Scanning Windows EC2 instances with Amazon Inspector

Note

On August 31, 2022, Amazon Inspector expanded its Amazon EC2 scanning coverage to include EC2 instances that run on Windows.

Amazon Inspector automatically discovers all supported Windows instances and includes them in continuous scanning without any extra actions. For information about which instances are supported, see Operating systems and programming languages supported by Amazon Inspector.

Amazon Inspector runs Windows scans at regular intervals. Windows instances are scanned at discovery and then scanned every 6 hours. However, you can adjust the default scan interval after the first scan.

  1. When Amazon EC2 scanning is activated, Amazon Inspector creates new SSM associations for your Windows resources: InspectorDistributor-do-not-delete, InspectorInventoryCollection-do-not-delete, and InvokeInspectorSsmPlugin-do-not-delete.

  2. The InspectorDistributor-do-not-delete SSM association uses the AWS-ConfigureAWSPackage SSM document and the AmazonInspector2-InspectorSsmPlugin SSM Distributor package to install the Amazon Inspector SSM plugin on your Windows instances. See About the Amazon Inspector SSM plugin for Windows for more information.

  3. The InvokeInspectorSsmPlugin-do-not-delete SSM association runs the Amazon Inspector SSM plugin at regular intervals to collect instance data and generate Amazon Inspector findings. By default, the interval is every 6 hours. However, you can customize this by setting a cron expression or rate expression for the association using SSM. For more information, see Reference: Cron and rate expressions for Systems Manager in the AWS Systems Manager User Guide.

Note

Amazon Inspector stages updated Open Vulnerability and Assessment Language (OVAL) definition files to the S3 bucket inspector2-oval-prod-REGION. This S3 bucket contains the OVAL definitions used in scans and shouldn't be modified. Modifying the bucket or blocking access to it will prevent Amazon Inspector from scanning for new CVEs as they're released.

Amazon Inspector scan requirements for Windows instances

To scan a Windows instance, Amazon Inspector requires the instance to meet the following criteria:

  • The instance is an SSM managed instance. For instructions about setting up your instance for scanning, see Configuring the SSM Agent.

  • The instance operating system is one of the supported Windows operating systems. For a complete list of supported operating systems, see Supported operating systems for Amazon EC2 scanning.

  • The instance has the Amazon Inspector SSM plugin installed. Amazon Inspector automatically installs the Amazon Inspector SSM plugin for managed instances upon discovery. See the next topic for details about the plugin.

Note

If your host is running in an Amazon VPC without outgoing internet access, Windows scanning requires your host to be able to access Regional Amazon S3 endpoints. To learn how to configure an Amazon S3 Amazon VPC endpoint, see Create a gateway endpoint in the Amazon Virtual Private Cloud User Guide. If your Amazon VPC endpoint policy restricts access to external S3 buckets, you must specifically allow access to the bucket maintained by Amazon Inspector in your AWS Region that stores the OVAL definitions used to evaluate your instance. This bucket has the following name format: inspector2-oval-prod-REGION.

About the Amazon Inspector SSM plugin for Windows

The Amazon Inspector SSM plugin is required for Amazon Inspector to scan your Windows instances. The Amazon Inspector SSM plugin is automatically installed on your Windows instances in C:\Program Files\Amazon\Inspector, and the executable binary file is named InspectorSsmPlugin.exe.

The following file locations are created to store data the Amazon Inspector SSM plugin collects:

  • C:\ProgramData\Amazon\Inspector\Input

  • C:\ProgramData\Amazon\Inspector\Output

  • C:\ProgramData\Amazon\Inspector\Logs

By default, the Amazon Inspector SSM plugin runs at below normal priority.

Note

You can scan Windows instances with the Default Host Management Configuration setting. However, you must create an instance profile and attach the ssm:PutInventory permission.

Uninstalling the Amazon Inspector SSM plugin

If the InspectorSsmPlugin.exe file is inadvertently deleted, the InspectorDistributor-do-not-delete SSM association will reinstall the plugin at the next Windows scan interval. If you want to uninstall the Amazon Inspector SSM plugin, you can use the Uninstall action on the AmazonInspector2-ConfigureInspectorSsmPlugin document.

Additionally, the Amazon Inspector SSM plugin will be automatically uninstalled from all Windows hosts if you deactivate Amazon EC2 scanning.

Note

If you uninstall the SSM Agent before deactivating Amazon Inspector, the Amazon Inspector SSM plugin will remain on the Windows host but will no longer send data to Amazon Inspector, because the plugin is only run by the SSM association. For more information, see Deactivating Amazon Inspector.

Setting custom schedules for Windows instance scans

You can customize the time between your Windows Amazon EC2 instance scans by setting a cron expression or rate expression for the InvokeInspectorSsmPlugin-do-not-delete association using SSM. For more information, see Reference: Cron and rate expressions for Systems Manager in the AWS Systems Manager User Guide or use the following instructions.

Select from the following code examples to change the scan cadence for Windows instances from the default 6 hours to 12 hours using either a rate expression or a cron expression.

The following examples require you to use the AssociationId for the association named InvokeInspectorSsmPlugin-do-not-delete. You can retrieve your AssociationId by running the following AWS CLI command:

$ aws ssm list-associations --association-filter-list "key=AssociationName,value=InvokeInspectorSsmPlugin-do-not-delete" --region us-east-1

Note

The AssociationId is Regional, so you need to first retrieve a unique ID for each AWS Region. You can then run the command to change the scan cadence in each Region where you want to set a custom scan schedule for Windows instances.

Example rate expression

$ aws ssm update-association \
    --association-id "YourAssociationId" \
    --association-name "InvokeInspectorSsmPlugin-do-not-delete" \
    --schedule-expression "rate(12 hours)"

Example cron expression

$ aws ssm update-association \
    --association-id "YourAssociationId" \
    --association-name "InvokeInspectorSsmPlugin-do-not-delete" \
    --schedule-expression "cron(0 0/12 * * ? *)"
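The two-step procedure above (look up the Regional AssociationId, then update the schedule) carried through for several Regions at once, as an added example that is not part of the AWS documentation. It assumes AWS CLI v2 with credentials permitted to call ssm:ListAssociations and ssm:UpdateAssociation; the function names and the script name set-inspector-cadence.sh are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): set the Windows scan
# cadence for every Region you list. Assumes AWS CLI v2 and credentials
# allowed to call ssm:ListAssociations and ssm:UpdateAssociation.
set -eu

ASSOC_NAME="InvokeInspectorSsmPlugin-do-not-delete"

# Turn an interval in hours into an SSM rate expression, or pass a literal
# rate()/cron() expression through. Anything else is rejected before it
# reaches UpdateAssociation.
schedule_expression() {
  case "$1" in
    1) echo "rate(1 hour)" ;;
    ''|*[!0-9]*)
      case "$1" in
        rate\(*\)|cron\(*\)) echo "$1" ;;
        *) echo "unsupported schedule: $1" >&2; return 1 ;;
      esac ;;
    0) echo "interval must be at least 1 hour" >&2; return 1 ;;
    *) echo "rate($1 hours)" ;;
  esac
}

# The AssociationId is Regional: look it up per Region and insist on exactly
# one match so a stale or duplicated association is never updated blindly.
association_id() {
  ids=$(aws ssm list-associations --region "$1" \
      --association-filter-list "key=AssociationName,value=$ASSOC_NAME" \
      --query 'Associations[].AssociationId' --output text)
  set -- $ids   # text output is tab-separated; count the tokens
  [ "$#" -eq 1 ] || { echo "expected 1 association, found $#" >&2; return 1; }
  echo "$1"
}

# Apply the schedule in one Region and print what SSM now reports back,
# so the change is confirmed from the service rather than assumed.
update_region() {
  region="$1"; expr="$2"
  id=$(association_id "$region")
  aws ssm update-association --region "$region" --association-id "$id" \
      --association-name "$ASSOC_NAME" --schedule-expression "$expr" \
      --query 'AssociationDescription.ScheduleExpression' --output text
}

# Usage: sh set-inspector-cadence.sh 12 us-east-1 eu-west-1
if [ "$#" -ge 2 ]; then
  expr=$(schedule_expression "$1"); shift
  for region in "$@"; do
    printf '%s: %s\n' "$region" "$(update_region "$region" "$expr")"
  done
fi
```

Run it with the interval first and the Regions after it; a Region where the association is missing or duplicated aborts the run instead of updating the wrong resource.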