
Activating Amazon Inspector scans for member accounts

As a delegated administrator for your organization, you can activate Amazon EC2 scanning, Amazon ECR scanning, Lambda standard scanning, Lambda code scanning, or any combination of these, for any member account associated with the AWS Organizations management account. When you activate scans for a member account, that account becomes associated with the delegated administrator, Amazon Inspector is activated in it automatically, and scans of the chosen types start immediately. For information about which resources can be scanned and how to configure scans, see Automated resource scanning with Amazon Inspector.

Amazon Inspector provides several options for managing and activating scans for member accounts, including allowing member accounts to activate Amazon Inspector. Use one of the following options to start scans for your member accounts.

To automatically activate scanning for all member accounts
  1. Sign in using the delegated administrator account credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Use the region selector to choose the AWS Region where you want to activate scanning for all member accounts.

  3. From the navigation pane, choose Account management. The Accounts tab displays all member accounts associated with the AWS Organizations management account.

  4. Under Organization, select the check box next to the Account number column header, which selects every account shown on the current page. Then choose Activate to select which scanning options you want to apply to member accounts. You can select the following scanning types:

    • Amazon EC2 scanning

    • Amazon ECR scanning

    • Lambda standard scanning

    • Lambda code scanning

    After you select your preferred scanning types, choose Save.

    Note

    If you have multiple pages of accounts, you must repeat this step on each page. You can choose the gear icon to change the number of accounts displayed on each page.

  5. Turn on the Automatically activate Inspector for new member accounts setting, and select which scanning options you want to apply to new member accounts added to your organization. You can select the following scanning types:

    • Amazon EC2 scanning

    • Amazon ECR scanning

    • Lambda standard scanning

    • Lambda code scanning

    After you select your preferred scanning types, choose Activate.

  6. (Recommended) Repeat each of these steps in each AWS Region where you want to activate scanning for member accounts.

The Automatically activate Inspector for new member accounts setting activates Amazon Inspector for all future members of your organization. If the number of member accounts is more than 5,000, this setting is automatically turned off. If the total number of member accounts decreases to less than 5,000, the setting is automatically reactivated.

To activate scanning for specific member accounts
  1. Sign in using the delegated administrator account credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Use the region selector to choose the AWS Region where you want to activate scanning for the selected member accounts.

  3. From the navigation pane, choose Account management. The Accounts tab displays all member accounts associated with the AWS Organizations management account.

  4. Under Organization, select the box next to each member account number you want to activate scanning for. Then choose Activate to select which scanning options you want to apply to member accounts. You can select the following scanning types:

    • Amazon EC2 scanning

    • Amazon ECR scanning

    • Lambda standard scanning

    • Lambda code scanning

    After you select your preferred scanning types, choose Save.

    Note

    If you have multiple pages of accounts, you must repeat this step on each page. You can choose the gear icon to change the number of accounts displayed on each page.

  5. (Recommended) Repeat each of these steps in each AWS Region where you want to activate scanning for specific members.
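The two console procedures above (activating every member account plus the auto-activate setting, and activating specific member accounts) map onto a handful of `aws inspector2` CLI calls, and a CLI rollout is the natural way to satisfy the "repeat in each Region" recommendation and then verify the result. The following is an added example, not code from this page or from AWS; it assumes the AWS CLI v2 is installed with delegated-administrator credentials, and it assumes that `associate-member` is called before `enable` for an account that is not yet associated. The `SAMPLE_STATUS` and `SAMPLE_ORG_CONFIG` JSON are constructed to mirror the shape of `batch-get-account-status` and `describe-organization-configuration` output; the `scan_gaps` check reports any requested scan type that is not yet `ENABLED`, and `auto_enable_off_due_to_limit` surfaces the 5,000-account condition under which the auto-activate setting is turned off.

```python
#!/usr/bin/env python3
"""Activate Amazon Inspector scanning for member accounts across Regions with the
AWS CLI and verify the outcome. Added example; assumes AWS CLI v2 and
delegated-administrator credentials. Run with --apply to execute the calls."""
import json
import re
import subprocess
import sys
from typing import Dict, Iterable, List

SCAN_TYPES = ("EC2", "ECR", "LAMBDA", "LAMBDA_CODE")
# CLI --resource-types value -> key used in resourceState / --auto-enable
STATE_KEY = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda", "LAMBDA_CODE": "lambdaCode"}
ACCOUNT_ID = re.compile(r"^\d{12}$")


def validate(account_ids: Iterable[str], scan_types: Iterable[str]) -> None:
    """Reject malformed account IDs and unknown scan types before any call is made."""
    bad = [a for a in account_ids if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    unknown = [s for s in scan_types if s not in SCAN_TYPES]
    if unknown:
        raise ValueError(f"unknown scan types: {unknown}")


def enable_commands(account_ids: List[str], scan_types: List[str],
                    regions: List[str]) -> List[List[str]]:
    """CLI calls for 'activate scanning for specific member accounts', once per Region:
    associate each member (assumption: required before enable), then one enable call."""
    validate(account_ids, scan_types)
    cmds: List[List[str]] = []
    for region in regions:
        for acct in account_ids:
            cmds.append(["aws", "inspector2", "associate-member",
                         "--account-id", acct, "--region", region])
        cmds.append(["aws", "inspector2", "enable", "--account-ids", *account_ids,
                     "--resource-types", *scan_types, "--region", region])
    return cmds


def auto_enable_command(scan_types: List[str], region: str) -> List[str]:
    """CLI call for the 'Automatically activate Inspector for new member accounts' setting."""
    validate([], scan_types)
    flags = ",".join(f"{STATE_KEY[t]}={'true' if t in scan_types else 'false'}"
                     for t in SCAN_TYPES)
    return ["aws", "inspector2", "update-organization-configuration",
            "--auto-enable", flags, "--region", region]


def scan_gaps(status_output: str, scan_types: List[str]) -> Dict[str, List[str]]:
    """Parse batch-get-account-status JSON; return per account the requested scan
    types whose status is not ENABLED. Accounts the call failed for count as fully missing."""
    data = json.loads(status_output)
    gaps: Dict[str, List[str]] = {}
    for acct in data.get("accounts", []):
        states = acct.get("resourceState", {})
        missing = [t for t in scan_types
                   if states.get(STATE_KEY[t], {}).get("status") != "ENABLED"]
        if missing:
            gaps[acct["accountId"]] = missing
    for failed in data.get("failedAccounts", []):
        gaps[failed["accountId"]] = list(scan_types)
    return gaps


def auto_enable_off_due_to_limit(org_config_output: str) -> bool:
    """True when describe-organization-configuration reports the member-account limit
    was reached, the condition under which auto-activate is switched off."""
    return bool(json.loads(org_config_output).get("maxAccountLimitReached", False))


# Constructed sample output (not captured from a real account).
SAMPLE_STATUS = json.dumps({
    "accounts": [
        {"accountId": "111122223333", "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"},
                           "lambda": {"status": "ENABLED"}, "lambdaCode": {"status": "ENABLING"}}},
        {"accountId": "444455556666", "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "DISABLED"},
                           "lambda": {"status": "ENABLED"}, "lambdaCode": {"status": "ENABLED"}}},
    ],
    "failedAccounts": [{"accountId": "777788889999", "errorCode": "ACCESS_DENIED",
                        "errorMessage": "constructed sample"}],
})
SAMPLE_ORG_CONFIG = json.dumps({"autoEnable": {"ec2": True, "ecr": True, "lambda": False,
                                               "lambdaCode": False},
                                "maxAccountLimitReached": False})


def main(argv: List[str]) -> None:
    accounts = ["111122223333", "444455556666"]  # hypothetical member accounts
    regions = ["us-east-1", "eu-west-1"]          # hypothetical target Regions
    wanted = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
    planned = enable_commands(accounts, wanted, regions)
    planned += [auto_enable_command(wanted, r) for r in regions]
    for cmd in planned:
        print(" ".join(cmd))
        if "--apply" in argv:
            subprocess.run(cmd, check=True)
    print("gaps in sample status:", scan_gaps(SAMPLE_STATUS, wanted))
    print("auto-enable off due to limit:", auto_enable_off_due_to_limit(SAMPLE_ORG_CONFIG))


if __name__ == "__main__":
    main(sys.argv[1:])
```

After `--apply`, feed the real output of `aws inspector2 batch-get-account-status --account-ids ... --region <r>` into `scan_gaps` for each Region, and re-run `describe-organization-configuration` after large account onboardings, since a `maxAccountLimitReached` of `true` means new members are no longer being activated automatically.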

If your AWS Organizations management account has designated a delegated administrator for Amazon Inspector, you can activate Amazon Inspector in your own account as a member account so that you can view its scan details.

To activate scanning as a member account
  1. Sign in using your member account credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Use the region selector to choose the AWS Region where you want to activate scanning for your account.

  3. From the navigation pane, choose Account management. The Accounts tab displays all member accounts associated with the AWS Organizations management account.

  4. Under Organization, select the box next to your account number. Then choose Activate to select which scanning options you want to apply. You can select the following scanning types:

    • Amazon EC2 scanning

    • Amazon ECR scanning

    • Lambda standard scanning

    • Lambda code scanning

    After you select your preferred scanning types, choose Save.

  5. (Recommended) Repeat these steps in each Region where you want to activate scanning for your member account.