Activating Amazon Inspector scans for member accounts - Amazon Inspector

Activating Amazon Inspector scans for member accounts

As a delegated administrator for your organization, you can activate Amazon EC2 scanning, Amazon ECR scanning, or both, for any member associated with the AWS Organizations management account. When you activate scans for a member account, that account becomes associated to the delegated administrator, Amazon Inspector is automatically activated, and scans of the chosen type are started immediately. For information about what resources can be scanned and configuring scans, see Automated resource scanning with Amazon Inspector.

Amazon Inspector provides several options for managing and activating scans for member accounts, including allowing member accounts to activate Amazon Inspector. Use one of the following options to start scans for your member accounts.

To automatically activate scanning for all member accounts

  1. Log in to the delegated administrator account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home, then use the AWS Region selector in the upper right to specify the Region in which you want to activate scanning for all member accounts.

  3. In the navigation pane, under Settings, choose Account management. The accounts table displays all the member accounts associated with the AWS Organizations management account.

  4. Select the check box at the top of the table to select all accounts on this page. Then choose Activate and select your preferred scan type option from the menu.

    Note

    Only the accounts currently visible on the page are selected, this means that if you have multiple pages of accounts you must repeat this process on each page. To change the number of accounts displayed on the page select the gear icon.

  5. Turn on the Automatically activate Inspector for new member accounts setting, and the select the scan types to activate for any new members who are added to your organization.

  6. (Recommended) Repeat these steps in each Region in which you want to activate scans for all of your members.

The Automatically activate Inspector for new member accounts setting activates Amazon Inspector for all future members of your organization. This allows your Amazon Inspector delegated administrator to manage any new members that are added to the organization. When the number of member accounts reaches the limit of 5,000, this setting is automatically turned off. If an account is removed and the total number of members decreases to fewer than 5,000, the setting is automatically reactivated.

To selectively activate member accounts

  1. Log in to the delegated administrator account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home, then use the AWS Region selector in the upper right to specify the Region in which you want to activate scanning for certain member accounts.

  3. In the navigation pane, under Settings, choose Account management. The accounts table displays all the member accounts associated with the AWS Organizations management account.

  4. On the Account management page, select the check box for each member account that you want to activate scanning for.

  5. Select Activate.

  6. From the Activate menu, choose the scan types to activate for the selected accounts. You can choose from the following scan options:

    • All scanning to activate all scan types.

    • EC2 scanning to activate scans of Amazon EC2 instances

    • ECR container scanning to activate scans of Amazon ECR container images

    • AWS Lambda standard scanning to activate scans of Lambda functions

  7. (Recommended) Repeat these steps in each Region in which you want to activate scans for certain members.

To activate scanning as a member account

If your AWS Organizations management account has delegated an administrator for Amazon Inspector, you can activate your own account as a member. This allows you to view scan details for your own account.

  1. Log in to your account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home, then use the AWS Region selector in the upper right to specify the Region in which you want to activate scanning.

  3. In the navigation pane, under Settings, choose Account management.

  4. On the Account management page, select the check box for your account.

  5. From the Activate menu, choose the scan types to activate. You can choose from the following scan options:

    • All scanning to activate all scan types.

    • EC2 scanning to activate scans of Amazon EC2 instances

    • ECR container scanning to activate scans of Amazon ECR container images

    • AWS Lambda standard scanning to activate scans of Lambda functions

  6. (Recommended) Repeat these steps in each Region in which you want to activate scans.