Suppressing Amazon Inspector findings with suppression rules - Amazon Inspector

You can use suppression rules to automatically exclude Amazon Inspector findings that match specified criteria. For example, you can create a rule to suppress all findings with a low vulnerability score, so that the default view shows only the findings that matter most to you. A suppression rule is purely a view filter: it does not change the finding itself and does not stop Amazon Inspector from generating findings that match the rule.

If Amazon Inspector generates a new finding that matches a suppression rule, the service automatically sets the status of the finding to Suppressed. The findings that match suppression rule criteria don't appear by default.

Amazon Inspector stores suppressed findings until they are remediated. Amazon Inspector detects remediated findings and closes them automatically. Closed findings are stored for 30 days and then deleted if there is no further activity on the finding.

Suppressed findings are still published as events to AWS Security Hub, but they are not published to Amazon EventBridge. Any automation that consumes Amazon Inspector findings through EventBridge therefore never sees a finding while it is suppressed, while Security Hub does. Review a suppression rule as carefully as the findings it hides.

Suppression rules don't close or remediate a finding. They only affect whether the finding appears in the list by default, and you can view suppressed findings at any time in the Amazon Inspector console. If Amazon Inspector detects that a suppressed finding's issue was remediated, it changes the finding's status to Closed.

Creating a suppression rule

You can create suppression rules to filter the list of findings that are shown by default.

To create a suppression rule

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. In the navigation pane, choose Suppression rules. Then choose Create rule.

  3. For each criterion, do the following:

    • Select the filter bar to see a list of filter criteria that you can add to your suppression rule.

    • Select the filter criteria for your suppression rule.

  4. When you have finished adding criteria, enter a name for the rule and an optional description.

  5. Choose Save rule. Amazon Inspector immediately applies the new suppression rule and hides existing and new findings that match the criteria.
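The same rule can be created programmatically, because a suppression rule is an Inspector2 filter whose action is SUPPRESS. The following is an added example (not code from this page or from AWS) using the boto3 inspector2 client's create_filter and list_findings calls. The filterCriteria keys (severity, inspectorScore, resourceTags, findingStatus) and the comparison operators EQUALS, NOT_EQUALS and PREFIX are those of the Inspector2 API; the local preview matcher is this example's own reading of how criteria combine (different keys AND together, several values under one key OR together) and is an assumption for dry-running a rule before you save it, not the service's own logic. The sample findings are constructed.

```python
"""Build an Amazon Inspector suppression rule (an Inspector2 filter with
action SUPPRESS) and dry-run locally which findings it would hide.

Added example, not AWS documentation code. ASSUMPTION: the matcher below
combines criteria keys with AND and the values under one key with OR;
verify against the Inspector2 API reference before relying on it.
"""

from typing import Any


def build_sandbox_low_severity_criteria() -> dict[str, list[dict[str, Any]]]:
    """Criteria for the rule in the text (suppress LOW findings), narrowed to
    resources tagged env=sandbox so the rule cannot hide a low finding on
    production. Adding a key makes the rule stricter, never broader."""
    return {
        "severity": [{"comparison": "EQUALS", "value": "LOW"}],
        "resourceTags": [{"comparison": "EQUALS", "key": "env", "value": "sandbox"}],
    }


def _string_match(op: str, want: str, have: str) -> bool:
    """Inspector2 StringFilter comparison operators."""
    if op == "EQUALS":
        return have == want
    if op == "NOT_EQUALS":
        return have != want
    if op == "PREFIX":
        return have.startswith(want)
    raise ValueError(f"unsupported comparison {op!r}")


def _criterion_matches(key: str, filters: list[dict], finding: dict) -> bool:
    """One criterion key matches when ANY of its filter entries matches (assumed OR)."""
    if key == "resourceTags":  # MapFilter: key/value on the first resource's tags
        tags = (finding.get("resources") or [{}])[0].get("tags", {})
        return any(
            f["key"] in tags and _string_match(f["comparison"], f["value"], tags[f["key"]])
            for f in filters
        )
    if key == "inspectorScore":  # NumberFilter: inclusive numeric range
        score = finding.get("inspectorScore")
        return score is not None and any(
            f.get("lowerInclusive", float("-inf")) <= score <= f.get("upperInclusive", float("inf"))
            for f in filters
        )
    # String-valued top-level fields such as severity, findingType, findingStatus
    have = finding.get(key)
    return have is not None and any(
        _string_match(f["comparison"], f["value"], have) for f in filters
    )


def matches_criteria(finding: dict, criteria: dict) -> bool:
    """A finding is suppressed only when EVERY criterion key matches (assumed AND)."""
    return all(_criterion_matches(k, v, finding) for k, v in criteria.items())


def create_suppression_rule(client, name: str, criteria: dict, description: str = "") -> str:
    """Create the rule with a boto3 inspector2 client; returns the filter ARN."""
    resp = client.create_filter(
        action="SUPPRESS", name=name, description=description, filterCriteria=criteria
    )
    return resp["arn"]


def list_suppressed_findings(client) -> list[dict]:
    """Pull findings with status SUPPRESSED, which the default view hides."""
    criteria = {"findingStatus": [{"comparison": "EQUALS", "value": "SUPPRESSED"}]}
    out, token = [], None
    while True:
        kwargs: dict[str, Any] = {"filterCriteria": criteria}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        out.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return out


# Constructed sample findings, trimmed to the fields the matcher reads.
SAMPLE_FINDINGS = [
    {"findingArn": "finding/a", "severity": "LOW", "inspectorScore": 3.1,
     "resources": [{"tags": {"env": "sandbox"}}]},
    {"findingArn": "finding/b", "severity": "LOW", "inspectorScore": 3.7,
     "resources": [{"tags": {"env": "prod"}}]},
    {"findingArn": "finding/c", "severity": "HIGH", "inspectorScore": 8.8,
     "resources": [{"tags": {"env": "sandbox"}}]},
]


def preview(criteria: dict, findings: list[dict] = SAMPLE_FINDINGS) -> dict[str, bool]:
    """Dry run: map each finding ARN to whether the rule would suppress it."""
    return {f["findingArn"]: matches_criteria(f, criteria) for f in findings}


if __name__ == "__main__":
    for arn, hidden in preview(build_sandbox_low_severity_criteria()).items():
        print(f"{arn}: {'suppressed' if hidden else 'active'}")
```

Run the preview against a recent export of your own findings before calling create_suppression_rule with a real client (for example boto3.client("inspector2")); the prod LOW finding in the sample stays active only because the resourceTags criterion narrows the rule, which is the check worth making on every rule that is keyed on severity or score alone.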

Viewing suppressed findings

By default, Amazon Inspector does not display suppressed findings in the Amazon Inspector console. However, you can view the findings suppressed by a particular rule.

To view suppressed findings

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. In the navigation pane, select Suppression rules.

  3. In the suppression rules list, select the title of the rule.

Changing suppression rules

You can make changes to suppression rules at any time.

To modify suppression rules

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. In the navigation pane, select Suppression rules.

  3. Select the title of the suppression rule that you want to modify.

  4. Make the intended changes, then choose Save to update the rule.

Deleting suppression rules

You can delete suppression rules. If you delete a suppression rule, Amazon Inspector stops suppressing new and existing occurrences of findings that meet the rule criteria and that aren't suppressed by other rules.

After you delete a suppression rule, new and existing occurrences of findings that met the rule's criteria have a status of Active. This means that they appear by default on the Amazon Inspector console. In addition, Amazon Inspector publishes these findings to AWS Security Hub and Amazon EventBridge as events.

To delete a suppression rule

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. In the navigation pane, select Suppression rules.

  3. Select the check box next to the title of the suppression rule that you want to delete.

  4. Choose Delete, and then confirm your choice to permanently delete the rule.