Enabling Amazon Inspector scans for member accounts

As a delegated administrator for your organization, you can enable Amazon EC2 scanning, Amazon ECR scanning, or both, for any member associated with the AWS Organizations management account. When you enable scans for a member account, that account becomes associated with the delegated administrator, Amazon Inspector is automatically enabled, and scans of the chosen type start immediately. For information on which resources can be scanned and how to configure scans, see Scanning resources with Amazon Inspector.

Amazon Inspector provides several options for managing and enabling scans for member accounts, including allowing member accounts to enable Amazon Inspector. Use one of the following options to start scans for your member accounts:

To automatically enable scanning for all member accounts:

  1. Log in to the delegated administrator account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home, then use the Region selector in the upper right to specify the Region in which you want to designate an administrator.

  3. In the navigation panel, choose Account Management. The accounts table displays all of the member accounts associated with the AWS Organizations management account.

  4. Select the check box at the top of the table to select all accounts on this page. Then choose Enable and select your preferred scan type option from the list.

    Note

    Only the accounts currently visible on the page are selected; if you have multiple pages of accounts, you must repeat this process on each page. To change the number of accounts displayed per page, select the gear icon.

  5. Turn on the Auto-enable feature and select the scan types to enable those scans for any new members who are added to your organization.

  6. (Recommended) Repeat these steps in each Region in which you want to enable scans for your members.

The auto-enable feature enables Amazon Inspector for all future members of your organization. This allows your Amazon Inspector delegated administrator to manage any new members that are added to the organization. When the number of member accounts reaches the limit of 5000, the auto-enable feature is automatically turned off. If an account is removed and the total number of members decreases to fewer than 5000, then the auto-enable feature is automatically reactivated.

To selectively enable member accounts:

  1. Log in to the delegated administrator account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home, then use the Region selector in the upper right to specify the desired Region.

  3. From the Account Management page choose the accounts that you want to add as members by selecting the check box for those accounts.

  4. Select Enable.

  5. From the Enable menu, choose the scan types to enable for the selected accounts. You can choose from the following scan options:

    • All Scanning to enable both Amazon EC2 and Amazon ECR scans

    • EC2 Scanning to enable scans of Amazon EC2 instances

    • Container Scanning to enable scans of Amazon ECR container images

  6. (Recommended) Repeat these steps in each Region in which you want to enable scans for your members.
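The two delegated-administrator procedures above (enable all members with auto-enable, or enable a selected set) map onto a handful of Inspector2 API calls, and automating them avoids the per-page selection and per-Region repetition the console requires. The following is an added example, not code from the AWS documentation. It uses the boto3 `inspector2` method names and request/response shapes (`list_members`, `batch_get_account_status`, `enable`, `describe_organization_configuration`, `update_organization_configuration`); any object exposing those methods can be passed as `client`, so `boto3.client("inspector2", region_name=...)` works unchanged. `FakeInspector2Client` is a constructed in-memory stand-in so the module runs offline, the account IDs are constructed sample values, and the batch size of 100 account IDs per `Enable` request is an assumption about the API limit.

```python
"""Enable Amazon Inspector EC2/ECR scans for member accounts (added example).

Duck-typed on boto3's inspector2 client; FakeInspector2Client is a constructed
stand-in for offline use.  ENABLE_BATCH_SIZE is an assumed API limit.
"""
from typing import Callable, Dict, Iterable, List

ENABLE_BATCH_SIZE = 100  # assumed maximum accountIds per Enable/BatchGetAccountStatus call
SCAN_OPTIONS = {         # console "Enable" menu item -> Inspector2 resourceTypes
    "All Scanning": ["EC2", "ECR"],
    "EC2 Scanning": ["EC2"],
    "Container Scanning": ["ECR"],
}


def list_member_account_ids(client) -> List[str]:
    """Page through ListMembers (the API equivalent of the console's account table pages)."""
    ids, token = [], None
    while True:
        page = client.list_members(**({"nextToken": token} if token else {}))
        ids.extend(m["accountId"] for m in page.get("members", []))
        token = page.get("nextToken")
        if not token:
            return ids


def accounts_needing(client, account_ids: List[str], resource_types: List[str]) -> List[str]:
    """Return the accounts where at least one requested scan type is not already ENABLED."""
    needing = []
    for i in range(0, len(account_ids), ENABLE_BATCH_SIZE):
        chunk = account_ids[i:i + ENABLE_BATCH_SIZE]
        status = client.batch_get_account_status(accountIds=chunk)
        seen = set()
        for acct in status.get("accounts", []):
            seen.add(acct["accountId"])
            state = acct.get("resourceState", {})  # keys are lower-case: "ec2", "ecr"
            if any(state.get(rt.lower(), {}).get("status") != "ENABLED" for rt in resource_types):
                needing.append(acct["accountId"])
        needing.extend(a for a in chunk if a not in seen)  # unknown to the API -> enable anyway
    return needing


def enable_scans(client, account_ids: List[str], scan_option: str = "All Scanning") -> Dict[str, List[str]]:
    """Selective enable: turn on the chosen scan types for the given member accounts, in batches."""
    resource_types = SCAN_OPTIONS[scan_option]
    targets = accounts_needing(client, account_ids, resource_types)
    enabled, failed = [], []
    for i in range(0, len(targets), ENABLE_BATCH_SIZE):
        resp = client.enable(accountIds=targets[i:i + ENABLE_BATCH_SIZE], resourceTypes=resource_types)
        enabled.extend(a["accountId"] for a in resp.get("accounts", []))
        failed.extend(a["accountId"] for a in resp.get("failedAccounts", []))
    return {"enabled": enabled, "failed": failed, "skipped": [a for a in account_ids if a not in targets]}


def enable_all_members(client, scan_option: str = "All Scanning", auto_enable: bool = True) -> Dict:
    """Enable every current member, then switch on auto-enable for future members (steps 4-5)."""
    result = enable_scans(client, list_member_account_ids(client), scan_option)
    if auto_enable:
        cfg = client.describe_organization_configuration()
        auto = dict(cfg.get("autoEnable", {}))               # keep other settings as they are
        auto.update({rt.lower(): True for rt in SCAN_OPTIONS[scan_option]})
        result["auto_enable"] = client.update_organization_configuration(autoEnable=auto)["autoEnable"]
        # True once the 5000-member limit is hit; auto-enable is turned off by the service then
        result["max_account_limit_reached"] = cfg.get("maxAccountLimitReached", False)
    return result


def enable_in_regions(client_factory: Callable[[str], object], regions: Iterable[str],
                      scan_option: str = "All Scanning") -> Dict[str, Dict]:
    """Inspector is Regional (step 6): client_factory(region) should return a Regional client."""
    return {region: enable_all_members(client_factory(region), scan_option) for region in regions}


class FakeInspector2Client:
    """Constructed in-memory stand-in for boto3.client('inspector2'); not the real service."""

    def __init__(self, members, page_size=2, enabled=None, fail=()):
        self._members, self._page_size, self._fail = list(members), page_size, set(fail)
        self._state = {a: set(t) for a, t in (enabled or {}).items()}
        self.auto_enable = {"ec2": False, "ecr": False}
        self.calls = []

    def list_members(self, **kw):
        start = int(kw.get("nextToken", 0))
        page = self._members[start:start + self._page_size]
        resp = {"members": [{"accountId": a, "relationshipStatus": "ENABLED"} for a in page]}
        if start + self._page_size < len(self._members):
            resp["nextToken"] = str(start + self._page_size)
        return resp

    def batch_get_account_status(self, accountIds):
        return {"accounts": [{"accountId": a, "resourceState": {
            rt.lower(): {"status": "ENABLED"} for rt in self._state.get(a, ())}} for a in accountIds]}

    def enable(self, accountIds, resourceTypes):
        self.calls.append(("enable", list(accountIds), list(resourceTypes)))
        ok = [{"accountId": a} for a in accountIds if a not in self._fail]
        for entry in ok:
            self._state.setdefault(entry["accountId"], set()).update(resourceTypes)
        return {"accounts": ok, "failedAccounts": [{"accountId": a, "errorCode": "ACCESS_DENIED"}
                                                   for a in accountIds if a in self._fail]}

    def describe_organization_configuration(self):
        return {"autoEnable": dict(self.auto_enable), "maxAccountLimitReached": len(self._members) >= 5000}

    def update_organization_configuration(self, autoEnable):
        self.auto_enable = dict(autoEnable)
        return {"autoEnable": dict(self.auto_enable)}


if __name__ == "__main__":
    # Constructed sample organization: three members, one already fully enabled.
    demo = FakeInspector2Client(["111111111111", "222222222222", "333333333333"],
                                enabled={"222222222222": ["EC2", "ECR"]})
    print(enable_all_members(demo, "All Scanning"))
```

Against a real account, replace the fake with `boto3.client("inspector2", region_name=region)` inside the factory passed to `enable_in_regions`; the functions never touch the client beyond the five calls listed, and `accounts_needing` keeps the run idempotent, so re-running it after adding members only calls `Enable` for accounts that still need it.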

To enable scanning as a member account:

If your AWS Organizations management account has delegated an administrator for Amazon Inspector you can enable your own account as a member. This allows you to view scan details for your own account.

  1. Log in to your account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home, then use the Region selector in the upper right to specify the desired Region.

  3. On the Account Management page, choose your account from the table.

  4. Select the Enable button.

  5. From the Enable menu, choose the scan types to enable. You can choose from the following scan options:

    • All Scanning to enable both Amazon EC2 and Amazon ECR scans

    • EC2 Scanning to enable scans of Amazon EC2 instances

    • Container Scanning to enable scans of Amazon ECR container images

  6. (Recommended) Repeat these steps in each Region in which you want to enable scans.