Scanning Amazon EC2 instances with Amazon Inspector

Amazon Inspector EC2 scanning extracts metadata from your EC2 instance, then, compares this metadata against rules collected from security advisories to produce findings. Amazon Inspector scans instances for package vulnerabilities and for network reachability issues. For information about the types of findings produced for these issues, see Finding types in Amazon Inspector.

Amazon Inspector performs network reachability scans once every 24 hours, while package vulnerability scans are performed on a variable cadence depending on the scan method associated with the instance.

Scan methods

Package vulnerability scans can be performed using an agent-based or agentless scan method. These scan methods determine how and when Amazon Inspector collects the software inventory from an EC2 instance for package vulnerability scans. The agent-based method relies on the SSM agent to collect software inventory, while the agentless method uses Amazon EBS snapshots instead of an agent.

The scan methods used by Amazon Inspector depend on your account's scan mode setting, For more information see, Managing scan mode.

To activate Amazon EC2 scans see Activating a scan type.

Agent-based scanning

Agent-based scans are performed continuously using the SSM agent on all eligible instances. For agent-based scans, Amazon Inspector uses SSM associations, and plugins installed through these associations, to collect software inventory from your instances. In addition to package vulnerability scans for operating system packages, Amazon Inspector agent-based scanning can also detect package vulnerabilities for application programming language packages in Linux-based instances through Amazon Inspector deep inspection for Amazon EC2 Linux instances.

The following process explains how Amazon Inspector uses SSM to collect inventory and perform agent-based scans:

1. Amazon Inspector creates SSM associations in your account to collect inventory from your instances. For some Instance types (Windows, and Linux), these associations install plugins on individual instances to collect inventory.

2. Using SSM, Amazon Inspector extracts package inventory from an instance.

3. Amazon Inspector evaluates the extracted inventory and generates findings for any detected vulnerabilities.

Eligible instances

Amazon Inspector will use the agent-based method to scan an instance if it meets the following conditions:

• The instance has a supported OS. For a list of supported OS see the Agent-based scan support column of Supported operating systems: Amazon EC2 scanning.

• The instance is not excluded from scans by Amazon Inspector EC2 exclusion tags.

• The instance is SSM managed. For instructions on verifying and configuring the agent, see Configuring the SSM Agent.

Agent-based scan behaviors

When using the agent-based scan method, Amazon Inspector initiates new vulnerability scans of EC2 instances in the following situations:

• When you launch a new EC2 instance.

• When you install new software on an existing EC2 instance (Linux and Mac).

• When Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your EC2 instance (Linux and Mac).

Amazon Inspector updates the Last scanned field for an EC2 instance when an initial scan is completed. After this, the Last scanned field is updated when Amazon Inspector evaluates SSM inventory (every 30 minutes by default), or when an instance is re-scanned because a new CVE impacting that instance was added to the Amazon Inspector database.

You can check when an EC2 instance was last scanned for vulnerabilities from the Instances tab on the Account management page, or by using the ListCoverage command.

Configuring the SSM Agent

In order for Amazon Inspector to detect software vulnerabilities for an Amazon EC2 instance using the agent-based scan method, the instance must be a managed instance in Amazon EC2 Systems Manager (SSM). An SSM managed instance has the SSM Agent installed and running, and SSM has permission to manage the instance. If you are already using SSM to manage your instances, no other steps are needed for agent-based scans.

The SSM Agent is installed by default on EC2 instances created from some Amazon Machine Images (AMIs). For more information, see About SSM Agent in the AWS Systems Manager User Guide. However, even if it's installed, you may need to activate the SSM Agent manually, and grant SSM permission to manage your instance.

The following procedure describes how to configure an Amazon EC2 instance as a managed instance using an IAM instance profile. The procedure also provides links to more detailed information in the AWS Systems Manager User Guide.

AmazonSSMManagedInstanceCore is the recommended policy to use when you attach an instance profile. This policy has all the permissions needed for Amazon Inspector EC2 scanning.

Note

You can also automate SSM management of all your EC2 instances, without the use of IAM instance profiles using SSM Default Host Management Configuration. For more information, see Default Host Management Configuration.

To configure SSM for an Amazon EC2 instance

1. If it's not already installed by your operating system vendor, install the SSM Agent. For more information, see Working with SSM Agent.

2. Use the AWS CLI to verify that the SSM Agent is running. For more information, see Checking SSM Agent status and starting the agent.

3. Grant permission for SSM to manage your instance. You can grant permission by creating an IAM instance profile and attaching it to your instance. We recommend using the AmazonSSMManagedInstanceCore policy, because this policy has the permissions for SSM Distributor, SSM Inventory and SSM State manager, that Amazon Inspector needs for scans. For instructions on creating an instance profile with these permissions and attaching it an instance, see Configure instance permissions for Systems Manager Systems Manager.

4. (Optional) Activate automatic updates for the SSM Agent. For more information, see Automating updates to SSM Agent.

5. (Optional) Configure Systems Manager to use an Amazon Virtual Private Cloud (Amazon VPC) endpoint. For more information, see Create Amazon VPC endpoints.

Important

Amazon Inspector requires a Systems Manager State Manager association in your account to collect software application inventory. Amazon Inspector automatically creates an association called InspectorInventoryCollection-do-not-delete if one doesn't already exist.

Amazon Inspector also requires a resource data sync and automatically creates one called InspectorResourceDataSync-do-not-delete if one doesn't already exist. For more information, see Configuring resource data sync for Inventory in the AWS Systems Manager User Guide. Each account can have a set number of resource data syncs per Region. For more information, see Maximum number of resource data syncs (per AWS account per Region) in SSM endpoints and quotas. If you have reached this maximum you will need to delete a Resource data syncs, see Managing resource data syncs.

SSM resources created for scanning

Amazon Inspector requires a number of SSM resources in your account to run Amazon EC2 scans. The following resources are created when you first activate Amazon Inspector EC2 scanning:

Note

If any of these SSM resources are deleted while Amazon Inspector Amazon EC2 scanning is activated for your account, Amazon Inspector will attempt to recreate them at the next scan interval.

InspectorInventoryCollection-do-not-delete

This is a Systems Manager State Manager (SSM) association that Amazon Inspector uses to collect software application inventory from your Amazon EC2 instances. If your account already has an SSM association for collecting inventory from InstanceIds*, Amazon Inspector will use that instead of creating its own.

InspectorResourceDataSync-do-not-delete

This is a resource data sync that Amazon Inspector uses to send collected inventory data from your Amazon EC2 instances to an Amazon S3 bucket owned by Amazon Inspector. For more information, see Configuring resource data sync for Inventory in the AWS Systems Manager User Guide.

InspectorDistributor-do-not-delete

This is an SSM association Amazon Inspector uses for scanning Windows instances. This association installs the Amazon Inspector SSM plugin on your Windows instances. If the plugin file is inadvertently deleted this association will reinstall it at the next association interval.

InvokeInspectorSsmPlugin-do-not-delete

This is an SSM association Amazon Inspector uses for scanning Windows instances. This association allows Amazon Inspector to initiate scans using the plugin, you can also use it to set custom intervals for scans of Windows instances. For more information, see Setting custom schedules for Windows instance scans.

InspectorLinuxDistributor-do-not-delete

This is an SSM association that Amazon Inspector uses for Amazon EC2 Linux deep inspection. This association installs the Amazon Inspector SSM plugin on your Linux instances.

InvokeInspectorLinuxSsmPlugin-do-not-delete

This is an SSM association Amazon Inspector uses for Amazon EC2 Linux deep inspection. This association allows Amazon Inspector to initiate scans using the plugin.

Note

When you deactivate Amazon Inspector Amazon EC2 scanning or deep inspection, the SSM resource InvokeInspectorLinuxSsmPlugin-do-not-delete is no longer invoked.

Agentless scanning

Amazon Inspector uses an agentless scanning method on eligible instances when your account is in the hybrid scanning mode (which includes both agent-based and agentless scans). For agentless scans, Amazon Inspector uses EBS snapshots to collect a software inventory from your instances. Instances scanned using the agentless method are scanned for both operating system package, and application programming language package vulnerabilities.

Note

When scanning Linux instances for application programming language package vulnerabilities, the agentless method scans all available paths, whereas agent-based scanning only scans the default paths and additional paths you specify as part of Amazon Inspector deep inspection for Amazon EC2 Linux instances. This may result in the same instance having different findings depending on whether it is scanned using the agent-based method or agentless method.

The following process explains how Amazon Inspector uses EBS snapshots to collect inventory and perform agentless scans:

1. Amazon Inspector creates an EBS snapshot of all volumes attached to the instance. While Amazon Inspector is using it, the snapshot is stored in your account and tagged with InspectorScan as a tag key, and a unique scan ID as the tag value.

2. Amazon Inspector retrieves data from the snapshots using EBS direct APIs and evaluates them for vulnerabilities. Findings are generated for any detected vulnerabilities.

3. Amazon Inspector deletes the EBS snapshots it created in your account.

Eligible instances

Amazon Inspector will use the agentless method to scan an instance if it meets the following conditions:

• The instance has a supported OS. For a list of supported OS see the Agent-based scan support column of Supported operating systems: Amazon EC2 scanning.

• The instance is not excluded from scans by Amazon Inspector EC2 exclusion tags.

• The instance has a status of Unmanaged EC2 instance, Stale inventory, or No inventory.

• The instance is EBS-backed and has one of the following file system formats:

  • ext3

  • ext4

  • xfs

Agentless scan behaviors

When your account is configured for Hybrid scanning, Amazon Inspector performs agentless scans on eligible instances every 24 hours. Amazon Inspector detects and scans newly eligible instances every hour, which includes new instances without SSM agents, or pre-existing instances with statuses that have changed to SSM_UNMANAGED.

Amazon Inspector updates the Last scanned field for an Amazon EC2 instance whenever it scans extracted snapshots from an instance after an agentless scan.

You can check when an EC2 instance was last scanned for vulnerabilities from the Instances tab on the Account management page, or by using the ListCoverage command.

Managing scan mode

Your EC2 scan mode determines which scan methods Amazon Inspector will use when performing EC2 scans in your account. You can view the scan mode for your account from the EC2 scanning settings page under General settings. Standalone accounts or Amazon Inspector delegated administrators can change the scan mode. When you set the scan mode as the Amazon Inspector delegated administrator that scan mode is set for all member accounts in your organization. Amazon Inspector has the following scan modes:

Agent-based scanning – In this scan mode, Amazon Inspector will exclusively use the agent-based scan method when scanning for package vulnerabilities. This scan mode only scans SSM managed instances in your account, but has the benefit of providing continuous scans in response to new CVE’s or changes to the instances. Agent-based scanning also provides Amazon Inspector deep Inspection for eligible instances. This is the default scan mode for newly activated accounts.

Hybrid scanning – In this scan mode, Amazon Inspector uses a combination of both agent-based and agentless methods to scan for package vulnerabilities. For eligible EC2 instances that have the SSM agent installed and configured, Amazon Inspector uses the agent-based method. For eligible instances that aren't SSM managed, Amazon Inspector will use the agentless method for eligible EBS-backed instances.

To change the scan mode

1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

2. Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to change your EC2 scan mode.

3. From the side navigation panel, under General settings, select EC2 scanning settings.

4. Under Scan Mode, select Edit.

5. Choose a scan mode and then select Save changes.

Excluding instances from Amazon Inspector scans

You can tag certain instances to exclude them from Amazon Inspector scans. Excluding instances from scans can help prevent unactionable alerts. You are not charged for excluded instances.

To exclude an EC2 instance from scans, tag that instance with the following key:

• InspectorEc2Exclusion

Value is optional.

For more information about adding tags, see Tag your Amazon EC2 resources.

Additionally, you can exclude an encrypted EBS volume from agentless scans by tagging the AWS KMS key used to encrypt that volume with the InspectorEc2Exclusion tag. For more information, see Tagging keys

Supported operating systems

Amazon Inspector scans supported Mac, Windows, and Linux EC2 instance for vulnerabilities in operating system packages. For Linux instances, Amazon Inspector can produce findings for application programming language packages using Amazon Inspector deep inspection for Amazon EC2 Linux instances. For Mac and Windows instances only operating system packages are scanned.

For information about supported operating systems, including which operating system can be scanned without an SSM agent, see Supported operating systems for Amazon EC2 scanning.