Getting started with Amazon Inspector
This tutorial provides a hands-on introduction to Amazon Inspector.
Step 1 covers activating Amazon Inspector scans for a standalone account or as an Amazon Inspector delegated
administrator with AWS Organizations in a multi-account environment.
Step 2 covers understanding Amazon Inspector findings in the console.
In this tutorial, you complete tasks in your current AWS Region. To set up Amazon Inspector in
other Regions, you must complete these steps in each of those Regions.
Before you begin
Amazon Inspector is a vulnerability management service that continually scans your Amazon EC2
instances, Amazon ECR container images, and AWS Lambda functions for software vulnerabilities and
unintended network exposure.
Note the following before you activate Amazon Inspector:
-
Amazon Inspector is a Regional service. Any of the configuration procedures that you
complete in this tutorial must be repeated in each Region that you want to
monitor with Amazon Inspector.
-
Amazon Inspector gives you the flexibility to activate Amazon EC2 instance, Amazon ECR container
image, and AWS Lambda function scanning. You can manage the scanning types from the
account management page in the Amazon Inspector console or using Amazon Inspector APIs.
-
Amazon Inspector can provide Common Vulnerabilities and Exposures (CVE) data for your
EC2 instances only if the AWS Systems Manager (SSM) agent is installed and activated. This agent
is preinstalled on many EC2 instances, but you might need to activate it manually. Regardless of
SSM agent status, all of your EC2 instances are scanned for network exposure issues. For more
information about configuring scans for Amazon EC2, see Scanning Amazon EC2 instances. Amazon ECR
and AWS Lambda function scanning do not require an agent.
-
An IAM user identity with administrator permissions in an AWS account can
enable Amazon Inspector. For data protection purposes, we recommend that you protect your
credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM).
That way, each user is given only the permissions necessary to manage Amazon Inspector. For
information about the permissions required to enable Amazon Inspector, see AWS managed policy: AmazonInspector2FullAccess.
-
When you activate Amazon Inspector for the first time in any Region, it creates a
service-linked role globally for your account called AWSServiceRoleForAmazonInspector2.
This role includes the permissions and the trust policies that allow Amazon Inspector to
collect software package details and analyze Amazon VPC configurations in order to
generate vulnerability findings. For more information, see Using service-linked roles
for Amazon Inspector. For more information about service-linked roles, see Using
service-linked roles.
Step 1: Activate Amazon Inspector
The first step to using Amazon Inspector is to activate it for your
AWS account.
After you activate any Amazon Inspector scan type, Amazon Inspector immediately begins discovering and
scanning all eligible resources.
If you want to manage Amazon Inspector for multiple accounts within your organization through a
centralized administrator account, you must assign a delegated administrator for Amazon Inspector.
Choose one of the following options to learn how to activate Amazon Inspector for your
environment.
- Standalone account environment
-
When you activate Amazon Inspector in a standalone account, all scan types are activated
by default. You can manage activated scan types from the account management
page within the Amazon Inspector console or by using Amazon Inspector APIs. After Amazon Inspector is
activated, it automatically discovers and begins scanning all eligible
resources. Review the following scan type information to understand which
resources are eligible by default:
- Amazon EC2 scanning
-
To provide Common Vulnerabilities and Exposures (CVE) data for
your EC2 instances, Amazon Inspector requires that the AWS Systems Manager (SSM) agent be
installed and activated. This agent is pre-installed on many
EC2 instances, but you may need to activate it manually. Regardless of
SSM agent status, all of your EC2 instances will be scanned for
network exposure issues. For more information about configuring
scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.
- Amazon ECR scanning
-
When you activate Amazon ECR scanning, Amazon Inspector converts all container
repositories in your private registry that are configured for
the default Basic scanning provided by
Amazon ECR to Enhanced scanning with continuous
scanning. You can also optionally configure this setting to scan
on-push only or to scan select repositories through inclusion
rules. All images pushed within the last 30 days are scheduled
for Lifetime scanning. This Amazon ECR scan
setting can be changed at any time. For more information about
configuring scans for Amazon ECR, see Scanning Amazon ECR container images with Amazon Inspector.
- AWS Lambda function scanning
-
When you activate AWS Lambda function scanning, Amazon Inspector discovers the
Lambda functions in your account and immediately starts scanning them
for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when
they are deployed, and rescans them when they are updated or
when new Common Vulnerabilities and Exposures (CVEs) are
published. Amazon Inspector offers two different levels of Lambda function scanning.
By default, when you first activate Amazon Inspector, Lambda standard scanning is
activated, which scans the package dependencies in your functions. You can
additionally activate Lambda code scanning to scan the developer code in your
functions for code vulnerabilities. For more information about configuring Lambda function
scanning, see Scanning AWS Lambda functions with Amazon Inspector.
- Multi-account environment
-
To complete these steps, you must be in the same organization as all
the accounts you want to manage and have access to the AWS Organizations
management account in order to delegate an administrator for Amazon Inspector within
your organization. Additional permissions may be required to delegate an
administrator. For more information, see Permissions required to designate a
delegated administrator.
To programmatically enable Amazon Inspector for multiple accounts in multiple Regions, you can use a shell script developed by Amazon Inspector. For more information on using this script, see inspector2-enablement-with-cli on GitHub.
Delegating an administrator for Amazon Inspector
-
Log in to the AWS Organizations management account.
-
Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
-
Within the Delegated administrator pane,
enter the twelve-digit ID of the AWS account that you want to
designate as the Amazon Inspector delegated administrator for the organization.
Then choose Delegate. Then, in the confirmation
window, choose Delegate again.
Amazon Inspector is activated for your account when you delegate an
administrator.
Adding member accounts
As a delegated administrator you can activate scanning for any member associated with the Organizations management
account. This workflow activates all scan types for all member accounts. However,
members can also activate Amazon Inspector for their own accounts, or scans for a service can
be selectively activated by the delegated administrator. For more
information, see Managing multiple
accounts.
-
Log in to the delegated administrator account.
-
Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
-
In the navigation pane, choose Account
Management. The Accounts table
displays all of the member accounts associated with the Organizations
management account.
-
From the Account Management page, you can
choose Activate scanning for all accounts from
the top banner to activate EC2 instance, ECR container image, and AWS Lambda function
scanning for all accounts in your organization. Alternatively, you
can choose the accounts that you want to add as members by selecting
them in the Accounts table. Then, from the
Activate menu, select All
scanning.
-
(Optional) Turn on the Automatically activate Inspector for new member accounts feature
and select the scan types to include to activate those scans for any
new member accounts that are added to your organization.
Amazon Inspector currently offers scans for EC2 instances, ECR container images, and AWS Lambda functions.
After you activate Amazon Inspector, it automatically starts discovering and scanning
all eligible resources. Review the following scan type information to
understand which resources are eligible by default:
- Amazon EC2 scanning
-
To provide CVE vulnerability data for your EC2 instances, Amazon Inspector
requires that the AWS Systems Manager (SSM) agent be installed and
activated. This agent is pre-installed on many EC2 instances, but you
may need to activate it manually. Regardless of SSM agent status,
all of your EC2 instances will be scanned for network exposure issues.
For more information about configuring scans for Amazon EC2, see
Scanning Amazon EC2 instances with Amazon Inspector.
- Amazon ECR scanning
-
When you activate Amazon ECR scanning, Amazon Inspector converts all container
repositories in your private registry that are configured for
the default Basic scanning provided by
Amazon ECR to Enhanced scanning with continuous
scanning. You can also optionally configure this setting to scan
on-push only or to scan select repositories through inclusion
rules. All images pushed within the last 30 days are scheduled
for Lifetime scanning. This Amazon ECR scan
setting can be changed by the delegated administrator at any
time. For more information about configuring scans for Amazon ECR,
see Scanning Amazon ECR container images with Amazon Inspector.
- AWS Lambda function scanning
-
When you activate AWS Lambda function scanning, Amazon Inspector discovers the
Lambda functions in your account and immediately starts scanning them
for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when
they are deployed, and rescans them when they are updated or
when new Common Vulnerabilities and Exposures (CVEs) are
published. For more information about configuring Lambda function
scanning, see Scanning AWS Lambda functions with Amazon Inspector.
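The standalone activation and the delegated-administrator member workflow above both have API equivalents. The following is an added example, not AWS's code and not the inspector2-enablement-with-cli script, written against the boto3 inspector2 client's Enable, BatchGetAccountStatus and UpdateOrganizationConfiguration calls; the account IDs are placeholders and the stub client is constructed so it runs offline.

```python
"""Added example (not AWS's code): activate Amazon Inspector scan types for one
or many accounts, verify them, and auto-activate scans for new member accounts.
Assumes a boto3 inspector2 client (boto3.client("inspector2")) with permission for
Enable, BatchGetAccountStatus and UpdateOrganizationConfiguration; the stub
client at the bottom is constructed so the module runs offline."""
from typing import Dict, List, Sequence

# resourceTypes accepted by Enable, mapped to the keys that status responses use
RESOURCE_KEYS = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda", "LAMBDA_CODE": "lambdaCode"}
DEFAULT_TYPES = ("EC2", "ECR", "LAMBDA")
READY = {"ENABLED", "ENABLING"}

def enable_scanning(client, account_ids: Sequence[str], resource_types=DEFAULT_TYPES) -> Dict[str, object]:
    """Enable scan types. Enable reports per-account problems in failedAccounts
    rather than raising, so an unchecked call can leave accounts unscanned."""
    resp = client.enable(accountIds=list(account_ids), resourceTypes=list(resource_types))
    return {"enabled": [a["accountId"] for a in resp.get("accounts", [])],
            "failed": {f["accountId"]: f.get("errorCode", "UNKNOWN") for f in resp.get("failedAccounts", [])}}

def unready_scan_types(client, account_ids: Sequence[str], resource_types=DEFAULT_TYPES) -> Dict[str, List[str]]:
    """Return {account: [scan types whose status is not ENABLED or ENABLING]}."""
    resp = client.batch_get_account_status(accountIds=list(account_ids))
    gaps = {}
    for acct in resp.get("accounts", []):
        state = acct.get("resourceState", {})
        missing = [t for t in resource_types if state.get(RESOURCE_KEYS[t], {}).get("status") not in READY]
        if missing:
            gaps[acct["accountId"]] = missing
    return gaps

def auto_enable_new_members(client, resource_types=DEFAULT_TYPES) -> Dict[str, bool]:
    """Delegated administrator only: activate the given scans for new member accounts."""
    auto = {RESOURCE_KEYS[t]: True for t in resource_types}
    return client.update_organization_configuration(autoEnable=auto)["autoEnable"]

class StubInspector2Client:
    """Constructed stand-in for the boto3 client; mimics response shapes only."""
    def __init__(self, failing: Sequence[str] = ()):
        self.failing, self.state = set(failing), {}
    def enable(self, accountIds, resourceTypes, **_):
        for a in accountIds:
            if a not in self.failing:
                self.state[a] = {RESOURCE_KEYS[t]: {"status": "ENABLING"} for t in resourceTypes}
        return {"accounts": [{"accountId": a} for a in accountIds if a not in self.failing],
                "failedAccounts": [{"accountId": a, "errorCode": "ACCESS_DENIED"} for a in accountIds if a in self.failing]}
    def batch_get_account_status(self, accountIds, **_):
        return {"accounts": [{"accountId": a, "resourceState": self.state.get(a, {})} for a in accountIds]}
    def update_organization_configuration(self, autoEnable, **_):
        return {"autoEnable": autoEnable}
```

With a real client, pass your own account ID for a standalone account or the member account IDs from the Account Management page when running as the delegated administrator; checking `failed` and `unready_scan_types` is what catches a member that was silently skipped.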
Step 2: View Amazon Inspector findings
You can view findings for your environment in the Amazon Inspector console or through the API.
All findings are also pushed to Amazon EventBridge and AWS Security Hub (if activated). Additionally,
container image findings are pushed to Amazon ECR.
The Amazon Inspector console offers several different viewing formats for your findings. The
Amazon Inspector dashboard gives you a high-level overview of risks to your environment, while the
Findings table lets you view the details of a specific finding.
In this step, you explore the details of a finding using the
Findings table and Findings dashboard. For information about
the Amazon Inspector dashboard, see Understanding the
dashboard.
To view details of findings for your environment in the Amazon Inspector
console:
-
Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.
-
From the navigation pane, select Dashboard. You can
select any of the links in the dashboard to navigate to a page in the Amazon Inspector
console with more details about that item.
-
From the navigation pane, select Findings.
-
By default you will see the All findings tab, which
displays all EC2 instance, ECR container image, and AWS Lambda function findings for your
environment.
-
In the Findings list, choose a finding name in the
Title column to open the details pane for that finding.
All findings have a Finding details tab. You can interact
with the Finding details tab in the following ways:
-
For more details about the vulnerability, follow the link in the
Vulnerability details section to open the
documentation for this vulnerability.
-
To further investigate your resource, follow the Resource
ID link in the Resource affected
section to open the service console for the affected resource.
Package vulnerability type findings also have an
Inspector score and vulnerability intelligence tab, which explains how the Amazon Inspector
score was calculated for that finding and provides information on the Common Vulnerabilities
and Exposures (CVE) entry associated with the finding. For more details about finding types, see
Finding types in Amazon Inspector.
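The findings browsed in the console are the same records the ListFindings API returns. As an added example (not AWS's code), the following boto3-style code pulls only ACTIVE findings of HIGH severity or above, follows pagination, and groups them per affected resource; the stub client, CVE IDs and resource IDs are constructed placeholders.

```python
# Added example (not AWS's code): pull ACTIVE Amazon Inspector findings via ListFindings and
# rank affected resources. Assumes a boto3 inspector2 client; the stub and samples are constructed.
from collections import defaultdict
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def iter_active_findings(client, min_severity="HIGH"):
    """Page through ListFindings with a server-side filter. Several values in one
    filter list are ORed; nextToken must be followed or later pages are missed."""
    wanted = [s for s, r in SEVERITY_RANK.items() if r >= SEVERITY_RANK[min_severity]]
    criteria = {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
                "severity": [{"comparison": "EQUALS", "value": s} for s in wanted]}
    kwargs = {"filterCriteria": criteria, "maxResults": 100}
    while True:
        page = client.list_findings(**kwargs)
        yield from page.get("findings", [])
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]

def rank_resources(findings):
    """Group findings per affected resource, ordered by exploit availability, then severity counts."""
    per_res = defaultdict(lambda: {"critical": 0, "high": 0, "exploitable": 0, "cves": []})
    for f in findings:
        for res in f.get("resources", []):  # one finding can name several resources
            e = per_res[(res.get("type"), res.get("id"))]
            e["critical"] += f.get("severity") == "CRITICAL"
            e["high"] += f.get("severity") == "HIGH"
            e["exploitable"] += f.get("exploitAvailable") == "YES"
            cve = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")  # absent for network findings
            e["cves"] += [cve] if cve else []
    ranked = [{"type": t, "id": i, **v} for (t, i), v in per_res.items()]
    ranked.sort(key=lambda r: (r["exploitable"], r["critical"], r["high"]), reverse=True)
    return ranked

def _finding(sev, rtype, rid, cve, exploit="NO"):  # builds one constructed sample finding
    return {"status": "ACTIVE", "severity": sev, "type": "PACKAGE_VULNERABILITY", "exploitAvailable": exploit,
            "packageVulnerabilityDetails": {"vulnerabilityId": cve}, "resources": [{"type": rtype, "id": rid}]}
SAMPLE_FINDINGS = [_finding("CRITICAL", "AWS_EC2_INSTANCE", "i-0placeholder", "CVE-0000-0001"),
                   _finding("HIGH", "AWS_LAMBDA_FUNCTION", "arn:placeholder:fn", "CVE-0000-0002", "YES"),
                   _finding("HIGH", "AWS_EC2_INSTANCE", "i-0placeholder", "CVE-0000-0003"),
                   _finding("MEDIUM", "AWS_ECR_CONTAINER_IMAGE", "sha256:placeholder", "CVE-0000-0004")]

class StubInspector2Client:  # constructed stand-in: applies the severity filter, pages two findings at a time
    def list_findings(self, filterCriteria, maxResults=100, nextToken=None):
        allowed = {c["value"] for c in filterCriteria.get("severity", [])}
        hits = [f for f in SAMPLE_FINDINGS if f["severity"] in allowed]
        start = int(nextToken or 0)
        page = {"findings": hits[start:start + 2], "nextToken": str(start + 2)}
        return page if start + 2 < len(hits) else {"findings": page["findings"]}
```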