Getting started with Amazon Inspector - Amazon Inspector

Getting started with Amazon Inspector

This section provides information to consider before activating Amazon Inspector and a getting started tutorial describing how to activate Amazon Inspector and view your findings in the Amazon Inspector console and with the Amazon Inspector API.

Before activating Amazon Inspector

Before activating Amazon Inspector, consider the following:

Amazon Inspector is a Regional service

Your data is stored in the AWS Region where you activate Amazon Inspector. Repeat the steps in the first part of the getting started tutorial for all AWS Regions where you plan to use Amazon Inspector.

Amazon Inspector creates the service-linked roles AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless

A service-linked role is a role in AWS Identity and Access Management (IAM) that's linked to an AWS service. AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless allow Amazon Inspector to access the AWS services required to perform security assessments.

IAM identities with administrator permissions can enable Amazon Inspector

Protect your credentials by creating users with IAM or AWS IAM Identity Center. This helps you make sure users only have the permissions required to manage Amazon Inspector. For more information, see AWS managed policy: AmazonInspectorFullAccess.

Hybrid scanning is automatically enabled

Hybrid scanning includes agent-based scanning and agentless scanning. By default, Amazon Inspector uses these scan methods on all eligible Amazon EC2 instances. For more information, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning and Lambda function scanning don't require the SSM agent

Agent-based scanning uses the SSM agent to collect software inventory. Agentless scanning uses Amazon EBS snapshots to collect software inventory.

Note

By default, the SSM agent is already installed in Amazon EC2 instances based on Amazon Machine Images. However, you might need to activate the SSM agent manually in some cases. For more information, see Working with the SSM agent in the AWS Systems Manager User Guide.

Monthly costs are based on workloads scanned

For more information, see Amazon Inspector pricing.

Getting started tutorial

In the first part of this tutorial, you activate Amazon Inspector for a standalone account environment or multi-account environment. In the second part of this tutorial, you learn how to view your findings in the Amazon Inspector console and with the Amazon Inspector API.

Activating Amazon Inspector

Complete one of the following procedures to activate Amazon Inspector. Once you activate Amazon Inspector, Amazon Inspector automatically begins discovering workloads and continually scanning them for software vulnerabilities and unintended network exposure.

Standalone account environment

  1. Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Choose Get Started.

  3. Choose Activate Amazon Inspector.

When you activate Amazon Inspector in a standalone account, all scan types are activated by default. You can manage activated scan types from the account management page within the Amazon Inspector console or by using Amazon Inspector APIs. After Amazon Inspector is activated, it automatically discovers and begins scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:

Amazon EC2 scanning

To provide Common Vulnerabilities and Exposures (CVE) data for your EC2 instance, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be installed and activated. This agent is pre-installed on many EC2 instances, but you may need to activate it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning

When you activate Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continual scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning. This Amazon ECR scan setting can be changed at any time. For more information about configuring scans for Amazon ECR, see Scanning Amazon Elastic Container Registry container images with Amazon Inspector.

AWS Lambda function scanning

When you activate AWS Lambda function scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they are deployed, and rescans them when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are published. Amazon Inspector offers two different levels of Lambda function scanning. By default when you first activate Amazon Inspector, Lambda standard scanning is activated, which scans package dependencies in your functions. You can additionally activate Lambda code scanning to scan the developer code in your functions for code vulnerabilities. For more information about configuring Lambda function scanning, see Scanning AWS Lambda functions with Amazon Inspector.

Multi-account environment

Important

To complete these steps, you must be in the same organization as all the accounts you want to manage and have access to the AWS Organizations management account in order to delegate an administrator for Amazon Inspector within your organization. Additional permissions may be required to delegate an administrator. For more information, see Permissions required to designate a delegated administrator.

Note

To programmatically enable Amazon Inspector for multiple accounts in multiple Regions, you can use a shell script developed by Amazon Inspector. For more information on using this script, see inspector2-enablement-with-cli on GitHub.

Delegating an administrator for Amazon Inspector

  1. Log in to the AWS Organizations management account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  3. Within the Delegated administrator pane, enter the twelve-digit ID of the AWS account that you want to designate as the Amazon Inspector delegated administrator for the organization. Choose Delegate, and then choose Delegate again in the confirmation window.

    Note

    Amazon Inspector is activated for your account when you delegate an administrator.

Adding member accounts

As a delegated administrator, you can activate scanning for any member account associated with the Organizations management account. This workflow activates all scan types for all member accounts. However, members can also activate Amazon Inspector for their own accounts, or the delegated administrator can selectively activate scans for a single service. For more information, see Managing multiple accounts.

  1. Log in to the delegated administrator account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  3. In the navigation pane, choose Account Management. The Accounts table displays all of the member accounts associated with the Organizations management account.

  4. From the Account Management page, you can choose Activate scanning for all accounts from the top banner to activate EC2 instance, ECR container image, and AWS Lambda function scanning for all accounts in your organization. Alternatively, you can choose the accounts that you want to add as members by selecting them in the Accounts table. Then, from the Activate menu, select All scanning.

  5. (Optional) Turn on the Automatically activate Inspector for new member accounts feature and select the scan types to include to activate those scans for any new member accounts that are added to your organization.
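The following is an added example, not code from the Amazon Inspector documentation or the AWS-provided enablement script, that performs the standalone activation and the multi-account steps above with the AWS SDK for Python (boto3). The inspector2 API operations it calls (Enable, BatchGetAccountStatus, EnableDelegatedAdminAccount, AssociateMember, UpdateOrganizationConfiguration) are the ones behind the console actions; the Region list, the account IDs, the sample status response, and the helper names are assumptions made for this example. Because Amazon Inspector is Regional, the functions take a Region and are meant to be run once per Region you use.

```python
"""Activate Amazon Inspector with the inspector2 API (AWS SDK for Python).

Added example, not AWS code. Real API operations: Enable, BatchGetAccountStatus,
EnableDelegatedAdminAccount, AssociateMember, UpdateOrganizationConfiguration.
Assumptions: the Region list, the account IDs, and the helper names below.
"""
import re

try:
    import boto3  # AWS SDK for Python; only the live calls need it
except ImportError:
    boto3 = None  # the offline helpers below still run without the SDK

SCAN_TYPES = ("EC2", "ECR", "LAMBDA")  # resource types the tutorial activates
# BatchGetAccountStatus reports per-resource state under these keys
STATE_KEY = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda", "LAMBDA_CODE": "lambdaCode"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are twelve digits


def validate_account_id(account_id):
    """Return True only for a well-formed twelve-digit AWS account ID."""
    return bool(ACCOUNT_ID_RE.match(str(account_id)))


def summarize_status(response, expected=SCAN_TYPES):
    """Map each account in a BatchGetAccountStatus response to the scan types
    that are not ENABLED; an empty list means activation is complete for it.
    Accounts listed under failedAccounts are marked ["FAILED"]."""
    result = {}
    for acct in response.get("accounts", []):
        states = acct.get("resourceState", {})
        result[acct["accountId"]] = [
            rt for rt in expected
            if states.get(STATE_KEY[rt], {}).get("status") != "ENABLED"
        ]
    for failed in response.get("failedAccounts", []):
        result[failed["accountId"]] = ["FAILED"]
    return result


def enable_standalone(region, resource_types=SCAN_TYPES):
    """Standalone account: activate the scan types in one Region, then verify."""
    client = boto3.client("inspector2", region_name=region)
    client.enable(resourceTypes=list(resource_types))
    return summarize_status(client.batch_get_account_status(), resource_types)


def delegate_admin(region, admin_account_id):
    """Run with Organizations management-account credentials: designate the
    delegated administrator (this also activates Amazon Inspector for it)."""
    if not validate_account_id(admin_account_id):
        raise ValueError(f"malformed account ID: {admin_account_id}")
    client = boto3.client("inspector2", region_name=region)
    client.enable_delegated_admin_account(delegatedAdminAccountId=admin_account_id)


def add_members(region, member_account_ids, resource_types=SCAN_TYPES):
    """Run with delegated-administrator credentials: add members, activate all
    scan types for them, auto-enable new members, then verify the result."""
    bad = [a for a in member_account_ids if not validate_account_id(a)]
    if bad:
        raise ValueError(f"malformed account IDs: {bad}")
    client = boto3.client("inspector2", region_name=region)
    for member in member_account_ids:
        client.associate_member(accountId=member)
    client.enable(accountIds=list(member_account_ids), resourceTypes=list(resource_types))
    client.update_organization_configuration(
        autoEnable={"ec2": True, "ecr": True, "lambda": True}
    )
    status = client.batch_get_account_status(accountIds=list(member_account_ids))
    return summarize_status(status, resource_types)


# Constructed sample response (not captured from AWS): one member with Lambda
# scanning still off, and one account the service could not report on.
SAMPLE_STATUS = {
    "accounts": [
        {
            "accountId": "222222222222",
            "state": {"status": "ENABLED"},
            "resourceState": {
                "ec2": {"status": "ENABLED"},
                "ecr": {"status": "ENABLED"},
                "lambda": {"status": "DISABLED"},
            },
        }
    ],
    "failedAccounts": [
        {"accountId": "333333333333", "errorCode": "ACCESS_DENIED",
         "errorMessage": "placeholder"}
    ],
}


if __name__ == "__main__":
    # Offline check of the verification logic on the constructed sample:
    print(summarize_status(SAMPLE_STATUS))  # {'222222222222': ['LAMBDA'], '333333333333': ['FAILED']}
    # Live use, once per Region (assumed Region and account IDs):
    #   delegate_admin("us-east-1", "111111111111")   # management-account credentials
    #   add_members("us-east-1", ["222222222222"])    # delegated-administrator credentials
```

The verification step matters because Enable returns as soon as the request is accepted; checking BatchGetAccountStatus per Region is how you confirm that every scan type actually reached ENABLED for every member, and the failedAccounts list is where a member that is outside the organization or lacks permissions shows up.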

Amazon Inspector currently offers scans for EC2 instances, ECR container images, and AWS Lambda functions. After you activate Amazon Inspector, it automatically starts discovering and scanning all eligible resources. Review the following scan type information to understand which resources are eligible by default:

Amazon EC2 scanning

To provide CVE vulnerability data for your EC2 instances, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be installed and activated. This agent is pre-installed on many EC2 instances, but you may need to activate it manually. Regardless of SSM agent status, all of your EC2 instances will be scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Amazon ECR scanning

When you activate Amazon ECR scanning, Amazon Inspector converts all container repositories in your private registry that are configured for the default Basic scanning provided by Amazon ECR to Enhanced scanning with continuous scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through inclusion rules. All images pushed within the last 30 days are scheduled for Lifetime scanning. This Amazon ECR scan setting can be changed by the delegated administrator at any time. For more information about configuring scans for Amazon ECR, see Scanning Amazon Elastic Container Registry container images with Amazon Inspector.

AWS Lambda function scanning

When you activate AWS Lambda function scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they are deployed, and rescans them when they are updated or when new Common Vulnerabilities and Exposures (CVEs) are published. For more information about configuring Lambda function scanning, see Scanning AWS Lambda functions with Amazon Inspector.

Viewing your Amazon Inspector findings

You can view your findings in the Amazon Inspector console and with the Amazon Inspector API. In the console, you can view your findings in the dashboard and on the Findings screen. To complete this part of the tutorial, see Viewing your Amazon Inspector findings.

Note

Because you just activated Amazon Inspector, you might not have any findings.
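The following is an added example, not code from the Amazon Inspector documentation, showing how to retrieve findings with the Amazon Inspector API instead of the console, using the AWS SDK for Python (boto3). The inspector2 ListFindings operation, its filterCriteria shape, and the finding fields used are real; the Region, the sample findings, and the helper names are assumptions made for this example, and the CVE identifiers in the sample are placeholders.

```python
"""List and summarize Amazon Inspector findings with the ListFindings API.

Added example, not AWS code. The inspector2 ListFindings call, its
filterCriteria shape and the finding fields used here are real; the Region,
the sample findings and the helper names are assumptions for this example.
"""
from collections import Counter

try:
    import boto3  # AWS SDK for Python; only the live call needs it
except ImportError:
    boto3 = None  # the offline helpers below still run without the SDK

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def build_filter(min_severity="HIGH", status="ACTIVE", finding_type=None):
    """Build a ListFindings filterCriteria dict.

    The API has no ordering comparison for severity, so "at least min_severity"
    is expressed as one EQUALS entry per level (entries in one list are OR'ed).
    finding_type may be PACKAGE_VULNERABILITY, NETWORK_REACHABILITY or CODE_VULNERABILITY.
    """
    levels = SEVERITY_ORDER[SEVERITY_ORDER.index(min_severity):]
    criteria = {
        "findingStatus": [{"comparison": "EQUALS", "value": status}],
        "severity": [{"comparison": "EQUALS", "value": lvl} for lvl in levels],
    }
    if finding_type:
        criteria["findingType"] = [{"comparison": "EQUALS", "value": finding_type}]
    return criteria


def summarize(findings):
    """Count findings by severity and by resource type, and list the package
    vulnerabilities for which Amazon Inspector reports a fix is available."""
    by_severity = Counter(f["severity"] for f in findings)
    by_resource = Counter(r["type"] for f in findings for r in f.get("resources", []))
    fixable = sorted(
        f["packageVulnerabilityDetails"]["vulnerabilityId"]
        for f in findings
        if f.get("type") == "PACKAGE_VULNERABILITY" and f.get("fixAvailable") == "YES"
    )
    return {"by_severity": dict(by_severity), "by_resource": dict(by_resource), "fixable": fixable}


def list_findings(region, criteria):
    """Page through ListFindings in one Region and return every matching finding."""
    client = boto3.client("inspector2", region_name=region)
    paginator = client.get_paginator("list_findings")
    findings = []
    for page in paginator.paginate(filterCriteria=criteria):
        findings.extend(page["findings"])
    return findings


# Constructed sample findings (not captured from AWS); CVE IDs are placeholders.
SAMPLE_FINDINGS = [
    {
        "findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/example-1",
        "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "status": "ACTIVE",
        "fixAvailable": "YES",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}],
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"},
    },
    {
        "findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/example-2",
        "type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "status": "ACTIVE",
        "fixAvailable": "NO",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:placeholder"}],
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"},
    },
    {
        "findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/example-3",
        "type": "NETWORK_REACHABILITY", "severity": "MEDIUM", "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}],
        "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 22, "end": 22}},
    },
]


if __name__ == "__main__":
    # Offline: summarize the constructed sample.
    print(summarize(SAMPLE_FINDINGS))
    # Live (assumed Region): active HIGH and CRITICAL findings, all pages.
    #   print(summarize(list_findings("us-east-1", build_filter("HIGH"))))
```

Right after activation the live call may legitimately return no findings, as the note above says; the paginator handles that case by yielding a single page with an empty findings list, so summarize returns empty counters rather than failing.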