Getting started with Amazon Inspector

This tutorial provides a quick setup method to help you get started with Amazon Inspector.

Step 1 covers enabling Amazon Inspector scans for a standalone account, or as an Amazon Inspector delegated administrator with AWS Organizations in a multi-account environment.

In Step 2, you gain hands-on experience explore your findings in the console.

Note

In this tutorial, you complete tasks in your current Region. To set up Amazon Inspector in other Regions, you must complete these steps in those Regions.

Before you begin

Amazon Inspector is a vulnerability management service that continually scans your Amazon EC2 instances and Amazon ECR container images for software vulnerabilities and unintended network exposure.

Note the following before you enable Amazon Inspector:

• Amazon Inspector is a Regional service. Any of the configuration procedures that you complete in this tutorial must be repeated in each Region that you want to monitor with Amazon Inspector.

• Amazon Inspector gives you the flexibility to enable either EC2 scanning or ECR container image scanning, or both. You can manage the scanning types from the account management page within the Amazon Inspector console or using Amazon Inspector APIs.

• Amazon Inspector can provide common vulnerabilities and exposures (CVE) data for your Amazon EC2 instances only if the Amazon EC2 Systems Manager (SSM) agent is installed and enabled. This agent is preinstalled on many Amazon EC2 instances, but you might need to enable it manually. Regardless of SSM agent status, all of your Amazon EC2 instances are scanned for network reachability issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances.

• Any user with administrator permissions in an AWS account can enable Amazon Inspector. However, following the security best practice of least privilege, we recommend that you create an IAM user, role, or group specifically to manage Amazon Inspector. For information on the permissions required to enable Amazon Inspector, see AWS managed policy: AmazonInspector2FullAccess.

• When you enable Amazon Inspector for the first time in any Region, it creates a service-linked role globally for your account called AWSServiceRoleForAmazonInspector2. This role includes the permissions and the trust policies that allow Amazon Inspector to collect software package details and analyze VPC configurations in order to generate vulnerability findings. For more information, see Using service-linked roles for Amazon Inspector. For more information about service-linked roles, see Using service-linked roles.

Step 1: Enable Amazon Inspector

The first step to using Amazon Inspector is to enable it in your account. After you enable any Amazon Inspector scan type, Amazon Inspector immediately begins discovering and scanning all eligible resources.

If you want to manage Amazon Inspector for multiple accounts within your organization through a centralized administrator account, you must assign a delegated administrator for Amazon Inspector. Choose one of the following options to learn how to enable Amazon Inspector for your environment.

Standalone account environment

1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

2. Choose Get Started.

3. Choose Enable Amazon Inspector.

When you enable Amazon Inspector in a standalone account, all scan types are enabled by default. You can manage enabled scan types from the account management page within the Amazon Inspector console or by using Amazon Inspector APIs. After Amazon Inspector is enabled, it automatically discovers and begins scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:

Amazon EC2 scanning

To provide common vulnerabilities and exposures (CVE) data for your EC2 instance, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be installed and enabled. This agent is pre-installed on many EC2 instances, but you may need to enable it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network reachability issues. For more information on configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning

When you enable Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continual scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning, this ECR scan setting can be changed at any time. For more information on configuring scans for Amazon ECR, see Scanning Amazon ECR container images with Amazon Inspector.

Multi-account environment

Important

To complete these steps, you must be in the same organization as all the accounts you want to manage and have access to the AWS Organizations management account in order to delegate an administrator for Amazon Inspector within your organization. Additional permissions may be required to delegate an administrator. For more information, see Permissions required to designate a delegated administrator.

To delegate an administrator for Amazon Inspector

1. Log in to the AWS Organizations management account.

2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

3. Within the Delegated administrator pane, enter the twelve-digit ID of the AWS account that you want to designate as the Amazon Inspector delegated administrator for the organization. Then choose Delegate administration.

   Note

   Amazon Inspector is enabled for your account when you delegate an administrator.

Amazon Inspector currently offers scans for EC2 instances and scans for ECR container images. After you enable Amazon Inspector, it automatically begins discovering and scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:

Amazon EC2 scanning

To provide CVE vulnerability data for your EC2 instance, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be installed and enabled. This agent is pre-installed on many Amazon EC2 instances, but you may need to enable it manually. Regardless of SSM agent status, all of your Amazon EC2 instances will be scanned for network reachability issues. For more information on configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning

When you enable Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continuous scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning, this ECR scan setting can be changed by the delegated administrator at any time. For more information on configuring scans for Amazon ECR, see Scanning Amazon ECR container images with Amazon Inspector.

To add member accounts

As a delegated administrator you can enable Amazon EC2 scanning, Amazon ECR scanning, or both, for any member associated with the Organizations management account. This workflow enables scans for all member accounts. However, members can also enable Amazon Inspector for their own accounts, or the service can be selectively enabled by the delegated administrator. For more information, see Managing multiple accounts.

1. Log in to the delegated administrator account.

2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

3. In the navigation pane, choose Account Management. The Accounts table displays all of the member accounts associated with the Organizations management account.

4. From the Account Management page, you can choose Enable scanning for all accounts from the top banner to enable both Amazon EC2 instance and Amazon ECR container image scanning for all accounts in your organization. Alternatively, you can choose the accounts that you want to add as members by selecting them in the Accounts table. Then from the Enable menu, select All scanning.

5. (Optional) Turn on the Auto-enable feature and select the scan types to include to enable those scans for any new member accounts that are added to your organization.

Step 2: View Amazon Inspector findings

You can view findings for your environment in the Amazon Inspector console or through the API. All findings are also pushed to Amazon EventBridge and AWS Security Hub (if enabled). Additionally, container image findings are pushed to Amazon ECR.

The Amazon Inspector console offers several different viewing formats for your findings. The Amazon Inspector dashboard gives you a high-level overview of risks to your environment, while the Findings table lets you view the details of a specific finding.

In this step, you explore the details of a finding using the Findings table and Findings dashboard. For information on the Amazon Inspector dashboard, see Understanding the dashboard.

To view details of findings for your environment in the Amazon Inspector console:

1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

2. From the navigation pane, select Dashboard. You can select any of the links in the dashboard to navigate to a page in the Amazon Inspector console with more details on that item.

3. From the navigation pane, select Findings.

4. By default you will see the All findings tab, which displays all EC2 instance and ECR container image findings for your environment.

5. In the Findings list, choose a finding name in the Title column to open the details pane for that finding. All findings have a Finding details tab. You can interact with the Finding details tab in the following ways:

   • For more details on the vulnerability, follow the link in the Vulnerability details section to open the documentation for this vulnerability.

   • To further investigate your resource, follow the Resource ID link in the Resource affected section to open the service console for the affected resource.

   Package vulnerability type findings also have an Inspector Score Breakdown tab explaining how the Amazon Inspector score was calculated for that finding. For more details on finding types, see Finding types in Amazon Inspector.