Getting started with Amazon Inspector
This tutorial provides a quick setup method to help you get started with Amazon Inspector.
Step 1 covers enabling Amazon Inspector scans for a standalone account, or as an Amazon Inspector delegated administrator with AWS Organizations in a multi-account environment.
In Step 2, you gain hands-on experience exploring your findings in the console.
In this tutorial, you complete tasks in your current Region. To set up Amazon Inspector in other Regions, you must complete these steps in those Regions.
Before you begin
Amazon Inspector is a vulnerability management service that continually scans your Amazon EC2 instances and Amazon ECR container images for software vulnerabilities and unintended network exposure.
Note the following before you enable Amazon Inspector:
- Amazon Inspector is a Regional service. Any of the configuration procedures that you complete in this tutorial must be repeated in each Region that you want to monitor with Amazon Inspector.
- Amazon Inspector gives you the flexibility to enable either EC2 scanning or ECR container image scanning, or both. You can manage the scanning types from the account management page within the Amazon Inspector console or using Amazon Inspector APIs.
- Amazon Inspector can provide CVE vulnerability data for your Amazon EC2 instances only if the Amazon EC2 Systems Manager (SSM) agent is installed and enabled. This agent is preinstalled on many Amazon EC2 instances, but you might need to enable it manually. Regardless of SSM agent status, all of your Amazon EC2 instances are scanned for network reachability issues. For more information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances.
- Any user with administrator permissions in an AWS account can enable Amazon Inspector. However, following the security best practice of least privilege, we recommend that you create an IAM user, role, or group specifically to manage Amazon Inspector. For information on the permissions required to enable Amazon Inspector, see AWS managed policy: AmazonInspector2FullAccess.
- When you enable Amazon Inspector for the first time in any Region, it creates a service-linked role globally for your account called AWSServiceRoleForAmazonInspector2. This role includes the permissions and the trust policies that allow Amazon Inspector to collect software package details and analyze VPC configurations in order to generate vulnerability findings. For more information, see Using service-linked roles for Amazon Inspector. For more information about service-linked roles, see Using service-linked roles.
Step 1: Enable Amazon Inspector
The first step to using Amazon Inspector is to enable it in your account. After you enable any Amazon Inspector scan type, Amazon Inspector immediately begins discovering and scanning all eligible resources.
If you want to manage Amazon Inspector for multiple accounts within your organization through a centralized administrator account, you must assign a delegated administrator for Amazon Inspector. Choose one of the following options to learn how to enable Amazon Inspector for your environment.
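The console steps above have an API equivalent. The following is an added example, not code from the AWS documentation: it uses the inspector2 `enable` and `enable_delegated_admin_account` operations through boto3 (with an offline stand-in client so it runs without credentials), validates that only the EC2 and ECR scan types covered by this tutorial are requested, and checks the `failedAccounts` list that the Enable API uses to report per-account failures without raising. The account IDs are constructed placeholders; the delegated-administrator call is only valid from the organization's management account.

```python
"""Enable Amazon Inspector scan types in the current Region through the API.

Added example, not part of the AWS documentation page. It assumes boto3
and the permissions in AmazonInspector2FullAccess; the account IDs are
constructed placeholders.
"""

VALID_SCAN_TYPES = ("EC2", "ECR")  # the scan types the tutorial covers


def unknown_scan_types(scan_types):
    """Return the requested names that are not EC2 or ECR (upper-cased)."""
    return sorted({t.strip().upper() for t in scan_types} - set(VALID_SCAN_TYPES))


def build_enable_request(scan_types):
    """Turn user input into the keyword arguments for inspector2.enable()."""
    bad = unknown_scan_types(scan_types)
    wanted = sorted({t.strip().upper() for t in scan_types})
    if bad or not wanted:
        raise ValueError(f"scan types must be EC2 and/or ECR, got {bad or 'nothing'}")
    return {"resourceTypes": wanted}


def summarize_enable_response(response):
    """Flatten an Enable response into {resource_type: status}."""
    summary = {}
    for account in response.get("accounts", []):
        for resource, status in account.get("resourceStatus", {}).items():
            summary[resource.upper()] = status
    return summary


def enable_inspector(client, scan_types, delegated_admin_account_id=None):
    """Enable scanning, registering a delegated administrator first if given.

    `client` is an inspector2 client. Failures for individual accounts are
    reported in `failedAccounts` rather than raised, so they are checked.
    """
    if delegated_admin_account_id:
        client.enable_delegated_admin_account(
            delegatedAdminAccountId=delegated_admin_account_id
        )
    response = client.enable(**build_enable_request(scan_types))
    failed = response.get("failedAccounts") or []
    if failed:
        first = failed[0]
        raise RuntimeError(
            f"enable failed for {first.get('accountId')}: "
            f"{first.get('errorCode')} {first.get('errorMessage')}"
        )
    return summarize_enable_response(response)


class ConstructedInspectorClient:
    """Offline stand-in for boto3.client('inspector2'); returns canned
    responses in the real API's shape and records the calls it received."""

    def __init__(self):
        self.calls = []

    def enable_delegated_admin_account(self, **kwargs):
        self.calls.append(("enable_delegated_admin_account", kwargs))
        return {"delegatedAdminAccountId": kwargs["delegatedAdminAccountId"]}

    def enable(self, **kwargs):
        self.calls.append(("enable", kwargs))
        status = {t.lower(): "ENABLING" for t in kwargs["resourceTypes"]}
        return {
            "accounts": [{"accountId": "111111111111", "status": "ENABLING",
                          "resourceStatus": status}],
            "failedAccounts": [],
        }


if __name__ == "__main__":
    # Offline run against the constructed client. For a real account use
    # `import boto3; client = boto3.client("inspector2")` instead.
    client = ConstructedInspectorClient()
    print(enable_inspector(client, ["ec2", "ecr"],
                           delegated_admin_account_id="222222222222"))
```

Because Amazon Inspector is Regional, the same call has to be repeated with a client for each Region you want covered; the status values come back as `ENABLING` first and only later as `ENABLED`, so a follow-up `batch_get_account_status` call is the place to confirm that scanning is actually on.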
Step 2: View Amazon Inspector findings
You can view findings for your environment in the Amazon Inspector console or through the API. All findings are also pushed to Amazon EventBridge and AWS Security Hub (if enabled). Additionally, container image findings are pushed to Amazon ECR.
The Amazon Inspector console offers several different viewing formats for your findings. The Amazon Inspector dashboard gives you a high-level overview of risks to your environment, while the Findings table lets you view the details of a specific finding.
In this step, you explore the details of a finding using the Findings table and Findings dashboard. For information on the Amazon Inspector dashboard, see Understanding the dashboard.
To view details of findings for your environment in the Amazon Inspector console:
- Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
- From the navigation pane, select Dashboard. You can select any of the links in the dashboard to navigate to a page in the Amazon Inspector console with more details on that item.
- From the navigation pane, select Findings.
- By default, you see the All findings tab, which displays all EC2 instance and ECR container image findings for your environment.
- In the Findings list, choose a finding name in the Title column to open the details pane for that finding. All findings have a Finding details tab. You can interact with the Finding details tab in the following ways:
  - For more details on the vulnerability, follow the link in the Vulnerability details section to open the documentation for this vulnerability.
  - To further investigate your resource, follow the Resource ID link in the Resource affected section to open the service console for the affected resource.

Package vulnerability type findings also have an Inspector Score Breakdown tab explaining how the Amazon Inspector score was calculated for that finding. For more details on finding types, see Finding types in Amazon Inspector.
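The same findings are available through the API, which is the route you would take to triage at scale rather than one finding at a time in the console. The following is an added example, not code from the AWS documentation: it pages through `list_findings` for ACTIVE findings and reduces them to counts by severity and resource type plus the package vulnerabilities that already have a fix available. The sample findings are constructed (placeholder ARNs, instance IDs and CVE identifiers) to match the shape the API returns for package-vulnerability and network-reachability findings on EC2 instances and ECR images; the live `fetch_active_findings` call assumes boto3 and the read permissions in AmazonInspector2FullAccess.

```python
"""List and summarize active Amazon Inspector findings via the API.

Added example, not part of the AWS documentation page. SAMPLE_FINDINGS is
constructed data in the list_findings response shape, not real output.
"""
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]

# Only open findings; Inspector filter criteria are lists of {comparison, value}.
ACTIVE_FILTER = {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}


def fetch_active_findings(client):
    """Page through list_findings on a boto3 inspector2 client (live call)."""
    findings = []
    for page in client.get_paginator("list_findings").paginate(filterCriteria=ACTIVE_FILTER):
        findings.extend(page.get("findings", []))
    return findings


def severity_rank(severity):
    """Sort key: CRITICAL first, unknown severities last."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def summarize_findings(findings):
    """Counts by severity and resource type, plus fixable package findings.

    A package vulnerability is 'fixable' when Inspector reports a
    fixedInVersion for the vulnerable package; those are the quickest wins.
    """
    by_severity = Counter(f.get("severity", "UNTRIAGED") for f in findings)
    by_resource = Counter(r.get("type", "UNKNOWN")
                          for f in findings for r in f.get("resources", []))
    fixable = []
    for f in findings:
        if f.get("type") != "PACKAGE_VULNERABILITY":
            continue  # network-reachability findings carry no package data
        details = f.get("packageVulnerabilityDetails", {})
        resources = f.get("resources", [])
        for pkg in details.get("vulnerablePackages", []):
            if pkg.get("fixedInVersion"):
                fixable.append({
                    "cve": details.get("vulnerabilityId"),
                    "package": pkg.get("name"),
                    "installed": pkg.get("version"),
                    "fixed_in": pkg["fixedInVersion"],
                    "severity": f.get("severity"),
                    "resource": resources[0].get("id") if resources else None,
                })
    fixable.sort(key=lambda x: severity_rank(x["severity"]))
    return {"by_severity": dict(by_severity),
            "by_resource_type": dict(by_resource),
            "fixable": fixable}


# Constructed sample (placeholder ARNs, IDs and CVE numbers), not real findings.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/EXAMPLE1",
     "type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "status": "ACTIVE",
     "inspectorScore": 7.8,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-0001",  # placeholder identifier
         "vulnerablePackages": [{"name": "examplelib", "version": "1.0.0",
                                 "fixedInVersion": "1.0.1"}]}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/EXAMPLE2",
     "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "status": "ACTIVE",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                    "id": "arn:aws:ecr:us-east-1:111111111111:repository/app/sha256:0000"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-0002",  # placeholder identifier
         "vulnerablePackages": [{"name": "examplelib2", "version": "2.3.0"}]}},  # no fix yet
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/EXAMPLE3",
     "type": "NETWORK_REACHABILITY", "severity": "MEDIUM", "status": "ACTIVE",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}],
     "networkReachabilityDetails": {"protocol": "TCP",
                                    "openPortRange": {"begin": 22, "end": 22}}},
]


if __name__ == "__main__":
    import json
    # Offline demo on the constructed sample. For a live account use:
    #   import boto3; findings = fetch_active_findings(boto3.client("inspector2"))
    print(json.dumps(summarize_findings(SAMPLE_FINDINGS), indent=2))
```

Note that the CRITICAL finding in the sample is not in the fixable list because no `fixedInVersion` is reported for it; in practice those findings still need a compensating control, which is exactly the case the console's Inspector Score Breakdown tab helps you weigh.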