Assessing Amazon Inspector coverage of your AWS environment
To help you assess and interpret Amazon Inspector coverage of your AWS environment, the Account management page on the Amazon Inspector console provides statistics and details about the status of Amazon Inspector scanning for your accounts and resources. With this page, you can review aggregated statistics and other data for your resources. You can also perform in-depth analysis of Amazon Inspector coverage for individual resources and drill down to review findings for specific resources. If you're the delegated Amazon Inspector administrator for an organization, the data includes statistics and details for all the accounts in your organization.
To assess Amazon Inspector coverage of your AWS environment
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- In the navigation pane, under Settings, choose Account management.
- On the Account management page, choose the tab for one of the following coverage views:
  - Accounts, for account-level coverage.
  - Instances, for coverage of Amazon Elastic Compute Cloud (Amazon EC2) instances.
  - Repositories, for coverage of Amazon Elastic Container Registry (Amazon ECR) repositories.
  - Images, for coverage of Amazon ECR container images.
  - Lambda, for coverage of Lambda functions.
The topics in this section describe the information that each tab provides, including the scanning status that an individual resource can have.
Assessing account-level coverage
If your account is not part of an organization or is not the delegated Amazon Inspector administrator account for an organization, the Accounts tab provides information about your account and the status of resource scanning for your account. On this tab, you can activate or deactivate scanning for all or only specific types of resources for your account. For more information, see Scanning resources with Amazon Inspector.
If your account is the delegated Amazon Inspector administrator account for an organization, the Accounts tab provides automatic activation settings for accounts in your organization, and it lists all the accounts in your organization. For each account, the list indicates whether Amazon Inspector is activated for the account and, if so, the resource scanning types that are activated for the account. As the delegated administrator, you can use this tab to change the automatic activation settings for your organization. You can also activate or deactivate specific types of resource scanning for individual member accounts. For more information, see Activating Amazon Inspector scans for member accounts.
Assessing coverage of Amazon EC2 instances
The Instances tab shows Amazon EC2 instances in your AWS environment. The lists are organized into groups on the following tabs:
- All – Shows all the instances in your environment. The Status field indicates the current scanning status for an instance. For a list of possible status values and a description of each one, see Assessing the scanning status of individual resources.
- Scanning – Shows all the instances that Amazon Inspector is actively monitoring and scanning in your environment.
- Not scanning – Shows all the instances that Amazon Inspector is not monitoring and scanning in your environment. The Reason field indicates why Amazon Inspector is not monitoring and scanning an instance.
An EC2 instance can appear on the Not scanning tab for any of several reasons. Amazon Inspector uses AWS Systems Manager (SSM) and the SSM Agent to automatically monitor and scan your EC2 instances for vulnerabilities. If an instance does not have the SSM Agent running, does not have an AWS Identity and Access Management (IAM) role that supports Systems Manager, or is not running a supported operating system or architecture, Amazon Inspector cannot monitor and scan the instance. For more information, see Scanning Amazon EC2 instances.
On each tab, the Account field specifies the AWS account that owns an instance.
To review additional details about an EC2 instance, choose the link in the EC2 instance field. Amazon Inspector then displays details about the instance and current findings for the instance. To review the details of a finding, choose the link in the Title field. For information about these details, see Finding details.
Assessing coverage of Amazon ECR repositories
The Repositories tab shows Amazon ECR repositories in your AWS environment. The lists are organized into groups on the following tabs:
- All – Shows all the repositories in your environment. The Status field indicates the current scanning status for a repository. For a list of possible status values and a description of each one, see Assessing the scanning status of individual resources.
- Activated – Shows all the repositories that Amazon Inspector is configured to monitor and scan in your environment. The Status field indicates the current scanning status for a repository.
- Not activated – Shows all the repositories that Amazon Inspector is not monitoring and scanning in your environment. The Reason field indicates why Amazon Inspector is not monitoring and scanning a repository.
On each tab, the Account field specifies the AWS account that owns a repository.
To review additional details about a repository, choose the repository’s name. Amazon Inspector then displays a list of container images in the repository and details for each image. The details include the image tag, image digest, and scanning status. They also include key finding statistics, such as the number of Critical findings for the image. To drill down and review supporting data for finding statistics, choose the image tag for the image.
Assessing coverage of Amazon ECR container images
The Images tab shows Amazon ECR container images in your AWS environment. The lists are organized into groups on the following tabs:
- All – Shows all the container images in your environment. The Status field indicates the current scanning status for an image. For a list of possible status values and a description of each one, see Assessing the scanning status of individual resources.
- Activated – Shows all the container images that Amazon Inspector is configured to monitor and scan in your environment. The Status field indicates the current scanning status for an image.
- Not activated – Shows all the container images that Amazon Inspector is not monitoring and scanning in your environment. The Reason field indicates why Amazon Inspector is not monitoring and scanning an image.
A container image can appear on the Not activated tab for any of several reasons. The image might be stored in a repository for which Amazon Inspector scans are not activated, or Amazon ECR filtering rules might prevent that repository from being scanned. Or a new image has not been pushed within the duration that you specified for automated re-scans of images in the repository. For more information, see Scanning Amazon ECR container images.
On each tab, the Repository name field specifies the name of the repository that stores a container image. The Account field specifies the AWS account that owns the repository.
To review additional details about a container image, choose the link in the ECR container image field. Amazon Inspector then displays details about the image and current findings for the image. To review the details of a finding, choose the link in the Title field. For information about these details, see Finding details.
Assessing coverage of AWS Lambda functions
The Lambda tab shows Lambda functions in your AWS environment. This page has two tables, one that shows function coverage details for Lambda standard scanning and another for Lambda code scanning. You can group functions based on the following tabs:
- All – Shows all the Lambda functions in your environment. The Status field indicates the current scanning status for a Lambda function. For a list of possible status values and a description of each one, see Assessing the scanning status of individual resources.
- Scanning – Shows the Lambda functions that Amazon Inspector is configured to scan. The Status field indicates the current scanning status for each Lambda function.
- Not scanning – Shows the Lambda functions that Amazon Inspector is not configured to scan. The Reason field indicates why Amazon Inspector is not monitoring and scanning a function.
A Lambda function can appear on the Not scanning tab for several reasons. The Lambda function might belong to an account that hasn't been added to Amazon Inspector, or filtering rules might prevent this function from being scanned. For more information, see Scanning AWS Lambda functions.
On each tab, the Function name field specifies the name of the Lambda function. The Account field specifies the AWS account that owns the function. Runtime specifies the function's runtime. The Status field indicates the current scanning status for each Lambda function. Resource tags shows the tags that have been applied to the function.
Assessing the scanning status of individual resources
By using the Instances, Repositories, and Images tabs on the Account management page, you can check the status of Amazon Inspector scanning for individual resources of a specified type: choose All on the appropriate tab, and then refer to the Status field. The Status field indicates the current status of Amazon Inspector scanning for a resource.
Amazon EC2 instances
For an Amazon Elastic Compute Cloud (Amazon EC2) instance, the possible Status values are:
- Actively monitoring – Amazon Inspector is continuously monitoring and scanning the instance.
- EC2 instance stopped – Amazon Inspector paused scanning for the instance because the instance is in a stopped state. Any existing findings will persist until the instance is terminated. If the instance is restarted, Amazon Inspector will automatically resume scanning for the instance.
- Internal error – An internal error occurred when Amazon Inspector attempted to scan the instance. Amazon Inspector will automatically address the error and resume scanning as soon as possible.
- No inventory – Amazon Inspector couldn’t find the software application inventory to scan for the instance. The Amazon Inspector associations for the instance might have been deleted or they might have failed to run.
  To remediate this issue, use AWS Systems Manager to ensure that the InspectorInventoryCollection-do-not-delete association exists and its association status is successful. In addition, use AWS Systems Manager Fleet Manager to verify the software application inventory for the instance.
- Pending disable – Amazon Inspector has stopped scanning the instance. The instance is being disabled, pending completion of clean-up tasks.
- Pending initial scan – Amazon Inspector has queued the instance for an initial scan.
- Resource terminated – The instance was terminated. Amazon Inspector is currently cleaning up existing findings and coverage data for the instance.
- Stale inventory – Amazon Inspector wasn’t able to collect an updated software application inventory that was captured within the past 7 days for the instance.
  To remediate this issue, use AWS Systems Manager to ensure that the required Amazon Inspector associations exist and are running for the instance. In addition, use AWS Systems Manager Fleet Manager to verify the software application inventory for the instance.
- Unmanaged EC2 instance – Amazon Inspector isn’t monitoring or scanning the instance. The instance isn’t managed by AWS Systems Manager.
  To remediate this issue, you can use the AWSSupport-TroubleshootManagedInstance runbook provided by AWS Systems Manager Automation. After you configure AWS Systems Manager to manage the instance, Amazon Inspector will automatically begin to continuously monitor and scan the instance.
- Unsupported OS – Amazon Inspector isn’t monitoring or scanning the instance. The instance uses an operating system or architecture that Amazon Inspector doesn’t support. For a list of operating systems that Amazon Inspector supports, see Operating system support for Amazon EC2 scanning.
For details about configuring the scanning settings for an EC2 instance, see Scanning Amazon EC2 instances.
Amazon ECR repositories and container images
For an Amazon Elastic Container Registry (Amazon ECR) repository or container image, the possible Status values are:
- Activated (Continuous) – For a repository, Amazon Inspector is continuously monitoring and scanning container images in the repository. The enhanced scanning setting for the repository is set to continuous scanning. Continuous scanning includes an initial scan of new images when they are pushed to the repository and automated re-scans of images in the repository.
  For a container image, Amazon Inspector is continuously monitoring and scanning the image. Enhanced scanning is enabled for the repository that stores the image, and the enhanced scanning setting for the repository is set to continuous scanning.
- Access denied – Amazon Inspector isn’t allowed to access the repository or any container images in the repository.
  To remediate this issue, ensure that AWS Identity and Access Management (IAM) policies for the repository allow Amazon Inspector to access the repository.
- Deactivated (Manual) – Amazon Inspector isn’t monitoring or scanning any container images in the repository. The Amazon ECR scanning setting for the repository is set to basic, manual scanning.
  To start scanning images in the repository with Amazon Inspector, change the scanning setting for the repository to enhanced scanning, and then choose whether to scan images continuously or only when a new image is pushed.
- Activated (On push) – For a repository, Amazon Inspector automatically scans individual container images in the repository when a new image is pushed. The enhanced scanning setting for the repository is set to scan on push.
  For a container image, Amazon Inspector automatically scans the image each time a new image is pushed. Enhanced scanning is activated for the repository that stores the image, and the enhanced scanning setting for the repository is set to scan on push.
- Internal error – An internal error occurred when Amazon Inspector attempted to scan the repository or container image. Amazon Inspector will automatically address the error and resume scanning as soon as possible.
- Pending initial scan – This status doesn't apply to repositories. For a container image, Amazon Inspector has queued the image for an initial scan.
- Scan eligibility expired (Continuous) – This status doesn't apply to repositories. For a container image, Amazon Inspector suspended scanning for the image. The image hasn’t been updated within the duration that you specified for automated re-scans of images in the repository. To resume scanning for the image, update the image.
- Scan eligibility expired (On push) – This status doesn't apply to repositories. For a container image, Amazon Inspector suspended scanning for the image. The image hasn’t been updated within the duration that you specified for automated re-scans of images in the repository. To resume scanning for the image, update the image.
- Scan frequency manual (Manual) – Amazon Inspector doesn’t scan the Amazon ECR container image. The Amazon ECR scanning setting for the repository that stores the image is set to basic, manual scanning. To start scanning the image automatically with Amazon Inspector, change the repository setting to enhanced scanning, and then choose whether to scan images continuously or only when a new image is pushed.
- Unsupported OS – This status doesn't apply to repositories. For a container image, Amazon Inspector isn’t monitoring or scanning the image. The image is based on an operating system that Amazon Inspector doesn't support, or it uses a media type that Amazon Inspector doesn’t support.
  For a list of operating systems that Amazon Inspector supports, see Operating system support for Amazon ECR scanning. For a list of media types that Amazon Inspector supports, see Supported media types.
For details about configuring the scanning settings for repositories and images, see Scanning Amazon ECR container images.
AWS Lambda functions
For a Lambda function, the possible Status values are:
- Actively monitoring – Amazon Inspector is continuously monitoring and scanning Lambda functions. Continuous scanning includes an initial scan of new functions when they are pushed to the repository and automated re-scans of functions when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are released.
- Excluded by tag – Amazon Inspector isn’t scanning this function because it has been excluded from scans by tags.
- Scan eligibility expired – Amazon Inspector is not monitoring this function because it has been 90 days or more since it was last invoked or updated.
- Internal error – An internal error occurred when Amazon Inspector attempted to scan the function. Amazon Inspector will automatically address the error and resume scanning as soon as possible.
- Pending initial scan – Amazon Inspector has queued the function for an initial scan.
- Unsupported – The Lambda function has an unsupported runtime.