Getting started with Amazon Inspector
This section provides information to consider before activating Amazon Inspector and a getting started tutorial describing how to activate Amazon Inspector and view your findings in the Amazon Inspector console and with the Amazon Inspector API.
Before activating Amazon Inspector
Before activating Amazon Inspector, consider the following:
Amazon Inspector is a Regional service
Your data is stored in the AWS Region where you activate Amazon Inspector. Repeat the steps in the first part of the getting started tutorial for all AWS Regions where you plan to use Amazon Inspector.
Amazon Inspector creates the service-linked roles AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless
A service-linked role is a role in AWS Identity and Access Management (IAM) that's linked to an AWS service. AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless allow Amazon Inspector to access the AWS services required to perform security assessments.
IAM identities with administrator permissions can enable Amazon Inspector
Protect your credentials by creating users with IAM or AWS IAM Identity Center. This helps you make sure users only have the permissions required to manage Amazon Inspector. For more information, see AWS managed policy: AmazonInspectorFullAccess.
Hybrid scanning is automatically enabled
Hybrid scanning includes agent-based scanning and agentless scanning. By default, Amazon Inspector uses these scan methods on all eligible Amazon EC2 instances. For more information, see Scanning Amazon EC2 instances with Amazon Inspector.
Amazon ECR scanning and Lambda function scanning don't require the SSM agent
Agent-based scanning uses the SSM agent to collect software inventory. Agentless scanning uses Amazon EBS snapshots to collect software inventory.
Note
By default, the SSM agent is already installed in Amazon EC2 instances based on Amazon Machine Images. However, you might need to activate the SSM agent manually in some cases. For more information, see Working with the SSM agent in the AWS Systems Manager User Guide.
Monthly costs are based on workloads scanned
For more information, see Amazon Inspector pricing.
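The considerations above, applied from the AWS CLI (an added example, not code from the Amazon Inspector documentation): the script activates Amazon Inspector (the inspector2 API) for EC2, ECR and Lambda in each Region you name, checks that the two service-linked roles exist, and lists running EC2 instances that have not registered with SSM, where only agentless scanning can collect inventory. It assumes AWS CLI v2 configured with an identity holding AmazonInspectorFullAccess; the function names are my own.

```shell
#!/bin/sh
# Example (not AWS docs): activate Amazon Inspector per Region and check the
# page's preconditions. Assumes AWS CLI v2 and AmazonInspectorFullAccess.
set -eu

# Amazon Inspector is Regional, so resource types are enabled per Region.
RESOURCE_TYPES="EC2 ECR LAMBDA"

# Enable scanning in one Region, then print the EC2/ECR/Lambda status that
# BatchGetAccountStatus reports for this account.
enable_inspector_in_region() {
  region="$1"
  aws inspector2 enable --region "$region" --resource-types $RESOURCE_TYPES >/dev/null
  aws inspector2 batch-get-account-status --region "$region" --output text \
    --query 'accounts[0].resourceState.[ec2.status,ecr.status,lambda.status]'
}

# The service-linked roles created on activation (IAM is global: check once).
service_linked_roles_exist() {
  for role in AWSServiceRoleForAmazonInspector2 AWSServiceRoleForAmazonInspector2Agentless; do
    aws iam get-role --role-name "$role" >/dev/null || return 1
  done
  return 0
}

# Running EC2 instances not registered with SSM: agent-based scanning cannot
# collect inventory there, so only agentless (EBS snapshot) scanning applies.
instances_without_ssm_agent() {
  region="$1"
  managed=$(aws ssm describe-instance-information --region "$region" \
    --query 'InstanceInformationList[].InstanceId' --output text)
  running=$(aws ec2 describe-instances --region "$region" \
    --filters Name=instance-state-name,Values=running \
    --query 'Reservations[].Instances[].InstanceId' --output text)
  for id in $running; do
    found=no
    for m in $managed; do [ "$m" = "$id" ] && found=yes; done
    [ "$found" = no ] && echo "$id"
  done
  return 0
}

main() {
  service_linked_roles_exist || echo "service-linked roles not visible yet"
  for region in "$@"; do
    echo "$region: $(enable_inspector_in_region "$region")"
    instances_without_ssm_agent "$region" | sed "s/^/$region: no SSM agent: /"
  done
}
if [ -n "${INSPECTOR_REGIONS:-}" ]; then main $INSPECTOR_REGIONS; fi
```

Run it as `INSPECTOR_REGIONS="us-east-1 eu-west-1" sh enable-inspector.sh`, once per account, listing every Region where you plan to use Amazon Inspector.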