Getting started with Amazon Inspector

This tutorial provides a hands-on introduction to Amazon Inspector.

Step 1 covers activating Amazon Inspector scans for a standalone account or as an Amazon Inspector delegated administrator with AWS Organizations in a multi-account environment.

Step 2 covers understanding Amazon Inspector findings in the console.

Note

In this tutorial, you complete tasks in your current AWS Region. To set up Amazon Inspector in other Regions, you must complete these steps in each of those Regions.

Before you begin

Amazon Inspector is a vulnerability management service that continually scans your Amazon EC2 instances, Amazon ECR container images, and AWS Lambda functions for software vulnerabilities and unintended network exposure.

Note

Be aware of the following before you activate Amazon Inspector.

  • Amazon Inspector is a Regional service. Data is stored in the AWS Region where you want to use the service. You must repeat the procedures you complete in this tutorial in each AWS Region where you want to use Amazon Inspector.

  • With Amazon Inspector, you can activate Amazon EC2 instance, Amazon ECR container image, and AWS Lambda function scanning. You can manage your scanning preferences from the account management page in the Amazon Inspector console or using Amazon Inspector APIs.

  • Amazon Inspector can provide Common Vulnerabilities and Exposures (CVE) data for your EC2 instances if the Amazon EC2 Systems Manager (SSM) agent is installed and activated. The SSM agent is preinstalled on many EC2 instances, but you might need to activate it manually. Regardless of the SSM agent status, all of your EC2 instances are scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances. Amazon ECR and AWS Lambda function scanning don't require the use of an agent.

  • Amazon Inspector can use an agentless scanning method on eligible instances if your account is configured for hybrid scanning. For agentless scans, Amazon Inspector uses Amazon EBS snapshots to collect a software inventory from your instances. With agentless scanning, Amazon Inspector scans for operating system package vulnerabilities and programming language package vulnerabilities.

  • An IAM user identity with administrator permissions in an AWS account can enable Amazon Inspector. For data protection purposes, we recommend that you protect your credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to manage Amazon Inspector. For information about the permissions required to enable Amazon Inspector, see AWS managed policy: AmazonInspector2FullAccess.

  • When you activate Amazon Inspector for the first time in any Region, it creates service-linked roles globally for your account called AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless. These roles include the permissions and trust policies that allow Amazon Inspector to collect software package details and analyze Amazon VPC configurations in order to generate vulnerability findings. For more information, see Using service-linked roles for Amazon Inspector. For more information about service-linked roles, see Using service-linked roles.

Step 1: Activate Amazon Inspector

The first step to using Amazon Inspector is to activate it for your AWS account. After you activate any Amazon Inspector scan type, Amazon Inspector immediately begins discovering and scanning all eligible resources.

If you want to manage Amazon Inspector for multiple accounts within your organization through a centralized administrator account, you must assign a delegated administrator for Amazon Inspector. Choose one of the following options to learn how to activate Amazon Inspector for your environment.

Standalone account environment

  1. Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Choose Get Started.

  3. Choose Activate Amazon Inspector.

When you activate Amazon Inspector in a standalone account, all scan types are activated by default. You can manage activated scan types from the account management page within the Amazon Inspector console or by using Amazon Inspector APIs. After Amazon Inspector is activated, it automatically discovers and begins scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:

Amazon EC2 scanning

To provide Common Vulnerabilities and Exposures (CVE) data for your EC2 instance, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be installed and activated. This agent is pre-installed on many EC2 instances, but you may need to activate it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning

When you activate Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continual scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning. This Amazon ECR scan setting can be changed at any time. For more information about configuring scans for Amazon ECR, see Scanning Amazon ECR container images with Amazon Inspector.

AWS Lambda function scanning

When you activate AWS Lambda function scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they are deployed, and rescans them when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are published. Amazon Inspector offers two different levels of Lambda function scanning. By default when you first activate Amazon Inspector, Lambda standard scanning is activated, which scans package dependencies in your functions. You can additionally activate Lambda code scanning to scan the developer code in your functions for code vulnerabilities. For more information about configuring Lambda function scanning, see Scanning AWS Lambda functions with Amazon Inspector.

Multi-account environment

Important

To complete these steps, you must be in the same organization as all the accounts you want to manage and have access to the AWS Organizations management account in order to delegate an administrator for Amazon Inspector within your organization. Additional permissions may be required to delegate an administrator. For more information, see Permissions required to designate a delegated administrator.

Note

To programmatically enable Amazon Inspector for multiple accounts in multiple Regions, you can use a shell script developed by Amazon Inspector. For more information on using this script, see the inspector2-enablement-with-cli on GitHub.

Delegating an administrator for Amazon Inspector

  1. Log in to the AWS Organizations management account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  3. Within the Delegated administrator pane, enter the twelve-digit ID of the AWS account that you want to designate as the Amazon Inspector delegated administrator for the organization. Then choose Delegate. Then, in the confirmation window, choose Delegate again.

    Note

    Amazon Inspector is activated for your account when you delegate an administrator.

Adding member accounts

As a delegated administrator you can activate scanning for any member associated with the Organizations management account. This workflow activates all scan types for all member accounts. However, members can also activate Amazon Inspector for their own accounts, or scans for a service can be selectively activated by the delegated administrator. For more information, see Managing multiple accounts.

  1. Log in to the delegated administrator account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  3. In the navigation pane, choose Account Management. The Accounts table displays all of the member accounts associated with the Organizations management account.

  4. From the Account Management page, you can choose Activate scanning for all accounts from the top banner to activate EC2 instance, ECR container image, and AWS Lambda function scanning for all accounts in your organization. Alternatively, you can choose the accounts that you want to add as members by selecting them in the Accounts table. Then from the Activate menu, select All scanning.

  5. (Optional) Turn on the Automatically activate Inspector for new member accounts feature and select the scan types to include to activate those scans for any new member accounts that are added to your organization.

Amazon Inspector currently offers scans for EC2 instances, ECR container images, and AWS Lambda functions. After you activate Amazon Inspector, it automatically starts discovering and scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:

Amazon EC2 scanning

To provide CVE vulnerability data for your EC2 instances, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be installed and activated. This agent is pre-installed on many EC2 instances, but you may need to activate it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning

When you activate Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continuous scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning. This Amazon ECR scan setting can be changed by the delegated administrator at any time. For more information about configuring scans for Amazon ECR, see Scanning Amazon ECR container images with Amazon Inspector.

AWS Lambda function scanning

When you activate AWS Lambda function scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they are deployed, and rescans them when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are published. For more information about configuring Lambda function scanning, see Scanning AWS Lambda functions with Amazon Inspector.

Step 2: View Amazon Inspector findings

You can view findings for your environment in the Amazon Inspector console or through the API. All findings are also pushed to Amazon EventBridge and AWS Security Hub (if activated). Additionally, container image findings are pushed to Amazon ECR.

The Amazon Inspector console offers several different viewing formats for your findings. The Amazon Inspector dashboard gives you a high-level overview of risks to your environment, while the Findings table lets you view the details of a specific finding.

In this step, you explore the details of a finding using the Findings table and Findings dashboard. For information about the Amazon Inspector dashboard, see Understanding the dashboard.

To view details of findings for your environment in the Amazon Inspector console:

  1. Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. From the navigation pane, select Dashboard. You can select any of the links in the dashboard to navigate to a page in the Amazon Inspector console with more details about that item.

  3. From the navigation pane, select Findings.

  4. By default, you will see the All findings tab, which displays all EC2 instance, ECR container image, and AWS Lambda function findings for your environment.

  5. In the Findings list, choose a finding name in the Title column to open the details pane for that finding. All findings have a Finding details tab. You can interact with the Finding details tab in the following ways:

    • For more details about the vulnerability, follow the link in the Vulnerability details section to open the documentation for this vulnerability.

    • To further investigate your resource, follow the Resource ID link in the Resource affected section to open the service console for the affected resource.

    Package vulnerability type findings also have an Inspector Score and vulnerability intelligence tab explaining how the Amazon Inspector score was calculated for that finding and providing information on the Common Vulnerabilities and Exposures (CVE) associated with the finding. For more details about finding types, see Finding types in Amazon Inspector.
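Findings reach you through the console, the API, and EventBridge, and a practitioner usually wants to triage them in bulk rather than one details pane at a time. The following is an added example, not code from the Amazon Inspector documentation: it summarizes a batch of findings by severity and resource type and picks out the ones worth a ticket (high-scoring package vulnerabilities that already have a fix, plus every network reachability finding, which carries no Inspector score). Field names are assumed to match the Inspector2 ListFindings response; the sample findings, IDs and CVE numbers are constructed.

```python
"""Triage Amazon Inspector findings (field names as in the Inspector2 ListFindings
response, which is also the JSON in an EventBridge "Inspector2 Finding" detail)."""
from collections import Counter

SAMPLE_FINDINGS = [  # constructed sample data, not real findings
    {"type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "status": "ACTIVE",
     "inspectorScore": 9.8, "title": "CVE-0000-0001 - openssl",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001",
         "vulnerablePackages": [{"name": "openssl", "version": "1.0.0",
                                 "fixedInVersion": "1.0.1"}]},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
    {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "status": "ACTIVE",
     "inspectorScore": 7.5, "title": "CVE-0000-0002 - zlib",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002",
         "vulnerablePackages": [{"name": "zlib", "version": "1.2.0"}]},  # no fix yet
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "ecr-image-placeholder"}]},
    {"type": "NETWORK_REACHABILITY", "severity": "MEDIUM", "status": "ACTIVE",
     "title": "Port 22 is reachable from an Internet Gateway",
     "networkReachabilityDetails": {"protocol": "TCP",
                                    "openPortRange": {"begin": 22, "end": 22}},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
    {"type": "CODE_VULNERABILITY", "severity": "HIGH", "status": "CLOSED",
     "inspectorScore": 7.0, "title": "Hardcoded credentials",
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "lambda-fn-placeholder"}]},
]

def summarize(findings):
    """Count ACTIVE findings by severity and by affected resource type."""
    active = [f for f in findings if f.get("status") == "ACTIVE"]
    by_severity = Counter(f["severity"] for f in active)
    by_resource = Counter(r["type"] for f in active for r in f["resources"])
    return dict(by_severity), dict(by_resource)

def actionable(findings, min_score=7.0):
    """(issue, resource id) pairs worth a ticket: package vulnerabilities scoring
    >= min_score that already have a fix, plus every ACTIVE network reachability
    finding (those carry no Inspector score, so a score filter would drop them)."""
    out = []
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        if f["type"] == "PACKAGE_VULNERABILITY":
            d = f["packageVulnerabilityDetails"]
            fixable = any(p.get("fixedInVersion") for p in d["vulnerablePackages"])
            if f.get("inspectorScore", 0.0) >= min_score and fixable:
                out.append((d["vulnerabilityId"], f["resources"][0]["id"]))
        elif f["type"] == "NETWORK_REACHABILITY":
            d = f["networkReachabilityDetails"]; pr = d["openPortRange"]
            out.append((f"{d['protocol']}/{pr['begin']}-{pr['end']}", f["resources"][0]["id"]))
    return out
```

Feed it the `findings` array from `aws inspector2 list-findings` output, or the `detail` of each EventBridge event, and the CLOSED finding shows why filtering on status matters before counting.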