate scans
  1. Open the Amazon Inspector console at

  2. Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to activate a new scan type.

  3. In the navigation pane, choose Account management.

  4. On the Account management page, select the accounts for which you would like to activate a scan type.

  5. Choose Activate and select the type of scanning you would like to activate.

  6. (Recommended) Repeat these steps in each AWS Region for which you want to activate that scan type.


Run the Enable API operation. In the request, provide the account IDs you are activating scans for, and idempotency token, and one or more of EC2, ECR, LAMBDA, or LAMBDA_CODE for resourceTypes to activate scans of that type.
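The API path described above, as an added example that is not AWS's own code or part of the Inspector documentation: it assembles the Enable request parameters (accountIds, resourceTypes, clientToken), checks them against the resource types the page lists, and repeats the call once per Region as the console procedure recommends. The `make_client` hook and the `enable_in_regions` helper are assumptions made so the code can be exercised offline; the live call under `main` assumes boto3 with delegated-administrator credentials.

```python
import re
import uuid

# Valid values for the Enable operation's resourceTypes parameter.
VALID_RESOURCE_TYPES = ("EC2", "ECR", "LAMBDA", "LAMBDA_CODE")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_enable_request(account_ids, resource_types, client_token=None):
    """Validate inputs and return the parameter dict for inspector2 Enable.

    clientToken is the idempotency token (a fresh UUID if none is given).
    Because Lambda code scanning is activated together with Lambda standard
    scanning, LAMBDA is added whenever LAMBDA_CODE is requested (helper's choice).
    """
    ids = list(dict.fromkeys(str(a) for a in account_ids))  # de-duplicate
    bad = [a for a in ids if not ACCOUNT_ID_RE.match(a)]
    if bad:
        raise ValueError(f"account IDs must be 12 digits: {bad}")
    types = list(dict.fromkeys(resource_types))
    unknown = [t for t in types if t not in VALID_RESOURCE_TYPES]
    if unknown:
        raise ValueError(f"unknown resource types: {unknown}")
    if "LAMBDA_CODE" in types and "LAMBDA" not in types:
        types.append("LAMBDA")
    return {"accountIds": ids, "resourceTypes": types,
            "clientToken": client_token or str(uuid.uuid4())}


def enable_in_regions(regions, account_ids, resource_types, make_client):
    """Call Enable once per Region (activation is Regional, so repeat per Region).

    make_client(region) returns an object with an .enable(**params) method,
    e.g. lambda r: boto3.client("inspector2", region_name=r). Each Region is a
    distinct request and gets its own idempotency token.
    """
    results = {}
    for region in regions:
        params = build_enable_request(account_ids, resource_types)
        resp = make_client(region).enable(**params)
        results[region] = {
            "accounts": [a["accountId"] for a in resp.get("accounts", [])],
            "failedAccounts": [f["accountId"] for f in resp.get("failedAccounts", [])],
        }
    return results


if __name__ == "__main__":  # live call; needs delegated-administrator credentials
    import boto3
    print(enable_in_regions(["us-east-1"], ["111122223333"], ["EC2", "ECR"],
                            lambda r: boto3.client("inspector2", region_name=r)))
```

The account ID and Region values in `main` are constructed placeholders; the function's return value lists, per Region, which accounts were accepted and which failed.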