Scanning Windows EC2 instances with Amazon Inspector
Amazon Inspector automatically discovers all supported Windows instances and includes them in continuous scanning without any extra actions. For information about which instances are supported, see Operating systems and programming languages supported by Amazon Inspector. Amazon Inspector runs Windows scans at regular intervals. Windows instances are scanned at discovery and then every 6 hours. However, you can adjust the default scan interval after the first scan.
When Amazon EC2 scanning is activated, Amazon Inspector creates the following SSM associations for your Windows resources: InspectorDistributor-do-not-delete, InspectorInventoryCollection-do-not-delete, and InvokeInspectorSsmPlugin-do-not-delete.
To install the Amazon Inspector SSM plugin on your Windows instances, the InspectorDistributor-do-not-delete SSM association uses the AWS-ConfigureAWSPackage SSM document and the AmazonInspector2-InspectorSsmPlugin SSM Distributor package.
For more information, see About the Amazon Inspector SSM plugin for Windows.
To collect instance data and generate Amazon Inspector findings, the InvokeInspectorSsmPlugin-do-not-delete SSM association runs the Amazon Inspector SSM plugin at 6-hour intervals. However, you can customize this setting using a cron or rate expression.
Note
Amazon Inspector stages updated Open Vulnerability and Assessment Language (OVAL) definition files to the S3 bucket inspector2-oval-prod-your-AWS-Region. This Amazon S3 bucket contains the OVAL definitions used in scans. These OVAL definitions shouldn't be modified; otherwise, Amazon Inspector won't scan for new CVEs when they are released.
Amazon Inspector scan requirements for Windows instances
To scan a Windows instance, Amazon Inspector requires the instance to meet the following criteria:
- The instance is an SSM managed instance. For instructions about setting up your instance for scanning, see Configuring the SSM Agent.
- The instance operating system is one of the supported Windows operating systems. For a complete list of supported operating systems, see Amazon EC2 instances status values.
- The instance has the Amazon Inspector SSM plugin installed. Amazon Inspector automatically installs the Amazon Inspector SSM plugin for managed instances upon discovery. See the next topic for details about the plugin.
Note
If your host is running in an Amazon VPC without outgoing internet access, Windows scanning requires your host to be able to access Regional Amazon S3 endpoints. To learn how to configure an Amazon S3 Amazon VPC endpoint, see Create a gateway endpoint in the Amazon Virtual Private Cloud User Guide. If your Amazon VPC endpoint policy is restricting access to external S3 buckets, you must specifically allow access to the bucket maintained by Amazon Inspector in your AWS Region that stores the OVAL definitions used to evaluate your instance. This bucket has the following format: inspector2-oval-prod-REGION.
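The endpoint-policy requirement in the note above is easy to get wrong when a gateway endpoint policy is scoped to an allow-list of internal buckets. The following added example (not AWS documentation code) builds the Regional OVAL bucket ARNs from the inspector2-oval-prod-REGION pattern on this page, checks whether a policy document's Allow statements cover both the bucket and its objects, and appends an explicit statement when they don't. The sample policy is constructed for the example, and the granted actions (s3:GetObject and s3:ListBucket) are an assumption; the check looks only at Resource coverage, not at Action or Condition elements.

```python
"""Check and extend an S3 gateway endpoint policy for the Amazon Inspector OVAL bucket.

Added example, not AWS documentation code. The bucket name pattern
inspector2-oval-prod-<region> comes from the page; the S3 actions granted
below (s3:GetObject, s3:ListBucket) are an assumption, not documented here.
"""
import copy
import fnmatch
import json

OVAL_BUCKET_PREFIX = "inspector2-oval-prod-"


def oval_bucket_arns(region):
    """Return (bucket ARN, object-level ARN) for the Regional OVAL bucket."""
    bucket = f"arn:aws:s3:::{OVAL_BUCKET_PREFIX}{region}"
    return bucket, f"{bucket}/*"


def _as_list(value):
    # IAM allows Statement and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def policy_allows_oval_bucket(policy, region):
    """True if Allow statements cover both the bucket and its objects (Resource only)."""
    bucket_arn, objects_arn = oval_bucket_arns(region)
    covered = {bucket_arn: False, objects_arn: False}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Resource", [])):
            for arn in covered:
                # IAM resource wildcards (* and ?) behave like shell globs here.
                if fnmatch.fnmatchcase(arn, pattern):
                    covered[arn] = True
    return all(covered.values())


def add_oval_bucket_statement(policy, region):
    """Return a copy of the policy with an explicit Allow for the Regional OVAL bucket."""
    bucket_arn, objects_arn = oval_bucket_arns(region)
    new_policy = copy.deepcopy(policy)
    new_policy.setdefault("Version", "2012-10-17")
    new_policy["Statement"] = _as_list(new_policy.get("Statement", []))
    new_policy["Statement"].append({
        "Sid": "AllowInspectorOvalDefinitions",
        "Effect": "Allow",
        "Principal": "*",
        # Assumed actions: read objects and list the bucket.
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [bucket_arn, objects_arn],
    })
    return new_policy


# Constructed sample: a restrictive endpoint policy that allows only one internal bucket.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InternalBucketOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::example-internal-bucket",
            "arn:aws:s3:::example-internal-bucket/*",
        ],
    }],
}

if __name__ == "__main__":
    region = "us-east-1"
    print("restrictive policy allows OVAL bucket:",
          policy_allows_oval_bucket(RESTRICTIVE_POLICY, region))
    fixed = add_oval_bucket_statement(RESTRICTIVE_POLICY, region)
    print("after adding statement:", policy_allows_oval_bucket(fixed, region))
    print(json.dumps(fixed, indent=2))
```

Because the AssociationId and the bucket are both Regional, run the check once per Region in which Windows instances are scanned; a policy that allows the us-east-1 bucket does not cover us-west-2.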
About the Amazon Inspector SSM plugin for Windows
The Amazon Inspector SSM plugin is required for Amazon Inspector to scan your Windows instances.
The Amazon Inspector SSM plugin is automatically installed on your Windows instances in C:\Program Files\Amazon\Inspector, and the executable binary file is named InspectorSsmPlugin.exe.
The following file locations are created to store data the Amazon Inspector SSM plugin collects:
- C:\ProgramData\Amazon\Inspector\Input
- C:\ProgramData\Amazon\Inspector\Output
- C:\ProgramData\Amazon\Inspector\Logs
By default, the Amazon Inspector SSM plugin runs at below normal priority.
Note
You can use Windows instances with the Default Host Management Configuration setting. However, you must create or use a role that's configured with the ssm:PutInventory and ssm:GetParameter permissions.
Uninstalling the Amazon Inspector SSM plugin
If the InspectorSsmPlugin.exe file is inadvertently deleted, the InspectorDistributor-do-not-delete SSM association will reinstall the plugin at the next Windows scan interval. If you want to uninstall the Amazon Inspector SSM plugin, you can use the Uninstall action on the AmazonInspector2-ConfigureInspectorSsmPlugin document.
Additionally, the Amazon Inspector SSM plugin will be automatically uninstalled from all Windows hosts if you deactivate Amazon EC2 scanning.
Note
If you uninstall the SSM Agent before deactivating Amazon Inspector, the Amazon Inspector SSM plugin will remain on the Windows host but will no longer send data to the Amazon Inspector SSM plugin. For more information, see Deactivating Amazon Inspector.
Setting custom schedules for Windows instance scans
You can customize the time between your Windows Amazon EC2 instance scans by setting a cron expression or rate expression for the InvokeInspectorSsmPlugin-do-not-delete association using SSM. For more information, see Reference: Cron and rate expressions for Systems Manager in the AWS Systems Manager User Guide, or use the following instructions.
Select from the following code examples to change the scan cadence for Windows instances from the default 6 hours to 12 hours using either a rate expression or a cron expression.
The following examples require you to use the AssociationId for the association named InvokeInspectorSsmPlugin-do-not-delete. You can retrieve your AssociationId by running the following AWS CLI command:
$ aws ssm list-associations --association-filter-list "key=AssociationName,value=InvokeInspectorSsmPlugin-do-not-delete" --region us-east-1
Note
The AssociationId is Regional, so you need to first retrieve a unique ID for each AWS Region. You can then run the command to change the scan cadence in each Region where you want to set a custom scan schedule for Windows instances.
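The lookup command and the cadence change above can be scripted against the SSM API. The following added example (not AWS documentation code) uses the real boto3 calls list_associations, describe_association and update_association to find the Regional AssociationId for InvokeInspectorSsmPlugin-do-not-delete and move its schedule from the default 6 hours to 12 hours with either a rate or a cron expression. It first reads the current association and carries its settings over, because UpdateAssociation resets any optional parameter that is omitted from the request. The expression checks are a simplified approximation of what Systems Manager accepts and the 30-minute floor on rate expressions is an assumption; the fake client used when running the tests is constructed for the example.

```python
"""Change the Windows scan cadence of the InvokeInspectorSsmPlugin-do-not-delete association.

Added example, not AWS documentation code. It calls the real boto3 SSM operations
list_associations, describe_association and update_association. The schedule
validation below is a simplified approximation (assumption), as is the 30-minute
minimum interval.
"""
import re

ASSOCIATION_NAME = "InvokeInspectorSsmPlugin-do-not-delete"
RATE_RE = re.compile(r"^rate\((\d+) (minute|minutes|hour|hours|day|days)\)$")
_MINUTES = {"minute": 1, "hour": 60, "day": 1440}

# Optional UpdateAssociation parameters that must be re-sent or they are reset to null.
CARRY_OVER = (
    "Name", "DocumentVersion", "Parameters", "Targets", "OutputLocation",
    "AssociationName", "MaxErrors", "MaxConcurrency", "ComplianceSeverity",
    "SyncCompliance", "ApplyOnlyAtCronInterval", "CalendarNames", "TargetLocations",
)


def rate_interval_minutes(expression):
    """Return the interval of a rate() expression in minutes, or None if malformed."""
    m = RATE_RE.match(expression)
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2)
    singular = not unit.endswith("s")
    # AWS requires a singular unit for 1 and a plural unit for anything else.
    if (value == 1) != singular:
        return None
    return value * _MINUTES[unit.rstrip("s")]


def is_valid_schedule(expression):
    """Accept rate(...) of at least 30 minutes, or a six-field cron(...) expression."""
    if expression.startswith("rate("):
        minutes = rate_interval_minutes(expression)
        return minutes is not None and minutes >= 30
    m = re.match(r"^cron\((.+)\)$", expression)
    return bool(m) and len(m.group(1).split()) == 6


def find_association_id(ssm, name=ASSOCIATION_NAME):
    """Return the Regional AssociationId for the named association, or None."""
    resp = ssm.list_associations(
        AssociationFilterList=[{"key": "AssociationName", "value": name}]
    )
    for assoc in resp.get("Associations", []):
        if assoc.get("AssociationName") == name:
            return assoc["AssociationId"]
    return None


def build_schedule_update(current, expression):
    """Build UpdateAssociation kwargs from the current description plus the new schedule."""
    if not is_valid_schedule(expression):
        raise ValueError(f"unsupported schedule expression: {expression}")
    update = {key: current[key] for key in CARRY_OVER if key in current}
    update["AssociationId"] = current["AssociationId"]
    update["ScheduleExpression"] = expression
    return update


def set_windows_scan_schedule(ssm, association_id, expression):
    """Apply the new cadence and return the ScheduleExpression the service reports back."""
    current = ssm.describe_association(AssociationId=association_id)["AssociationDescription"]
    resp = ssm.update_association(**build_schedule_update(current, expression))
    return resp["AssociationDescription"]["ScheduleExpression"]


if __name__ == "__main__":
    import boto3  # assumed installed, with credentials for the target Region

    ssm = boto3.client("ssm", region_name="us-east-1")
    assoc_id = find_association_id(ssm)
    if assoc_id is None:
        raise SystemExit(f"{ASSOCIATION_NAME} not found in this Region")
    # Rate form: every 12 hours instead of the default 6.
    print(set_windows_scan_schedule(ssm, assoc_id, "rate(12 hours)"))
    # Equivalent cron form: minute 0 of every 12th hour, any day, any year.
    print(is_valid_schedule("cron(0 */12 * * ? *)"))
```

Run it once per Region, since the AssociationId differs in each; the describe-then-update pattern also preserves the association's targets and parameters, which a bare update with only the new ScheduleExpression would clear.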